
Error passing docker secrets to azure web app: "No such file or directory: '/run/secrets/'"


I am relatively new to Docker and am currently building a multi-container dockerized azure web app (in flask). However, I am having some difficulty with secret management. I had successfully built a version that was storing app secrets through environment variables. But based on some recent reading it has come to my attention that that is not a good idea. I've been attempting to update my app to use Docker Secrets but have had no luck.

I have successfully created the secrets based on this post:

how do you manage secret values with docker-compose v3.1?

I have deployed the stack and verified that the secrets are available in both containers in /run/secrets/. However, when I run the app in azure I get an error.

Here are the steps I've taken to launch the app in azure.

docker swarm init --advertise-addr XXXXXX
echo "This is an external secret" | docker secret create my_external_secret -
docker-compose build
docker push
docker stack deploy -c <path-to>/docker-compose.yml webapp

Next I'll restart the azure web app to pull latest images

Basic structure of the docker-compose is below.

version: '3.1'
services:
  webapp:
    build: .
    secrets:
      - my_external_secret
    image: some_azure_registry/flask_site:latest

  celery: 
    build: .
    command: celery worker -A tasks.celery --loglevel=INFO -P gevent
    secrets:
      - my_external_secret
    image: some_azure_registry.azurecr.io/flask_site_celery:latest


secrets:                        # top level secrets block
  my_external_secret:
    external: true

However, when I run the app in azure I get:

No such file or directory: '/run/secrets/my_external_secret'

I can attach a shell to the container and successfully run:

python
open('/run/secrets/my_external_secret', 'r').read().strip()

But when the above line is executed by the webapp it fails with the no file or directory error. Any help would be greatly appreciated.


Solution

  • Unfortunately, the secret at the top-level of docker-compose is not supported in Azure Web App for Container. Take a look below:

    Supported options

    • command
    • entrypoint
    • environment
    • image
    • ports
    • restart
    • services
    • volumes

    Unsupported options

    • build (not allowed)
    • depends_on (ignored)
    • networks (ignored)
    • secrets (ignored)
    • ports other than 80 and 8080 (ignored)

    For more details, see Docker Compose options.
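
A pre-deployment check built from the two lists in the answer above, as an added example that is not part of the original answer or of any Azure tooling: it flags compose options that would be rejected or silently ignored, which is how the `secrets` entries in the question went missing. The function names, the dict input and the choice to check the container side of a port mapping are assumptions of this example.

```python
# Added example (not from the original answer): flag docker-compose options
# that the answer lists as unsupported in Azure Web App for Containers.
# Input is an already-parsed compose dict, e.g. the result of yaml.safe_load.
SUPPORTED = {"command", "entrypoint", "environment", "image", "ports",
             "restart", "volumes"}
UNSUPPORTED = {"build": "not allowed", "depends_on": "ignored",
               "networks": "ignored", "secrets": "ignored"}
ALLOWED_PORTS = {"80", "8080"}


def container_port(mapping):
    """Container side of 'host:container[/proto]' (assumed to be the side checked)."""
    return str(mapping).split(":")[-1].split("/")[0]


def lint_compose(compose):
    """Return sorted (location, option, treatment) tuples for flagged options."""
    findings = []
    for key in compose:
        # Top level: only report keys the answer explicitly lists as unsupported.
        if key in UNSUPPORTED:
            findings.append(("top-level", key, UNSUPPORTED[key]))
    for name, service in compose.get("services", {}).items():
        for key in service:
            if key not in SUPPORTED:
                findings.append((name, key, UNSUPPORTED.get(key, "not listed")))
        for mapping in service.get("ports", []):
            if container_port(mapping) not in ALLOWED_PORTS:
                findings.append((name, f"ports:{mapping}", "ignored"))
    return sorted(findings)


# Constructed input: the question's compose file plus one hypothetical port entry.
SAMPLE = {
    "version": "3.1",
    "services": {
        "webapp": {"build": ".", "secrets": ["my_external_secret"],
                   "image": "some_azure_registry/flask_site:latest",
                   "ports": ["5000:5000"]},
        "celery": {"build": ".", "secrets": ["my_external_secret"],
                   "command": "celery worker -A tasks.celery --loglevel=INFO -P gevent",
                   "image": "some_azure_registry.azurecr.io/flask_site_celery:latest"},
    },
    "secrets": {"my_external_secret": {"external": True}},
}

if __name__ == "__main__":
    for location, option, treatment in lint_compose(SAMPLE):
        print(f"{location}: {option} ({treatment})")
```

Any `secrets` finding means the container will start without `/run/secrets/<name>`, so the application needs another source for that value before the deployment goes out.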