From d60df21dda179cd88e4d87f7e95047b659ce6286 Mon Sep 17 00:00:00 2001
From: Emanuel Fernandes
Date: Sun, 13 Feb 2022 20:10:52 +0000
Subject: [PATCH] Add an example of accessing the secrets file without root permissions
---
 docs/advanced/secrets.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/docs/advanced/secrets.md b/docs/advanced/secrets.md
index d7dc54f..9923ac8 100644
--- a/docs/advanced/secrets.md
+++ b/docs/advanced/secrets.md
@@ -13,6 +13,23 @@ RUN --mount=type=secret,id=github_token \
 cat /run/secrets/github_token
 ```
+If you need access to the `secrets` file from a non-root user, you'll need to set the `uid` in the `--mount` argument:
+
+```Dockerfile
+#syntax=docker/dockerfile:1.2
+
+FROM alpine
+
+# Create non-root user
+RUN addgroup -S newuser && adduser -u 1001 -S -g newuser newuser
+
+# Run everything after as non-privileged user.
+USER newuser
+
+RUN --mount=type=secret,uid=1001,id=github_token \
+ cat /run/secrets/github_token
+```
+
 As you can see we have named our secret `github_token`. Here is the workflow you can use to expose this secret using the [`secrets` input](../../README.md#inputs):