Docker build_args_from_env printed with plugins/docker 0.8

Simple requirement of using secrets inside a docker build. We use secrets for the same and pass them as build args:

pipeline:
  build:
    image: plugins/docker
    repo: razorpay/creevey
    secrets: [supersecret]
    build_args_from_env: [supersecret]

The Drone build shows the following output:

+ /usr/local/bin/docker build --rm=true -f Dockerfile -t 19c6c5a18f7d84c02c0d7caf10629d2d9fccdc82 . --pull=true --build-arg supersecret=thisissupersecret --build-arg SUPERSECRET=thisissupersecret --label org.label-schema.build-date=2018-04-23T08:10:26Z --label org.label-schema.vcs-ref=19c6c5a18f7d84c02c0d7caf10629d2d9fccdc82 --label org.label-schema.vcs-url=https://github.com/razorpay/creevey.git
Sending build context to Docker daemon 565.2kB

We are using the recommended configuration from Passing Secrets as Build Arguments, plugins/Docker to pass build_args and it is printing out secrets to the log for us.

because secrets are injected as uppercase environment variables, you need to make the following adjustment to your configuration:

pipeline:
  build:
    image: plugins/docker
    repo: razorpay/creevey
    secrets: [supersecret]
-   build_args_from_env: [supersecret]
+    build_args_from_env: [SUPERSECRET]

Never thought of trying case change, thanks.

Tried all possible combinations of case and nothing seems to work. With this setup:

pipeline:
  build:
    image: plugins/docker
    repo: razorpay/creevey
    secrets: [supersecret]
    build_args_from_env: [SUPERSECRET]

# https://github.com/rickypc/docker-python-firefox-xvfb
FROM alpine:3.6

The build args still get printed:

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
+ /usr/local/bin/docker build --rm=true -f Dockerfile -t 049f2d528b7852fac9038721e2e21f88e4e1e168 . --pull=true --build-arg SUPERSECRET=something --build-arg SUPERSECRET=something --label org.label-schema.build-date=2018-04-23T19:07:00Z --label org.label-schema.vcs-ref=049f2d528b7852fac9038721e2e21f88e4e1e168 --label org.label-schema.vcs-url=https://github.com/razorpay/creevey.git
Sending build context to Docker daemon 567.3kB

From a very cursory look at the source code, it looks like the trace function is always getting called.

Sorry, not sure I understand the previous post. Your example output would seem to suggest the secrets are working as expected, assuming something is the secret you wanted injected as a build argument.

--build-arg SUPERSECRET=something

But in general I can confirm that there are no known issues with secrets and build_args_from_env. You should make sure you secrets are configured correctly, as described here. If you need more hands on assistance, we also offer enterprise support.

Sorry, I should have been clearer in the original post. While secrets seem to be working exactly as expected (they get passed as build args), printing secrets during builds looks like a security issue, no?

We don’t want all of our users to be able to view secrets that easily.

@bradrydzewski Can you confirm if this is a security issue? (printing of secrets in build logs without debug mode being enabled). We’re happy to file a fix if you can confirm this.

@bradrydzewski Sorry for bumping this again, but I still can’t figure out a way to not print secret build args with the docker plugin.

Printing secrets on build logs is just breaking our security workflow.

Hi there,
I’m facing the exact same issue. I’m passing few drone secrets to build_from_env. Everything works perfectly, but in the drone log, the secrets are getting printed. Is there any way i can prevent this printing?

Relevant drone.yaml snippet below.

secrets: [ docker_username, docker_password, user_name, password ]
build_args_from_env: [ user_name, password ]
when:
branch:
- master

there is nothing you can do in older versions of Drone, however, this has been resolved in newer versions 1.0 and higher.