
docker.secrets.src Not Templatable #9850

@Lawrence-Godfrey

Description

Tried to find a duplicate issue but couldn't.
#4106 and #1458 are relevant.

Problem

I need to download files from GCS within a docker build step. This requires authentication. The correct way to pass in the secret is using mount=type=secret, and then have something like this in skaffold:

      docker:
        dockerfile: dockerfiles/Dockerfile
        secrets:
          - id: gcp-credentials
            src: ~/.config/gcloud/application_default_credentials.json

However, the src directory for credentials changes between environments. Locally it will be application default credentials, while in GitHub runners the name will change with each run (using the google-github-auth action).
I could also use the env, like this:

      docker:
        dockerfile: dockerfiles/Dockerfile.embeddings
        secrets:
          - id: gcp-credentials
            env: GCP_CREDENTIALS_JSON

but this requires then manually setting GCP_CREDENTIALS_JSON to the contents of the file specified by GOOGLE_APPLICATION_CREDENTIALS. As far as I can tell this can't be done with pre-build hook commands, either because the environment variables they export don't persist correctly, or because the env: GCP_CREDENTIALS_JSON part is resolved before the commands run and so doesn't have access to the variable, I'm not sure.

So without using pre-build hooks I would need to run commands before running skaffold dev/deploy, like:

  # Set default if not already set
  export GOOGLE_APPLICATION_CREDENTIALS=${GOOGLE_APPLICATION_CREDENTIALS:-~/.config/gcloud/application_default_credentials.json}

  # Then export the JSON content for the build secret
  export GCP_CREDENTIALS_JSON=$(cat "$GOOGLE_APPLICATION_CREDENTIALS")

  # Now run Skaffold
  skaffold dev

which is a bit messy.

Solution (?)

It would be great if the src was templatable, then I could just do:

      docker:
        dockerfile: dockerfiles/Dockerfile
        secrets:
          - id: gcp-credentials
            src: {{.GOOGLE_APPLICATION_CREDENTIALS}}

Or even

      docker:
        dockerfile: dockerfiles/Dockerfile
        secrets:
          - id: gcp-credentials
            src: "{{ cmd \"bash\" \"-c\" \"echo ${GOOGLE_APPLICATION_CREDENTIALS:-~/.config/gcloud/application_default_credentials.json}\" }}"

I know there's a bit of apprehension towards templating everything in Skaffold but this seems like a reasonable use-case, unless I am missing something and there's a completely different way to approach this?
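The manual wrapper described in the issue, as an added example that is not part of the original post or of Skaffold: a POSIX shell script that resolves the credentials path the way the issue's pre-run commands do (explicit GOOGLE_APPLICATION_CREDENTIALS first, gcloud's application default credentials file otherwise), checks the file before putting its contents in the environment for the `env:` form of the secret, and then execs the skaffold command it is given. The script name, the check functions and the GCP_CREDENTIALS_JSON variable name are assumptions; the variable name must match the `env:` key in skaffold.yaml.

```shell
#!/usr/bin/env sh
# with-gcp-build-secret.sh (assumed name; added example, not Skaffold's code)
# Usage: ./with-gcp-build-secret.sh skaffold dev
#
# Resolves the GCP credentials file, validates it, exports its contents as
# GCP_CREDENTIALS_JSON for a `secrets: - id: ... env: GCP_CREDENTIALS_JSON`
# entry in skaffold.yaml, and execs the given command.
set -e

# gcloud's application default credentials location (used when
# GOOGLE_APPLICATION_CREDENTIALS is unset, e.g. on a developer laptop).
DEFAULT_ADC="${HOME}/.config/gcloud/application_default_credentials.json"

# Print the credentials path to use: an explicit GOOGLE_APPLICATION_CREDENTIALS
# (for example one written by a CI auth step) wins, else the ADC default.
resolve_gcp_credentials_path() {
  printf '%s\n' "${GOOGLE_APPLICATION_CREDENTIALS:-$DEFAULT_ADC}"
}

# Validate the file before its contents go into the environment. Fails (non-zero,
# reason on stderr) if it is missing, unreadable, empty, or does not look like a
# JSON object, so the build fails early instead of running with an empty secret.
check_gcp_credentials_file() {
  path=$1
  if [ ! -f "$path" ]; then
    echo "credentials file not found: $path" >&2; return 1
  fi
  if [ ! -r "$path" ]; then
    echo "credentials file not readable: $path" >&2; return 1
  fi
  if [ ! -s "$path" ]; then
    echo "credentials file is empty: $path" >&2; return 1
  fi
  # Cheap JSON sanity check: the first non-blank character must be '{'.
  body=$(tr -d ' \t\r\n' < "$path")
  first=${body%"${body#?}"}
  if [ "$first" != "{" ]; then
    echo "credentials file does not look like a JSON object: $path" >&2; return 1
  fi
  # Warn (do not fail) if group or other can read the key material.
  # Columns 5-10 of `ls -ld` are the group and other permission bits.
  grp_oth=$(ls -ld "$path" | cut -c5-10)
  case $grp_oth in
    *r*) echo "warning: $path is readable by group/other" >&2 ;;
  esac
  return 0
}

# Resolve, validate, and export. $(cat ...) drops trailing newlines only, which
# is harmless for JSON. GOOGLE_APPLICATION_CREDENTIALS is exported too so any
# tool in the same process tree agrees with the build secret on which file was used.
load_gcp_build_secret() {
  path=$(resolve_gcp_credentials_path)
  check_gcp_credentials_file "$path" || return 1
  GCP_CREDENTIALS_JSON=$(cat "$path")
  export GCP_CREDENTIALS_JSON
  GOOGLE_APPLICATION_CREDENTIALS=$path
  export GOOGLE_APPLICATION_CREDENTIALS
}

main() {
  load_gcp_build_secret
  # exec replaces this shell, so the secret lives in one fewer process.
  exec "$@"
}

if [ "$#" -gt 0 ]; then
  main "$@"
else
  echo "usage: $0 skaffold dev|build|run [args...]" >&2
fi
```

Run it as `./with-gcp-build-secret.sh skaffold dev` (or `skaffold build`); with no arguments it only prints usage. Two caveats that the one-line `export GCP_CREDENTIALS_JSON=$(cat ...)` hides: the JSON now sits in the environment of skaffold and of every process it spawns, where the same user (or root) can read it from `/proc/<pid>/environ`, so keep `set -x` and any "dump the environment" debugging out of CI jobs that run this; and the secret still reaches the build only through the `mount=type=secret` path, so it is available inside the RUN steps that request it and is not written into an image layer.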
