I'm trying to hide some sensitive information about my application with docker secrets. I did great in most of them but I'm having trouble with the env of the database connection.

When I pass the string to connect the database through the secrets, I get this error:

sqlalchemy.exc.ArgumentError: Could not parse rfc1738 URL from string 'db_lang_driverdb_userdb_passworddb_hostdb_database'

I created the secrets in .txt files on my local machine.

This is my docker-compose file

version: '3.3'
services:
  stripe:
    image: stripe-full-env
    container_name: stripe
    ports:
      - "7000:7000"
    secrets:
      - stripe-secret-key
      - db_lang_driver
      - db_user
      - db_password
      - db_host
      - db_database
    environment:
      - STRIPE_SECRET_KEY=stripe-secret-key
      - DB_LANG_DRIVER=db_lang_driver
      - DB_USER=db_user
      - DB_PASSWORD=db_password
      - DB_HOST=db_host
      - DB_DATABASE=db_database
secrets:
  stripe-secret-key:
    file: ./stripe-secret-key.txt
  db_lang_driver:
    file: ./db_lang_driver.txt
  db_user:
    file: ./db_user.txt
  db_password:
    file: ./db_password.txt
  db_host: 
    file: ./db_host.txt
  db_database:
    file: ./db_database.txt

All of the ENV variables except STRIPE_SECRET_KEY are parts of the database connection string, which I concatenate in my Python code. The stripe-secret-key secret is doing OK. But when the code needs to access strConnection2, it doesn't get the information that is being passed by the secrets.

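import os
from sqlalchemy import create_engine

# os.getenv() returns None for an unset variable, so check every part before concatenating
parts = [os.getenv(name) for name in ('DB_LANG_DRIVER', 'DB_USER', 'DB_PASSWORD', 'DB_HOST', 'DB_DATABASE')]
if None in parts:
    raise TypeError("Database string not found")

# Same concatenation order as before: driver, user, password, host, database
strConnection2 = ''.join(parts)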

engine = create_engine(
    strConnection2, 
    echo=False, 
    pool_recycle=900, 
    pool_pre_ping=True, 
    pool_size=1000,
    max_overflow=2000
)

I tried to use external and file secrets. Both showed the SQLAlchemy error.

Important. The same string when used in Dockerfile works fine to connect the database.

  • I tried using the string not concatenated with one long env variable.
  • Tried using the concatenated string with multiple env variables
  • Used external secrets in Swarm through docker secret create
  • Used secrets created manually on my local machine
  • The values in the environment are the literal values from the docker compose file, for example DB_LANG_DRIVER -> db_lang_driver. So your docker compose file isn't picking up the values from the environment. Are they being set? Commented Dec 22, 2022 at 20:55
  • I think so. I'm trying to pass them through secrets that are created in a directory called "docker-secrets" in my root project folder. The fact that they have literally equal names is just for convenience. Commented Dec 22, 2022 at 21:04
  • I have exactly the same issue. Did you find a way? Thx Commented Mar 28, 2023 at 18:19

1 Answer

Problem

The problem is that you are trying to assign to environment variables the contents of secrets, whereas in fact, they are just assigned the names of secrets.

For example:
Let's say that the value of the secret db_user is gustavo. When you try to assign its value to the environment variable DB_USER in docker-compose, you are getting DB_USER=db_user, but not DB_USER=gustavo.

Solution

By default, all secrets in a container are stored as files in the following location: /run/secrets/<secret_name>.
So, you can try to read the content of these files in your program.

1 Comment

This seems like a brute-force solution. How could OP achieve what they are trying to do through the YAML configuration (and listed txt files)?
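
The file-reading approach from the answer above, as an added example that is not part of the original answer or comments: each secret is read from /run/secrets/<secret_name> and the connection URL is built from the file contents. It assumes each file holds a bare value and that the URL has the form driver://user:password@host/database; `read_secret`, `build_db_url` and `demo` are hypothetical names, and the sample values are constructed.

```python
import tempfile
from pathlib import Path
from urllib.parse import quote_plus

SECRETS_DIR = Path("/run/secrets")  # Docker mounts each secret here as a file


def read_secret(name, secrets_dir=SECRETS_DIR):
    """Return one secret's content without the trailing newline."""
    path = Path(secrets_dir) / name
    try:
        value = path.read_text(encoding="utf-8")
    except FileNotFoundError:
        raise RuntimeError(f"secret {name!r} is not mounted at {path}") from None
    value = value.rstrip("\r\n")  # .txt files usually end with a newline
    if not value:
        raise RuntimeError(f"secret {name!r} is empty")
    return value


def build_db_url(secrets_dir=SECRETS_DIR):
    """Assemble driver://user:password@host/database from the five secrets.
    Assumption: each file holds the bare value, with no separators in it."""
    driver = read_secret("db_lang_driver", secrets_dir)
    user = quote_plus(read_secret("db_user", secrets_dir))  # escape @ : /
    password = quote_plus(read_secret("db_password", secrets_dir))
    host = read_secret("db_host", secrets_dir)
    database = read_secret("db_database", secrets_dir)
    return f"{driver}://{user}:{password}@{host}/{database}"


def demo():
    """Constructed sample values written to a temp dir, not real secrets."""
    sample = {
        "db_lang_driver": "postgresql+psycopg2\n",
        "db_user": "gustavo\n",
        "db_password": "p@ss/word\n",
        "db_host": "db.internal:5432\n",
        "db_database": "stripe\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in sample.items():
            (Path(tmp) / name).write_text(content, encoding="utf-8")
        return build_db_url(tmp)


if __name__ == "__main__":
    print(demo())
```

With this in place the service still lists the secrets under `secrets:`, but the `DB_*` entries under `environment:` are no longer needed, so the credentials do not appear in the container's environment.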
