a year ago
Hello all, I'm wondering how it might be possible to securely pass secrets from the Railway environment variables at build time.
Specifically, in my Dockerfile, I would like to configure a private Python package index as a package source, and configure its credentials. The idea is that these will come from the Railway environment variables. But if I pass them in as ARGs, like it says to do in these Railway docs, they will be visible in the build logs, which isn't very secure.
Is there a way to accomplish this so that:
I can configure my private package index during build time to install dependencies
The credentials will not be output anywhere
I appreciate any input. Thank you!
15 Replies
a year ago
I'm 99% sure ARG lines aren't just blindly printed to stdout
a year ago
let's see please?
a year ago
that's because you are passing them in as flags to a command, the ARG lines themselves aren't printed
My question is then, how can I pass secrets into commands here without them being printed?
a year ago
does poetry not support reading from environment variables?
It does - this is the relevant section of the Dockerfile:
ARG POETRY_HTTP_BASIC_DUMMY_USERNAME
ARG POETRY_HTTP_BASIC_DUMMY_PASSWORD
RUN poetry config http-basic.dummypypi $POETRY_HTTP_BASIC_DUMMY_USERNAME $POETRY_HTTP_BASIC_DUMMY_PASSWORD
a year ago
that's passing them in as flags, that isn't uv reading them from the env directly
I'll look into this; I haven't seen a way to read directly from env variables but I may have missed it in the docs. I'll post with an update when I'm able to find more information
a year ago
sounds good!
@Brody I've tested this and it doesn't seem that the Railway environment variables are available to Poetry during build. I tried accessing a real private pypi, without including the config/credentials run command, and it failed to access the pypi with an authentication error.
I know Brody's already helping you out here Lara but I thought I'd add my 2c.
Personally, when it comes to provisioning / bootstrapping services with secrets I use 1Password. If you're in a big environment you might want to set up their Connect server, otherwise you can set up a service account. This also avoids any secret sprawl you might have, and also lets you audit usage, or roll secrets should you need to. https://developer.1password.com/docs/service-accounts/
They have integrations for the major CI providers, but you can also stand up your own connect server (I did this tonight in my railway environment) to proxy out via the sync service should you want to do it that way instead of having every request go over the wire. I bootstrapped the connect service by encoding my json payload as a base64 string and setting it to the OP_SESSION environment variable and then immediately sealing it before deploying it.
Doing this during Railway's build-time is an interesting idea, I've yet to play around with that but I don't see why it couldn't be done.
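As an added example (not posted by anyone in this thread, and not Railway documentation): the Docker-level way to keep the credentials out of both the build log and the image history is a BuildKit secret mount, which exposes each value as a file inside a single RUN step instead of as an ARG. It assumes the Poetry source is named dummypypi, as in the Dockerfile snippet earlier in the thread, and that the builder in use supports BuildKit secret mounts; whether Railway's builder does is not established anywhere in this thread.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not from the thread. Assumes a Poetry source named
# "dummypypi" and a builder that supports BuildKit secret mounts.
FROM python:3.12-slim

RUN pip install --no-cache-dir poetry

WORKDIR /app
COPY pyproject.toml poetry.lock ./

# Each secret is mounted as a file under /run/secrets for this RUN step only.
# It is never an ARG and never an ENV, and the file is not written into a
# layer, so the value appears neither in the build output nor in
# `docker history`. Poetry reads POETRY_HTTP_BASIC_<SOURCE>_USERNAME and
# POETRY_HTTP_BASIC_<SOURCE>_PASSWORD from the environment, so there is no
# `poetry config http-basic ...` command line for the builder to print.
RUN --mount=type=secret,id=pypi_user \
    --mount=type=secret,id=pypi_pass \
    POETRY_HTTP_BASIC_DUMMYPYPI_USERNAME="$(cat /run/secrets/pypi_user)" \
    POETRY_HTTP_BASIC_DUMMYPYPI_PASSWORD="$(cat /run/secrets/pypi_pass)" \
    poetry install --no-root --no-interaction

COPY . .
```

Build it with `docker build --secret id=pypi_user,src=./pypi_user.txt --secret id=pypi_pass,src=./pypi_pass.txt .` (set `DOCKER_BUILDKIT=1` on older Docker releases; recent BuildKit also accepts `env=VARNAME` instead of `src=` so the value can come straight from the build machine's environment). To confirm the difference from the ARG approach, run `docker history --no-trunc <image>`: with `ARG` the RUN step's history entry records the argument values, while with a secret mount the entry contains only the command text.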


