snippetdockerMinor
Docker MongoDB image - How to specify credentials other than in the compose file?
Viewed 0 times
imagethefiledockerthanmongodbcredentialscomposehowother
Problem
I'm using this docker image https://hub.docker.com/_/mongo/. That image provides a way of initializing a mongodb root database user with env variables which I can specify in the compose file as follows:
It seems storing the password in config files is not very secure. How can I use more secure ways (i.e. docker secrets) to init the root user in this case? Same thing for initdb files, which I need to copy to the container and may as well contain more credentials.
I wonder if anyone here found a more secure way of handling this.
environment:
- MONGO_INITDB_DATABASE=db
- MONGO_INITDB_ROOT_USERNAME=root
- MONGO_INITDB_ROOT_PASSWORD=passIt seems storing the password in config files is not very secure. How can I use more secure ways (i.e. docker secrets) to init the root user in this case? Same thing for initdb files, which I need to copy to the container and may as well contain more credentials.
I wonder if anyone here found a more secure way of handling this.
Solution
Secrets support for mongo is built in. You can see in that image's entrypoint script that if you add
As for .js files, if you're storing decrypted passwords in those files, you'd need to make a custom entrypoint script or something that will take envvars you're passing in for which secrets to use and run a
_FILE to end of username/password values it will pull from those secret files.As for .js files, if you're storing decrypted passwords in those files, you'd need to make a custom entrypoint script or something that will take envvars you're passing in for which secrets to use and run a
jq or sed on the file to replace I guess. You can store the .js files themselves in a secret as longas its smaller than 500Kb (max size of a secret).Context
StackExchange DevOps Q#3599, answer score: 3
Revisions (0)
No revisions yet.