How to access Docker Secrets in Node-RED Container

Hey everyone!
I am running Node-RED under Docker and for development I am setting some credentials for an external server as environment variables. However, in production I want to set these credentials as Docker Secrets, but I don't know how to access them inside the container.

Is anyone experienced with this topic? Or maybe there's a better way to hide credentials?

Thank you all in advance and have a great day!

Docker uses an in-memory filesystem for storing secrets. The secrets are standard files inside the container in /run/secrets/. So you should be able to use the file reader node in a flow.

Thank you! I think I've read this before, but I wasn't able to integrate it into my project. Now it works.

So I revisited my project and I can now access the Docker secrets. However, I replaced the environment variables with the Docker secrets and now I have to change my function node.
Currently it is looking like this:

msg.payload = `
return msg;

Is there a way to replace the env.get(...) with Docker secrets?

You could load them into either env variables or global vars in your settings.js file.

Hmmm... sounds like a step backwards. Do you think it is reasonable to use Docker secrets instead of the -e flag and then load the secrets as env variables? Would that be more secure than just passing them into the container as env variables?

And if so, how would you load them as env variables?

I don't use docker all that much so I'm not an expert. However, I would say yes, I think that is more secure since they will not be visible outside the container.

If you wanted more than that, I would likely recommend setting up a small, standalone node.js service within the container that consumed the secrets and exposed an API that node-red could access. Putting that in a separate container could allow another step up in security by limiting access between the containers. Node-RED itself can be an API service of course and running two node-red containers, one with just the secure stuff in and the other for general use would be a valid approach. But of course all of that requires more device resources.


Okay, thank you. I will try and research more on that, and if I find a solution that works for me, I will update.
