Secrets
Dagger allows you to utilize confidential information, such as passwords, API keys, SSH keys and so on, in your Dagger Modules and Dagger Functions, without exposing those secrets in plaintext logs, writing them into the filesystem of containers you're building, or inserting them into the cache.
Secrets can be passed to Dagger Functions as arguments using the Secret core type. Here is an example of a Dagger Function which accepts a GitHub personal access token as a secret, and uses the token to authorize a request to the GitHub API:
Go:

    package main

    import (
        "context"
        "fmt"
    )

    type MyModule struct{}

    // GithubApi queries a GitHub API endpoint, authenticating with a token
    // passed as a Secret. The token is exposed to the container only as the
    // GITHUB_TOKEN secret variable; the shell inside the container expands
    // $GITHUB_TOKEN at run time, so its value never appears in the command string.
    func (m *MyModule) GithubApi(ctx context.Context, endpoint string, token *Secret) (string, error) {
        return dag.Container().
            From("alpine:3.17").
            WithExec([]string{"apk", "add", "curl"}).
            WithSecretVariable("GITHUB_TOKEN", token).
            WithExec([]string{"sh", "-c", fmt.Sprintf("curl \"%s\" --header \"Accept: application/vnd.github+json\" --header \"Authorization: Bearer $GITHUB_TOKEN\"", endpoint)}).
            Stdout(ctx)
    }

Python:

    import dagger
    from dagger import dag, function, object_type


    @object_type
    class MyModule:
        @function
        async def github_api(self, endpoint: str, token: dagger.Secret) -> str:
            """Query a GitHub API endpoint using a token passed as a Secret."""
            return await (
                dag.container()
                .from_("alpine:3.17")
                .with_exec(["apk", "add", "curl"])
                # Expose the secret to the container as an environment variable.
                .with_secret_variable("GITHUB_TOKEN", token)
                .with_exec(
                    [
                        "sh",
                        "-c",
                        # $GITHUB_TOKEN is expanded by the shell inside the container.
                        f"""curl "{endpoint}" --header "Accept: application/vnd.github+json" --header "Authorization: Bearer $GITHUB_TOKEN" """,
                    ]
                )
                .stdout()
            )

TypeScript:

    import { dag, object, func, Secret } from "@dagger.io/dagger"

    @object()
    class MyModule {
      // Query a GitHub API endpoint using a token passed as a Secret.
      @func()
      async githubApi(endpoint: string, token: Secret): Promise<string> {
        return await dag
          .container()
          .from("alpine:3.17")
          .withExec(["apk", "add", "curl"])
          // Expose the secret to the container as an environment variable.
          .withSecretVariable("GITHUB_TOKEN", token)
          .withExec([
            "sh",
            "-c",
            // $GITHUB_TOKEN is expanded by the shell inside the container.
            `curl "${endpoint}" --header "Accept: application/vnd.github+json" --header "Authorization: Bearer $GITHUB_TOKEN"`,
          ])
          .stdout()
      }
    }

When invoking the Dagger Function using the Dagger CLI, secrets can be sourced from host environment variables (env:), the host filesystem (file:) or the result of host command execution (cmd:).
Here is an example call for this Dagger Function, with the secret sourced from a host environment variable named GITHUB_API_TOKEN:

    dagger call github-api --endpoint=https://api.github.com/repos/dagger/dagger/issues --token=env:GITHUB_API_TOKEN

Secrets can also be passed from a host file using the file source:

    dagger call github-api --endpoint=https://api.github.com/repos/dagger/dagger/issues --token=file:./github.txt

...or as the result of executing a command on the host using the cmd source:

    dagger call github-api --endpoint=https://api.github.com/repos/dagger/dagger/issues --token=cmd:"gh auth token"

Dagger automatically scrubs secrets from its various logs and output streams. This ensures that sensitive data does not leak - for example, in the event of a crash.
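
To show why scrubbing has to operate on the output stream rather than on individual writes, here is an added example (not Dagger's implementation and not code from the original page): a minimal exact-match scrubber that still masks a token when it arrives split across chunks. The class and function names and the sample token are constructed for illustration.

```python
class SecretScrubber:
    """Masks known secret values in a text stream that arrives in chunks."""

    def __init__(self, secrets, mask="***"):
        # Longest first, so a secret containing a shorter one is masked whole.
        self.secrets = sorted({s for s in secrets if s}, key=len, reverse=True)
        self.mask = mask
        self.buf = ""

    def _held_tail(self):
        # Length of the longest buffer suffix that could still grow into a
        # secret once the next chunk arrives; that part must not be emitted yet.
        longest = max((len(s) for s in self.secrets), default=1) - 1
        for k in range(min(longest, len(self.buf)), 0, -1):
            if any(s.startswith(self.buf[-k:]) for s in self.secrets):
                return k
        return 0

    def write(self, chunk):
        """Feed one chunk; return the text that is safe to emit now."""
        self.buf += chunk
        for s in self.secrets:
            self.buf = self.buf.replace(s, self.mask)
        cut = len(self.buf) - self._held_tail()
        out, self.buf = self.buf[:cut], self.buf[cut:]
        return out

    def flush(self):
        """End of stream: whatever is still held was not a complete secret."""
        out, self.buf = self.buf, ""
        return out


def scrub_stream(chunks, secrets):
    """Run every chunk through one scrubber and return the combined output."""
    scrubber = SecretScrubber(secrets)
    return "".join(scrubber.write(c) for c in chunks) + scrubber.flush()


# Constructed sample: not a real token, split the way a pipe might split it.
TOKEN = "ghp_CONSTRUCTEDexample0000"
CHUNKS = ["Authorization: Bearer ghp_CONS", "TRUCTEDexam", "ple0000\nHTTP/2 200\n"]

if __name__ == "__main__":
    # Replacing inside each chunk separately misses the split token.
    naive = "".join(c.replace(TOKEN, "***") for c in CHUNKS)
    print("per-chunk replace leaks the token:", TOKEN in naive)
    print(scrub_stream(CHUNKS, [TOKEN]), end="")
```

Exact-match masking like this only catches the literal value; a base64- or URL-encoded copy of the same secret would pass through this filter unchanged.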