Secrets
Dagger allows you to utilize confidential information, such as passwords, API keys, SSH keys and so on, in your Dagger Modules and Dagger Functions, without exposing those secrets in plaintext logs, writing them into the filesystem of containers you're building, or inserting them into the cache.
Secrets can be passed to Dagger Functions as arguments using the Secret core type. Here is an example of a Dagger Function which accepts a GitHub personal access token as a secret, and uses the token to authorize a request to the GitHub API:
import { dag, object, func, Secret } from "@dagger.io/dagger"
@object()
class MyModule {
@func()
async githubApi(endpoint: string, token: Secret): Promise<string> {
const plaintext = await token.plaintext()
return await dag
.container()
.from("alpine:3.17")
.withExec(["apk", "add", "curl"])
.withExec([
"sh",
"-c",
`curl "${endpoint}" --header "Accept: application/vnd.github+json" --header "Authorization: Bearer ${plaintext}"`,
])
.stdout()
}
}
When invoking the Dagger Function using the Dagger CLI, secrets can be sourced from host environment variables (env:), the host filesystem (file:) or the result of host command execution (cmd:).
Here is an example call for this Dagger Function, with the secret sourced from a host environment variable named GITHUB_API_TOKEN:
dagger call github-api --endpoint=https://api.github.com/repos/dagger/dagger/issues --token=env:
GITHUB_API_TOKEN
Secrets can also be passed from a host file using the file source:
dagger call github-api --endpoint=https://api.github.com/repos/dagger/dagger/issues --token=file:./github.txt
...or as the result of executing a command on the host using the cmd source:
dagger call github-api --endpoint https://api.github.com/repos/dagger/dagger/issues --token cmd:"gh auth token"
Dagger automatically scrubs secrets from its various logs and output streams. This ensures that sensitive data does not leak - for example, in the event of a crash.