github.com/containers/podman/v5@v5.1.0-rc1/docs/source/markdown/options/secret.md

####> This option file is used in:
####>   podman create, run
####> If file is edited, make sure the changes
####> are applicable to all of those.
#### **--secret**=*secret[,opt=opt ...]*

Give the container access to a secret. Can be specified multiple times.

A secret is a blob of sensitive data which a container needs at runtime but
is not stored in the image or in source control, such as usernames and passwords,
TLS certificates and keys, SSH keys or other important generic strings or binary content (up to 500 kb in size).

When secrets are specified as type `mount`, the secrets are copied and mounted into the container when the container is created.
When secrets are specified as type `env`, the secret is set as an environment variable within the container.
Secrets are written in the container at the time of container creation, and modifying the secret using `podman secret` commands
after the container is created affects the secret inside the container.

Secrets and their storage are managed using the `podman secret` command.

Secret Options

- `type=mount|env`    : How the secret is exposed to the container.
                        `mount` mounts the secret into the container as a file.
                        `env` exposes the secret as an environment variable.
                        Defaults to `mount`.
- `target=target`     : Target of secret.
                        For mounted secrets, this is the path to the secret inside the container.
                        If a fully qualified path is provided, the secret is mounted at that location.
                        Otherwise, the secret is mounted to
                        `/run/secrets/target` for Linux containers or
                        `/var/run/secrets/target` for FreeBSD containers.
                        If the target is not set, the secret is mounted to `/run/secrets/secretname` by default.
                        For env secrets, this is the environment variable key. Defaults to `secretname`.
- `uid=0`             : UID of secret. Defaults to 0. Mount secret type only.
- `gid=0`             : GID of secret. Defaults to 0. Mount secret type only.
- `mode=0`            : Mode of secret. Defaults to 0444. Mount secret type only.


Examples

Mount at `/my/location/mysecret` with UID 1:
```
--secret mysecret,target=/my/location/mysecret,uid=1
```

Mount at `/run/secrets/customtarget` with mode 0777:
```
--secret mysecret,target=customtarget,mode=0777
```

Create a secret environment variable called `ENVSEC`:
```
--secret mysecret,type=env,target=ENVSEC
```
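
The option rules above, applied to a `--secret` value in Go so that the effective target, owner and mode can be reviewed before a container is created. This is an added example, not Podman's own parser: `SecretSpec`, `ResolveSecret` and `WritableByOthers` are hypothetical names, and the Linux `/run/secrets` directory is assumed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// SecretSpec holds the effective settings of one --secret value (hypothetical type).
type SecretSpec struct {
	Name, Type, Target string
	UID, GID, Mode     uint64
}

// ResolveSecret applies the documented defaults and Linux target rules; it is not Podman's parser.
func ResolveSecret(arg string) (SecretSpec, error) {
	parts := strings.Split(arg, ",")
	// Documented defaults: type=mount, target=<secret name>, uid=0, gid=0, mode=0444.
	opts := map[string]string{"type": "mount", "target": parts[0], "uid": "0", "gid": "0", "mode": "0444"}
	for _, p := range parts[1:] {
		k, v, _ := strings.Cut(p, "=")
		if _, known := opts[k]; !known {
			return SecretSpec{}, fmt.Errorf("unknown secret option %q", k)
		}
		opts[k] = v
	}
	uid, e1 := strconv.ParseUint(opts["uid"], 10, 32)
	gid, e2 := strconv.ParseUint(opts["gid"], 10, 32)
	mode, e3 := strconv.ParseUint(opts["mode"], 8, 12) // mode is octal, e.g. 0444
	if e1 != nil || e2 != nil || e3 != nil {
		return SecretSpec{}, fmt.Errorf("uid/gid must be decimal and mode octal in %q", arg)
	}
	s := SecretSpec{Name: parts[0], Type: opts["type"], Target: opts["target"], UID: uid, GID: gid, Mode: mode}
	switch {
	case s.Type != "mount" && s.Type != "env":
		return SecretSpec{}, fmt.Errorf("type must be mount or env, got %q", s.Type)
	case s.Type == "mount" && !strings.HasPrefix(s.Target, "/"):
		s.Target = "/run/secrets/" + s.Target // relative target lands under /run/secrets
	}
	return s, nil
}

// WritableByOthers flags a mounted secret whose mode lets group or other users modify it.
func (s SecretSpec) WritableByOthers() bool { return s.Type == "mount" && s.Mode&0022 != 0 }

func main() {
	s, err := ResolveSecret("mysecret,target=customtarget,mode=0777")
	fmt.Printf("%s mode=%04o writable-by-others=%v err=%v\n", s.Target, s.Mode, s.WritableByOthers(), err)
}
```

Of the three examples on this page, only the `mode=0777` mount is flagged; the default mode 0444 leaves the file read-only for every user in the container.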