View on GitHub

Arcus Security

Azure Security development in a breeze

Docker Secrets secret provider

This provider allows you to work with Docker secrets. When using Docker secrets in Docker Swarm, the secrets are injected in the Docker container as files.
The Docker secrets secret provider provides access to those secrets via the secret store.

This secret provider offers functionality which is equivalent to the KeyPerFile Configuration Provider, but instead of adding the secrets to the Configuration, this secret provider allows access to the Docker Secrets via the ISecretProvider interface.


Adding secrets from the User Secrets manager into the secret store requires following package:

PM > Install-Package Arcus.Security.Providers.DockerSecrets


After installing the package, the addtional extensions becomes available when building the secret store.

using Microsoft.Extensions.Hosting;

public class Program
    public static void Main(string[] args)

    public static IHostBuilder CreateHostBuilder(string[] args)
        return Host.CreateDefaultBuilder(args)
                   .ConfigureSecretStore((context, config, builder) =>
                        // Adds the secrets that exist in the "/run/secrets" directory to the ISecretStore
                        // Docker secrets are by default mounted into the /run/secrets directory
                        // when using Linux containers on Docker Swarm.
                        builder.AddDockerSecrets(directoryPath: "/run/secrets");
                    .ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>());

Retrieving secrets

Suppose you have the following docker-compose file:

version: '3.8'
    image: person-api:latest
        - 5555:80
        - ConnectionStrings__PersonDatabase

    external: true

After adding the Docker Secrets secret provider to the secret store, the Docker secrets can simply be retrieved by calling the appropriate methods on the ISecretProvider:

using Arcus.Security.Core;

namespace Application.Controllers
    public class PersonController
        private readonly ISecretProvider _secrets;

        public PersonController(ISecretProvider secrets)
            _secrets = secrets;

        public async Task GetPerson(Guid personId)
            string connectionstring = await _secrets.GetRawSecretAsync("ConnectionStrings:PersonDatabase")

           using (var connection = new SqlDbConnection(connectionstring))
               var person = new PersonRepository(connection).GetPersonById(personId);
               return Ok(new { Id = person.Id, Name = person.Name });

← back