---
title: Build secrets
linkTitle: Secrets
weight: 30
description: Manage credentials and other secrets securely
keywords: build, secrets, credentials, passwords, tokens, ssh, git, auth, http
tags: [Secrets]
---
A build secret is any piece of sensitive information, such as a password or API
token, consumed as part of your application's build process.
Build arguments and environment variables are inappropriate for passing secrets
to your build, because they persist in the final image. Instead, you should use
secret mounts or SSH mounts, which expose secrets to your builds securely.
## Types of build secrets
- [Secret mounts](#secret-mounts) are general-purpose mounts for passing
secrets into your build. A secret mount takes a secret from the build client
and makes it temporarily available inside the build container, for the
duration of the build instruction. This is useful if, for example, your build
needs to communicate with a private artifact server or API.
- [SSH mounts](#ssh-mounts) are special-purpose mounts for making SSH sockets
or keys available inside builds. They're commonly used when you need to fetch
private Git repositories in your builds.
- [Git authentication for remote contexts](#git-authentication-for-remote-contexts)
is a set of pre-defined secrets for when you build with a remote Git context
that's also a private repository. These secrets are "pre-flight" secrets:
they are not consumed within your build instruction, but they're used to
provide the builder with the necessary credentials to fetch the context.
## Using build secrets
For secret mounts and SSH mounts, using build secrets is a two-step process.
First you need to pass the secret into the `docker build` command, and then you
need to consume the secret in your Dockerfile.
To pass a secret to a build, use the [`docker build --secret`
flag](/reference/cli/docker/buildx/build.md#secret), or the
equivalent options for [Bake](../bake/reference.md#targetsecret).
{{< tabs >}}
{{< tab name="CLI" >}}
```console
$ docker build --secret id=aws,src=$HOME/.aws/credentials .
```
{{< /tab >}}
{{< tab name="Bake" >}}
```hcl
variable "HOME" {
default = null
}
target "default" {
secret = [
"id=aws,src=${HOME}/.aws/credentials"
]
}
```
{{< /tab >}}
{{< /tabs >}}
To consume a secret in a build and make it accessible to the `RUN` instruction,
use the [`--mount=type=secret`](/reference/dockerfile.md#run---mounttypesecret)
flag in the Dockerfile.
```dockerfile
RUN --mount=type=secret,id=aws \
AWS_SHARED_CREDENTIALS_FILE=/run/secrets/aws \
aws s3 cp ...
```
## Secret mounts
Secret mounts expose secrets to the build containers, as files or environment
variables. You can use secret mounts to pass sensitive information to your
builds, such as API tokens, passwords, or SSH keys.
### Sources
The source of a secret can be either a
[file](/reference/cli/docker/buildx/build.md#file) or an
[environment variable](/reference/cli/docker/buildx/build.md#env).
When you use the CLI or Bake, the type can be detected automatically. You can
also specify it explicitly with `type=file` or `type=env`.
The following example mounts the environment variable `KUBECONFIG` to secret ID `kube`,
as a file in the build container at `/run/secrets/kube`.
```console
$ docker build --secret id=kube,env=KUBECONFIG .
```
When you use secrets from environment variables, you can omit the `env` parameter
to bind the secret to a file with the same name as the variable.
In the following example, the value of the `API_TOKEN` variable
is mounted to `/run/secrets/API_TOKEN` in the build container.
```console
$ docker build --secret id=API_TOKEN .
```
### Target
When consuming a secret in a Dockerfile, the secret is mounted to a file by
default. The default file path of the secret, inside the build container, is
`/run/secrets/<id>`. You can customize how the secrets get mounted in the build
container using the `target` and `env` options for the `RUN --mount` flag in