Changed permissions for secrets files?

I’m using a secrets file with a Docker service and prior to today the application was able to read the file. Per best practices, the entrypoint is run as a non-root user but now it appears that the secrets file is only readable by root. Is it possible to modify the permissions on the secrets file? I’d prefer not to run my application as root in the container.

Hi, it makes sense that you wouldn’t want to run your app as root inside the container, per Docker’s best practices. Docker’s documentation says that your container should not have root access, but root is required to run/start your container.

As far as secrets are concerned, they generally shouldn’t be readable by others. So I would expect a Docker secret to be used at build time before the container has started, but not from within the container. Sorry if I’m missing something about your workflow, can you share a little more detail about how you have this set up currently and what you are accomplishing with Docker Secrets in your app?

Hi @Aaron_Gruberg thanks for your reply!

Some of the secrets the application needs are required at build time but others are required at runtime. My project has a WordPress backend and a NextJS frontend and they both require API tokens, connection strings, etc. server side at runtime.

NextJS is also somewhat special in that the primary way of getting environment variables/configuration into the application is via an .env.production file which should be placed in the root of the repo. Since Render sets ownership to root:root my applications are now unable to read secrets files without running as root.

Are you using the Render secrets file from this page, or did you wind up mounting your own? I didn’t see a secrets file associated with your service, but the Render secrets file on this page should be helpful for storing secrets in Render. If you mounted your own secrets file, can you share more detail about how that part was set up?

I’m using the Render secrets file in the FE service associated with the Design Miami team.

I can see that Render places the secrets file in the app root but it’s not clear to me how ownership of this file gets set or whether it’s configurable.
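
Added example, not part of the thread and not Render's code: a Python check that can run at container start to report who owns a secrets file, its mode, and which permission class decides whether the current non-root user can read it. The default path `.env.production` is taken from the post above; the function names are hypothetical, the mode values in the comments are assumed, and ACLs are ignored.

```python
import os
import stat
import sys


def readable_by(st_uid, st_gid, st_mode, uid, gids):
    """POSIX mode-bit check: exactly one class (owner, group or other) is consulted."""
    if uid == 0:
        # Assumption: root still holds CAP_DAC_OVERRIDE, so mode bits do not apply.
        return True, "root"
    if uid == st_uid:
        return bool(st_mode & stat.S_IRUSR), "owner"
    if st_gid in gids:
        return bool(st_mode & stat.S_IRGRP), "group"
    # A root:root file with an assumed mode of 0600 or 0640 lands here for uid 1000.
    return bool(st_mode & stat.S_IROTH), "other"


def diagnose(path, uid=None, gids=None):
    """Report owner, mode and readability for the given (default: current) identity."""
    uid = os.geteuid() if uid is None else uid
    gids = (set(os.getgroups()) | {os.getegid()}) if gids is None else set(gids)
    st = os.stat(path)
    ok, cls = readable_by(st.st_uid, st.st_gid, st.st_mode, uid, gids)
    return {
        "path": path,
        "owner": f"{st.st_uid}:{st.st_gid}",
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "checked_as": uid,
        "class": cls,
        "readable": ok,
    }


if __name__ == "__main__":
    # Path is an assumption; pass the real secrets file location as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else ".env.production"
    try:
        report = diagnose(target)
    except OSError as exc:
        sys.exit(f"{target}: {exc}")
    print(report)
    sys.exit(0 if report["readable"] else 1)
```

A result of `class: other` with `readable: False` means the file would need either a group the application user belongs to with the group read bit set, or a change of ownership, before a non-root process can open it.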