I have a Docker image (temporalio/server) that takes a path to a secrets file. I thought I would use Render’s Secrets File feature, which looks like exactly what I want:
However… when I run my build I get this bizarre error: Unable to create dynamic config client. Error: unable to read dynamic config: dynamic config file: /etc/secrets/development.yaml: open /etc/secrets/development.yaml: permission denied
(This is an improvement from before I entered in the secret file, where it reported a file does not exist error…)
So I know the file is there, but somehow it doesn't have the perms to be read. What's the point of a secret file that doesn't have read perms?? Any idea how to fix this?
Hey there,
We’ve had a similar report of this with another Docker image, Kong. In that instance, the customer identified that it was down to the image switching user. They found that by switching back to the root user, accessing the secret file and then switching back to the non-root user, they were able to access the file successfully.
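Added example (not from this thread or from Render): a shell function that applies the POSIX permission-class rule behind this kind of "permission denied", showing why a file readable only by its owner becomes unreadable once an image switches to a non-root user. The modes, the root ownership and uid/gid 1000 below are constructed values, not Render's documented settings.

```shell
#!/bin/sh
# read_access MODE OWNER_UID GROUP_GID PROC_UID "PROC_GIDS"
# Prints "<class>:<readable|denied>" for a read attempt.
# On a live container the inputs would come from `ls -ln <file>` and `id`;
# here every value is passed in explicitly (constructed sample data).
read_access() {
    mode=$1; owner=$2; group=$3; uid=$4; gids=$5

    # uid 0 is not subject to the read bit (CAP_DAC_OVERRIDE on Linux).
    if [ "$uid" -eq 0 ]; then
        echo "root:readable"
        return 0
    fi

    # Keep the last three octal digits: owner, group, other.
    last3=${mode#"${mode%???}"}

    # Exactly one class applies, chosen in this order: owner, group, other.
    class=other
    digit=${last3#??}
    for g in $gids; do
        if [ "$g" -eq "$group" ]; then
            class=group
            digit=${last3#?}
            digit=${digit%?}
        fi
    done
    if [ "$uid" -eq "$owner" ]; then
        class=owner
        digit=${last3%??}
    fi

    # The read bit has value 4, so octal digits 4-7 grant read.
    case $digit in
        [4-7]) echo "$class:readable" ;;
        *)     echo "$class:denied" ;;
    esac
}

# Constructed scenarios: a root-owned file and a process running as uid 1000.
read_access 0400 0 0 0 "0"           # process still running as root
read_access 0400 0 0 1000 "1000"     # after the image switches user
read_access 0440 0 1000 1000 "1000"  # file group matches the service user
```

The third scenario shows the narrower alternative to running the whole service as root: giving the service user's group read access to the file, where the platform allows the ownership or mode to be set.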
I had the same issue here; the only solution I could find was to modify my Dockerfile to run as root.
I’m looking into running HashiCorp Vault as my secrets manager instead of the built-in feature to get more control and security. Lack of user roles/permissions in Render (any team member can view/edit without version control) makes storing secrets via the secrets file a poor long-term solution.