docker / build-push-action

GitHub Action to build and push Docker images with Buildx
https://github.com/marketplace/actions/build-and-push-docker-images
Apache License 2.0

Permission denied when accessing secrets #1210

Closed dluo-sig closed 3 months ago

dluo-sig commented 3 months ago

Contributing guidelines

I've found a bug, and:

Description

I'm trying to pass secrets to use in the Dockerfile, but when setting it up based on some of the other examples that I've seen here, I'm getting a permission error.

Expected behaviour

I would expect that I can read my secret and export it into an env variable to use in the build session.

Actual behaviour

Permission denied error

Repository URL

No response

Workflow run URL

No response

YAML workflow

uses: docker/build-push-action@v4
with:
  context: .
  build-args: ENVIRONMENT_NAME=prod
  secrets: |
    "OP_SERVICE_ACCOUNT_TOKEN=${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}"
  push: true
  tags: ${{ env.IMAGE_REGISTRY }}:${{ env.IMAGE_TAG }}-orchestration
  cache-from: type=gha
  cache-to: type=gha,mode=max

Dockerfile

FROM 1password/op:2

WORKDIR /opt/app
COPY . /opt/app

ARG ENVIRONMENT_NAME

RUN --mount=type=secret,id=OP_SERVICE_ACCOUNT_TOKEN \
  export OP_SERVICE_ACCOUNT_TOKEN=$(cat /run/secrets/OP_SERVICE_ACCOUNT_TOKEN) && \
  op inject -i src/elt_projects/dbt/profiles.${ENVIRONMENT_NAME}.yml -o src/elt_projects/dbt/profiles.yml --force

Workflow logs

#11 [stage-0 2/4] WORKDIR /opt/dagster/app
#11 DONE 0.9s
#12 [stage-1 2/7] WORKDIR /opt/dagster/app
#12 DONE 0.3s
#13 [stage-0 3/4] COPY . /opt/dagster/app
#13 DONE 0.0s
#14 [stage-0 4/4] RUN --mount=type=secret,id=OP_SERVICE_ACCOUNT_TOKEN   export OP_SERVICE_ACCOUNT_TOKEN=$(cat /run/secrets/OP_SERVICE_ACCOUNT_TOKEN) &&   op inject -i src/elt_projects/dbt/profiles.prod.yml -o src/elt_projects/dbt/profiles.yml --force
#14 1.072 cat: /run/secrets/OP_SERVICE_ACCOUNT_TOKEN: Permission denied

BuildKit logs

No response

Additional info

crazy-max commented 3 months ago

Might be related to the base image you are using, 1password/op:2: https://explore.ggcr.dev/?blob=1password/op@sha256:df5061b63df9f13ef4e7ec7033d4f3be14236f08790f6d5e60e72bed36359ebc&mt=application%2Fvnd.oci.image.config.v1%2Bjson&size=1577&manifest=1password/op@sha256:c093f74945920677a6e8c2808e6603afe97c5d7844791c08bd3b2b2c7628a93b, which sets a specific user (USER opuser).

As this base image seems to just ship the op binary, can you try with the following Dockerfile using another base to see if this is related?

FROM debian:bookworm-slim

WORKDIR /opt/app
COPY . /opt/app

ARG ENVIRONMENT_NAME

RUN --mount=type=bind,from=1password/op:2,source=/usr/local/bin/op,target=/usr/bin/op \
    --mount=type=secret,id=OP_SERVICE_ACCOUNT_TOKEN \
  export OP_SERVICE_ACCOUNT_TOKEN=$(cat /run/secrets/OP_SERVICE_ACCOUNT_TOKEN) && \
  op inject -i src/elt_projects/dbt/profiles.${ENVIRONMENT_NAME}.yml -o src/elt_projects/dbt/profiles.yml --force

You can also set uid / gid attrs based on what we see in image config: https://explore.ggcr.dev/?blob=1password%2Fop%40sha256%3Adf5061b63df9f13ef4e7ec7033d4f3be14236f08790f6d5e60e72bed36359ebc&jq=.history%5B2%5D.created_by&manifest=1password%2Fop%40sha256%3Ac093f74945920677a6e8c2808e6603afe97c5d7844791c08bd3b2b2c7628a93b&mt=application%2Fvnd.oci.image.config.v1%2Bjson&render=created_by&size=1577

FROM 1password/op:2

WORKDIR /opt/app
COPY . /opt/app

ARG ENVIRONMENT_NAME

RUN --mount=type=secret,id=OP_SERVICE_ACCOUNT_TOKEN,uid=999,gid=999 \
  export OP_SERVICE_ACCOUNT_TOKEN=$(cat /run/secrets/OP_SERVICE_ACCOUNT_TOKEN) && \
  op inject -i src/elt_projects/dbt/profiles.${ENVIRONMENT_NAME}.yml -o src/elt_projects/dbt/profiles.yml --force
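The thread's root cause is a BuildKit default rather than anything in the action: a `--mount=type=secret` file is created as uid 0, gid 0, mode 0400, so a stage whose base image already switched to a non-root `USER` cannot read it unless the mount sets `uid=`, `gid=` or `mode=`. The script below is an added example (not part of docker/build-push-action or the 1Password image) that lints a Dockerfile for exactly that mismatch. Because the offending `USER` lives in the base image config and not in the Dockerfile, the checker takes the base image's user as a second argument (the value `docker image inspect -f '{{.Config.User}}' 1password/op:2` would return), so it runs offline; it assumes every `FROM` in the file uses that same base. The sample Dockerfiles are constructed copies of the three variants in this thread, trimmed to the instructions that matter.

```shell
#!/usr/bin/env sh
# Added example; not part of docker/build-push-action or 1Password's image.
# Flags `RUN --mount=type=secret` mounts that the stage's effective user
# cannot read: BuildKit writes a secret as uid 0, gid 0, mode 0400 unless
# the mount sets uid=, gid= or mode=, which is why `cat /run/secrets/...`
# failed under the base image's `USER opuser`.
#
# Usage: check_secret_mounts <Dockerfile> <base-image-user>
#   <base-image-user> is the USER recorded in the base image config, i.e.
#   what `docker image inspect -f '{{.Config.User}}' IMAGE` prints. It is
#   passed explicitly so the check runs offline; a USER instruction in the
#   Dockerfile overrides it. Assumption: every FROM uses that same base.
# Prints one line per unreadable mount and returns 1 if any was found.
check_secret_mounts() {
  dockerfile=$1
  base_user=${2:-}
  # Join backslash-continued lines so a multi-line RUN becomes one record.
  sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$dockerfile" |
  awk -v base_user="$base_user" '
    BEGIN { user = base_user; found = 0 }
    toupper($1) == "FROM" { user = base_user; next }
    toupper($1) == "USER" { user = $2; next }
    toupper($1) == "RUN" && $0 ~ /--mount=type=secret/ {
      # "", "root", "0" and "0:0" all run as uid 0 and can read a 0400 root-owned file.
      nonroot = !(user == "" || user == "root" || user ~ /^0(:0)?$/)
      n = split($0, parts, /--mount=/)
      for (i = 2; i <= n; i++) {
        if (parts[i] !~ /^type=secret/) continue
        split(parts[i], opt, / /)   # mount options run up to the first space
        # Any explicit uid=/gid=/mode= is treated as deliberate; review its value by hand.
        if (nonroot && opt[1] !~ /(^|,)(uid|gid|mode)=/) {
          printf "secret mount %s is unreadable for user %s (default: uid 0, mode 0400)\n", opt[1], user
          found = 1
        }
      }
    }
    END { exit found }
  '
}

# Constructed samples, adapted from the three Dockerfiles in this thread.
write_samples() {
  dir=$1
  # 1. Reporter's version: base image runs as opuser, mount left at defaults.
  cat > "$dir/Dockerfile.original" <<'EOF'
FROM 1password/op:2
RUN --mount=type=secret,id=OP_SERVICE_ACCOUNT_TOKEN \
  export OP_SERVICE_ACCOUNT_TOKEN=$(cat /run/secrets/OP_SERVICE_ACCOUNT_TOKEN) && \
  op inject -i src/elt_projects/dbt/profiles.${ENVIRONMENT_NAME}.yml -o src/elt_projects/dbt/profiles.yml --force
EOF
  # 2. Same base, secret file owned by the image's uid/gid 999.
  cat > "$dir/Dockerfile.uid" <<'EOF'
FROM 1password/op:2
RUN --mount=type=secret,id=OP_SERVICE_ACCOUNT_TOKEN,uid=999,gid=999 \
  export OP_SERVICE_ACCOUNT_TOKEN=$(cat /run/secrets/OP_SERVICE_ACCOUNT_TOKEN) && \
  op inject -i src/elt_projects/dbt/profiles.${ENVIRONMENT_NAME}.yml -o src/elt_projects/dbt/profiles.yml --force
EOF
  # 3. Root-running Debian stage that only bind-mounts the op binary.
  cat > "$dir/Dockerfile.debian" <<'EOF'
FROM debian:bookworm-slim
RUN --mount=type=bind,from=1password/op:2,source=/usr/local/bin/op,target=/usr/bin/op \
    --mount=type=secret,id=OP_SERVICE_ACCOUNT_TOKEN \
  export OP_SERVICE_ACCOUNT_TOKEN=$(cat /run/secrets/OP_SERVICE_ACCOUNT_TOKEN) && \
  op inject -i src/elt_projects/dbt/profiles.${ENVIRONMENT_NAME}.yml -o src/elt_projects/dbt/profiles.yml --force
EOF
}

# Demo: "opuser" stands in for the value read from the 1password/op:2 image config.
tmp=$(mktemp -d)
write_samples "$tmp"
check_secret_mounts "$tmp/Dockerfile.original" opuser || echo "-> fix: add uid=/gid= (or mode=) to the mount, or run the stage as root"
check_secret_mounts "$tmp/Dockerfile.uid" opuser && echo "Dockerfile.uid: ok"
check_secret_mounts "$tmp/Dockerfile.debian" "" && echo "Dockerfile.debian: ok"
rm -rf "$tmp"
```

Prefer `uid=`/`gid=` matching the image's user over a permissive `mode=0444`, which would make the secret readable by every uid in the build container. The secret file itself is never written to a layer, but the `profiles.yml` that `op inject -o` produces is part of the build context that ends up in the image, so what it resolves to deserves the same review as the mount options.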

dluo-sig commented 3 months ago

That was it! It works fine with a different image. Appreciate all the detail on this, learned a few new tricks as well.