Docker Compose
Two approaches for injecting secrets into Docker Compose services.
Approach 1: Wrap the Command (Recommended)
Run `docker compose` under `skret run --` so all secrets are available as environment variables:

```bash
skret run -- docker compose up -d
```

Docker Compose inherits the environment from its parent process. Secrets set by `skret run` are passed to containers via the `environment` directive in `docker-compose.yml`:

```yaml
services:
  app:
    image: myapp:latest
    environment:
      - DATABASE_URL
      - REDIS_URL
      - API_KEY
```

Each listed variable is forwarded from the host environment (set by skret) into the container. This is the cleanest approach — no `.env` file on disk.
With Makefile
```makefile
up-app:
	skret run -- docker compose up -d app

down-app:
	docker compose down app

logs:
	docker compose logs -f app
```

Approach 2: Generate .env File
For tools or workflows that require a `.env` file:

```bash
skret env > .env
docker compose up -d
```

Reference in `docker-compose.yml`:

```yaml
services:
  app:
    image: myapp:latest
    env_file:
      - .env
```

Drawbacks:
- Secrets written to disk (even temporarily)
- Must regenerate `.env` when secrets change
- Must ensure `.env` is in `.gitignore`
Atomic Update Pattern
If you must use `.env`, regenerate it before each start:

```makefile
up-app:
	skret env > .env
	docker compose up -d app
	rm -f .env

down-app:
	docker compose down app
```

Approach Comparison
| Aspect | `skret run --` | `skret env > .env` |
|---|---|---|
| Secrets on disk | No | Yes (temporary) |
| Auto-updates | Yes (fetched each run) | No (manual regenerate) |
| Works offline | Only with local provider | Yes, once generated |
| Docker Compose version | Any | Any |
| CI/CD friendly | Yes | Yes |
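
In the Atomic Update Pattern, `make` stops the recipe at the first failing command, so a failed `docker compose up` skips `rm -f .env`, and the redirect creates the file with the default umask. The shell function below is an added example, not part of skret or its documentation, that keeps the file owner-only and removes it on every exit path; `with_env_file` and `ENV_GENERATOR` are hypothetical names.

```shell
#!/bin/sh
# Added example, not skret's own code. with_env_file and ENV_GENERATOR are
# hypothetical names introduced for this illustration.
#
# Usage (e.g. as the up-app recipe): with_env_file .env docker compose up -d app
#
# ENV_GENERATOR is the command whose stdout becomes the file. It defaults to
# the page's "skret env" and is word-split, so keep it to plain arguments.

with_env_file() (
    if [ $# -lt 2 ]; then
        echo "usage: with_env_file ENV_FILE COMMAND [ARG...]" >&2
        exit 2
    fi
    env_file=$1
    shift

    # Delete the file on every exit path: success, failure, or signal.
    trap 'rm -f -- "$env_file"' EXIT
    trap 'exit 1' HUP INT TERM

    # A leftover file keeps its old mode when truncated, so remove it first,
    # then create the new one under umask 077 (mode 0600, owner only).
    rm -f -- "$env_file"
    old_umask=$(umask)
    umask 077
    ${ENV_GENERATOR:-skret env} > "$env_file" || exit 1
    umask "$old_umask"

    # Run the consumer and hand its exit status back to the caller (make, CI).
    "$@"
    exit $?
)
```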
Multi-Environment
```bash
# Start development services (pull from dev SSM path or local .secrets.dev.yaml)
skret --env=dev run -- docker compose -f docker-compose.yml -f docker-compose.dev.yml up -d

# Start production services
skret --env=prod run -- docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d
```

Environment names are whatever you defined in `.skret.yaml` — prod/dev is the minimal pair; add staging, qa, preview, etc. if your workflow needs them.
Migrating from .env
If you currently use `.env` files with Docker Compose:

```bash
# 1. Import existing .env into skret
skret import --from=dotenv --file=.env

# 2. Verify secrets were imported
skret list

# 3. Switch docker-compose.yml from env_file to environment
# Before:
#   env_file: .env
# After:
#   environment:
#     - DATABASE_URL
#     - REDIS_URL

# 4. Run with skret
skret run -- docker compose up -d

# 5. Remove .env once confirmed
rm .env
```