Build secrets from compose file are ignored if features are specified

[kahrpatrick]

Problem

When specifying features and dockerComposeFile in devcontainer.json, build secrets specified in the referenced compose file get ignored when generating the compose override file.

Building the container will exit with:

failed to solve: unexpected key 'env' in 'env=SOME_SECRET'
Error: Command failed: docker compose --project-name ...

Steps to reproduce

1. Create a compose file with build secrets:

---
services:
  my-service:
    image: my-image
    build:
      secrets:
        - some-secret
      ...
secrets:
  some-secret:
    file: /path/to/secret/file
...

2. Consume secrets in Dockerfile:

...

RUN --mount=type=secret,id=some-secret,env=SOME_SECRET ...
...

3. Create devcontainer configuration:

{
  ...
  "dockerComposeFile": "./my-compose.yml",
  "service": "my-service",
  "features": {
    "some-feature": {}
  }
  ...
}

4. Build the container with: devcontainer build --no-cache --workspace-folder . and observe failure log.
5. Comment the "features" option in the devcontainer config file and build with success.

Versions

devcontainer: 0.76.0
docker: 28.0.4
docker compose: 2.34.0
platform: Linux (6.6.85-2-MANJARO)

[scott-force]

I also ran into this exact problem in the same manner

failed to solve: unexpected key 'env' in 'env={MY_ENV_VAR}'

[sireeshajonnalagadda]

Hi @kahrpatrick,
you can consume secrets by exporting instead of the env variable in the RUN statement and features are work with the build secrets.
Hope this workaround helps! you can check it (here)

please feel free to reach out to me!

[kahrpatrick]

Hi @kahrpatrick, you can consume secrets by exporting instead of the env variable in the RUN statement and features are work with the build secrets. Hope this workaround helps! you can check it (here)

please feel free to reach out to me!

Hi, I think I do not fully understand your workaround. I want to pass secrets to the build context. The 'environment' option is not suitable for secrets and is not available at build-time.
If I run your example code it doesn't seem to work, /output.txt does not contain the secret value.

[sireeshajonnalagadda]

Hi @kahrpatrick,
Could you please provide the specific devcontainer configurations and steps you followed, as well as the objective you are aiming to achieve? Additionally, could you clarify the need to mount the secrets, and specify the type of secrets you are using?

I’ve tested this configuration on my end, and it worked successfully.

Dockerfile

FROM mcr.microsoft.com/vscode/devcontainers/python:3.9
WORKDIR /workspace
RUN --mount=type=secret,id=some-secret
cat /run/secrets/some-secret > /workspace/secret.txt
RUN --mount=type=secret,id=some-secret
export SOME_SECRET=$(cat /run/secrets/some-secret) &&
echo "The secret is: $SOME_SECRET" > /workspace/secret_output.txt

The file /workspace/secret_output.txt will contain the secret value within the container, provided it is specified in ./secrets/secret.txt, which is linked to the compose file.

devcontainer.json
{
"name": "My DevContainer",
"dockerComposeFile": "./docker-compose.yml",
"service": "my-service",
"workspaceFolder": "/workspace",
"features": {
""ghcr.io/devcontainers/features/docker-in-docker":{}
},
"postCreateCommand": "echo 'Container setup complete!'",
"remoteUser": "vscode"
}

Passing secrets to the build context

docker-compose.yml

version: '3.8'
services:
my-service:
build:
context: .
dockerfile: Dockerfile
secrets:
- some-secret
image: my-image
# Additional configurations
secrets:
some-secret:
file: ./secrets/secret.txt

Hope this workaround helps!
If you have any concerns or continue to experience issues after applying this workaround, please feel free to reach out to me.

Thanks,
sireesha

[sireeshajonnalagadda]

Hi @kahrpatrick ,
It’s been a month since our last communication, and I trust the issue has been resolved by now using the workaround provided.
I'll go ahead and close it.

If you have any further concerns, don't hesitate to reopen the issue!