Set secret/config uid:gid to match container's USER

ndeloof · ndeloof · commit ee75be342b8d · 2025-10-16T17:43:04.000+02:00
Signed-off-by: Nicolas De Loof &lt;nicolas.deloof@gmail.com&gt;
diff --git a/pkg/compose/run.go b/pkg/compose/run.go
@@ -133,12 +133,17 @@ func (s *composeService) prepareRun(ctx context.Context, project *types.Project,
 		return "", err
 	}
 
-	err = s.injectSecrets(ctx, project, service, created.ID)
+	ctr, err := s.apiClient().ContainerInspect(ctx, created.ID)
+	if err != nil {
+		return "", err
+	}
+
+	err = s.injectSecrets(ctx, project, service, ctr.ID)
 	if err != nil {
 		return created.ID, err
 	}
 
-	err = s.injectConfigs(ctx, project, service, created.ID)
+	err = s.injectConfigs(ctx, project, service, ctr.ID)
 	return created.ID, err
 }
 
diff --git a/pkg/compose/secrets.go b/pkg/compose/secrets.go
@@ -22,13 +22,15 @@ import (
 	"context"
 	"fmt"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/compose-spec/compose-go/v2/types"
 	"github.com/docker/docker/api/types/container"
 )
 
 func (s *composeService) injectSecrets(ctx context.Context, project *types.Project, service types.ServiceConfig, id string) error {
+	var ctrConfig *container.Config
 	for _, config := range service.Secrets {
 		file := project.Secrets[config.Source]
 		if file.Environment == "" {
@@ -53,6 +55,25 @@ func (s *composeService) injectSecrets(ctx context.Context, project *types.Proje
 			}
 			content = env
 		}
+
+		if config.UID == "" && config.GID == "" {
+			if ctrConfig == nil {
+				ctr, err := s.apiClient().ContainerInspect(ctx, id)
+				if err != nil {
+					return err
+				}
+				ctrConfig = ctr.Config
+			}
+
+			parts := strings.Split(ctrConfig.User, ":")
+			if len(parts) > 0 {
+				config.UID = parts[0]
+			}
+			if len(parts) > 1 {
+				config.GID = parts[1]
+			}
+		}
+
 		b, err := createTar(content, types.FileReferenceConfig(config))
 		if err != nil {
 			return err
@@ -69,6 +90,7 @@ func (s *composeService) injectSecrets(ctx context.Context, project *types.Proje
 }
 
 func (s *composeService) injectConfigs(ctx context.Context, project *types.Project, service types.ServiceConfig, id string) error {
+	var ctrConfig *container.Config
 	for _, config := range service.Configs {
 		file := project.Configs[config.Source]
 		content := file.Content
@@ -91,6 +113,24 @@ func (s *composeService) injectConfigs(ctx context.Context, project *types.Proje
 			config.Target = "/" + config.Source
 		}
 
+		if config.UID == "" && config.GID == "" {
+			if ctrConfig == nil {
+				ctr, err := s.apiClient().ContainerInspect(ctx, id)
+				if err != nil {
+					return err
+				}
+				ctrConfig = ctr.Config
+			}
+
+			parts := strings.Split(ctrConfig.User, ":")
+			if len(parts) > 0 {
+				config.UID = parts[0]
+			}
+			if len(parts) > 1 {
+				config.GID = parts[1]
+			}
+		}
+
 		b, err := createTar(content, types.FileReferenceConfig(config))
 		if err != nil {
 			return err
diff --git a/pkg/e2e/fixtures/env-secret/compose.yaml b/pkg/e2e/fixtures/env-secret/compose.yaml
@@ -14,6 +14,23 @@ services:
         mode: 0440
     command: cat /run/secrets/bar
 
+  bar:
+    image: alpine
+    user: "1005"
+    secrets:
+      - source: secret
+        target: bar
+    command: cat /run/secrets/bar
+
+  zot:
+    image: alpine
+    user: "1005:1005"
+    secrets:
+      - source: secret
+        target: bar
+    command: cat /run/secrets/bar
+
+
 secrets:
   secret:
     environment: SECRET
diff --git a/pkg/e2e/secrets_test.go b/pkg/e2e/secrets_test.go
@@ -40,6 +40,21 @@ func TestSecretFromEnv(t *testing.T) {
 			})
 		res.Assert(t, icmd.Expected{Out: "-r--r-----    1 1005     1005"})
 	})
+	t.Run("secret uid from user", func(t *testing.T) {
+		res := icmd.RunCmd(c.NewDockerComposeCmd(t, "-f", "./fixtures/env-secret/compose.yaml", "run", "bar", "ls", "-al", "/var/run/secrets/bar"),
+			func(cmd *icmd.Cmd) {
+				cmd.Env = append(cmd.Env, "SECRET=BAR")
+			})
+		res.Assert(t, icmd.Expected{Out: "-r--r--r--    1 1005     root"})
+	})
+	t.Run("secret uid:gid from user", func(t *testing.T) {
+		res := icmd.RunCmd(c.NewDockerComposeCmd(t, "-f", "./fixtures/env-secret/compose.yaml", "run", "zot", "ls", "-al", "/var/run/secrets/bar"),
+			func(cmd *icmd.Cmd) {
+				cmd.Env = append(cmd.Env, "SECRET=BAR")
+			})
+		res.Assert(t, icmd.Expected{Out: "-r--r--r--    1 1005     1005"})
+	})
+
 }
 
 func TestSecretFromInclude(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -133,12 +133,17 @@ func (s composeService) prepareRun(ctx context.Context, project types.Project,`
`133`	`133`	`return "", err`
`134`	`134`	`}`
`135`	`135`
`136`		`- err = s.injectSecrets(ctx, project, service, created.ID)`
	`136`	`+ ctr, err := s.apiClient().ContainerInspect(ctx, created.ID)`
	`137`	`+ if err != nil {`
	`138`	`+ return "", err`
	`139`	`+ }`
	`140`	`+`
	`141`	`+ err = s.injectSecrets(ctx, project, service, ctr.ID)`
`137`	`142`	`if err != nil {`
`138`	`143`	`return created.ID, err`
`139`	`144`	`}`
`140`	`145`
`141`		`- err = s.injectConfigs(ctx, project, service, created.ID)`
	`146`	`+ err = s.injectConfigs(ctx, project, service, ctr.ID)`
`142`	`147`	`return created.ID, err`
`143`	`148`	`}`
`144`	`149`