Integrations

Docker

Provide environment variables to Docker containers at build and runtime using the dotEnv CLI.

Docker containers need their environment variables at runtime, not baked into the image. This guide shows how to deliver secrets from dotEnv Cloud into a container safely, keeping plaintext out of image layers and your Dockerfile.

Why not bake secrets into the image

Anything copied or set during docker build becomes part of an image layer, which is trivially inspectable. The correct approach is to fetch secrets at container start, or to pull them on the host and inject them with --env-file.

Option 1: an entrypoint that pulls at start

Install the CLI in your image, then have the entrypoint pull secrets and exec your application. The API key is provided to the running container, never the build:

Dockerfile
FROM node:20-slim
# Install the dotEnv CLI into the image; no secrets are fetched at build time
RUN apt-get update && apt-get install -y curl \
  && curl -sSL https://dotenv.cloud/install.sh | bash
WORKDIR /app
COPY . .
COPY entrypoint.sh /entrypoint.sh
# Make sure the entrypoint is executable regardless of the build context's file modes
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]

entrypoint.sh
#!/bin/sh
set -e
# Fail fast with a clear message if the runtime API key was not supplied
: "${DOTENV_API_KEY:?DOTENV_API_KEY must be set with docker run -e}"
# Pull secrets into the process environment, then run the app
eval "$(dotenv export my-app/production/api --format=shell)"
exec node server.js

Run the container with the API key supplied at start time:

terminal
docker run -e DOTENV_API_KEY="$DOTENV_API_KEY" my-app

Option 2: pull on the host, inject with --env-file

If you would rather keep the CLI out of the image entirely, pull a .env file on the host and pass it to docker run:

terminal
# Generate the file on the host
dotenv pull my-app/production/api --output=.env
# Inject it at runtime (never COPY it into the image)
docker run --env-file .env my-app
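
As an added example (not the dotEnv project's own code), the host-side flow above wrapped in a small script: the pulled .env file is created with mode 0600 in a private temporary directory, removed when the container exits, and a guard refuses to proceed unless .dockerignore in the build context excludes .env, so a later `COPY . .` cannot pick it up. It assumes the page's `dotenv pull ... --output=FILE` syntax; `run_with_secrets` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not the dotEnv project's own code.
set -eu

# Pull secrets for PROJECT into a fresh mode-0600 file inside a 0700 temp dir.
# Prints the file path. Uses the page's `dotenv pull <project> --output=FILE`.
pull_env_file() {
  project=$1
  dir=$(mktemp -d)            # private directory, created 0700
  chmod 700 "$dir"
  file="$dir/.env"
  ( umask 077; : > "$file" )  # pre-create the file so it never exists world-readable
  dotenv pull "$project" --output="$file"
  chmod 600 "$file"           # re-assert in case the CLI replaced the file
  printf '%s\n' "$file"
}

# Returns 0 if .dockerignore in CONTEXT lists .env (so COPY . . cannot include it), else 1.
dockerignore_excludes_env() {
  context=$1
  [ -f "$context/.dockerignore" ] && grep -qxE '\.env|\*\*/\.env|\.env\*' "$context/.dockerignore"
}

# Run IMAGE with secrets from PROJECT; the env file is deleted when the container exits.
# CONTEXT is the build context of IMAGE and must ignore .env before we create one.
run_with_secrets() {
  project=$1; image=$2; context=$3; shift 3
  if ! dockerignore_excludes_env "$context"; then
    echo "refusing: $context/.dockerignore does not exclude .env" >&2
    return 1
  fi
  file=$(pull_env_file "$project")
  trap 'rm -rf "$(dirname "$file")"' EXIT INT TERM
  docker run --rm --env-file "$file" "$image" "$@"
}
```

Invoke it as `run_with_secrets my-app/production/api my-app . ` from the directory holding the Dockerfile; because the file lives under a per-run temp directory, two concurrent runs never share or clobber each other's secrets.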

Dockerfile-format output

The CLI can also emit ENV declarations in Dockerfile syntax with --format=dockerfile, which is handy when generating fragments for a build pipeline:

terminal
dotenv export my-app/production/api --format=dockerfile

If you generate Dockerfile ENV lines, treat the result as sensitive and never commit it, since the values end up in image layers.

Client-managed encryption

For client-managed projects, provide the key through DOTENV_CLIENT_KEY or mount a key file and pass --client-key=/run/secrets/dotenv.key. Combined with Docker secrets, the key never touches an image layer.

To take this into an orchestrator, continue with Kubernetes.