Container Security (Env Passwords)

[shealavington]

Hi All,

I'm looking to modernise my Laravel application by moving it into an image for containerizing in the cloud. I'm curious what the Laravel Team, Laravel Community & Docker Community, or really any developer thinks about the situation I am in.

A colleague of mine (never used containers afaik) has raised a concern they have regarding the security of passing the DB_PASSWORD through the containers environment variables. They mentioned that they believe that passwords in the system environment variables at the root of the container would be dangerous.

Would you consider it safe enough to pass a docker container an environment variable containing the DB_PASSWORD? I believe that as a single application container, the risk is mitigated when using a VNetwork for database access.

I'm curious to know if anyone knows if it is considered safe or unsafe to pass DB_PASSWORD to a container, or if I should be highly considering the use of a Key-Vault with custom authentication instead of using the env file or container env variables?

Any responses with opinions or experience are welcome. Request speed, developer ease of development, and low maintenance, are all highly important.

Thanks,
Shea