
DockerImageCode.from_image_asset incorrectly generating Docker build command


I'm using CDK (Python) to define a Lambda container image to deploy using GitHub Actions:

from aws_cdk.aws_lambda import DockerImageCode

github_token_value = "testtoken123"  # example for testing purposes

# Lambda container image built from docker/aws/Dockerfile.lambda.build;
# build_secrets is meant to expose the token to the build as a BuildKit secret
DockerImageCode.from_image_asset(
    directory=".",
    file="docker/aws/Dockerfile.lambda.build",
    cmd=["lambda_handler.handler"],
    build_secrets={"github_token": github_token_value},
)

The CDK should theoretically put the secret, in this case github_token_value, in a temporary file on the test runner. Here's the Docker build command the CDK is generating:

docker build --secret id=github_token,testtoken123 ...<other portion of the generated command> . 

I'm getting the error:

exited with error code 1: ERROR: invalid field 'testtoken123' must be a key=value pair

I would expect something like this instead where the secret is stored in a key/value pattern in the file /path/to/temporary/file:

docker build --secret id=github_token,src=/path/to/temporary/file ...<other portion of the generated command> . 

Is there a bug with CDK? I'm using AWS CDK lib version 2.200. Yes, I have Docker BuildKit enabled.

1 Answer

It appears there is an issue with how the build_secrets parameter is being processed in your CDK code. The error you're seeing occurs because the Docker BuildKit expects secrets to be passed in a specific format.

When using build_secrets with DockerImageCode.from_image_asset() or similar methods, the CDK should indeed store the secret value in a temporary file and then reference that file in the Docker build command. The correct format for the --secret flag should be --secret id=github_token,src=/path/to/temporary/file as you mentioned.

The command being generated (--secret id=github_token,testtoken123) is incorrect - it's trying to use the actual token value directly in the command line rather than storing it in a file and referencing the file path.

This appears to be a bug in how the CDK is handling build secrets in version 2.200. You might want to:

  1. Try updating to the latest CDK version to see if this has been fixed
  2. As a workaround, you could create a temporary file with your secret and use the build_args parameter instead, with a reference to that file
  3. File an issue in the AWS CDK GitHub repository to report this bug

Remember that Docker BuildKit must be enabled to use build secrets, which you've confirmed is the case in your environment.

answered 10 months ago
EXPERT
reviewed 10 months ago
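As an added example (not code from the question, the answer, or aws-cdk-lib), this is the shape the answer describes: each build_secrets value goes into a temporary file and the build gets --secret id=<name>,src=<path>, and a small check rejects a flag whose field is not key=value, which is the rule behind the error in the question. render_secret_flags, validate_secret_spec, leaks_value and remove_secret_files are assumed helper names, and the validator only mimics the key=value rule from the error message rather than reproducing BuildKit's parser.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Assumed helper: write each build secret to a temp file (mkstemp creates it
# readable by the owner only) and return the "--secret id=<name>,src=<path>"
# arguments BuildKit expects, plus the temp paths so the caller can remove them.
def render_secret_flags(build_secrets: Dict[str, str]) -> Tuple[List[str], List[str]]:
    flags: List[str] = []
    paths: List[str] = []
    for secret_id, value in build_secrets.items():
        # A comma or '=' inside the id would corrupt the comma-separated spec.
        if not re.fullmatch(r"[A-Za-z0-9_.-]+", secret_id):
            raise ValueError(f"unsafe secret id: {secret_id!r}")
        fd, path = tempfile.mkstemp(prefix="cdk-secret-")
        try:
            os.write(fd, value.encode())
        finally:
            os.close(fd)
        flags += ["--secret", f"id={secret_id},src={path}"]
        paths.append(path)
    return flags, paths

# Mimics the rule behind the error in the question: the --secret value is a
# comma-separated list and every field must be key=value. The generated
# "id=github_token,testtoken123" fails here on the bare token field.
def validate_secret_spec(spec: str) -> Dict[str, str]:
    fields: Dict[str, str] = {}
    for field in spec.split(","):
        if "=" not in field:
            raise ValueError(f"invalid field '{field}' must be a key=value pair")
        key, _, val = field.partition("=")
        fields[key] = val
    if "id" not in fields:
        raise ValueError("secret spec missing 'id'")
    return fields

# True when the secret literal itself ended up on the command line, where it
# would show in CI logs and process listings; the src= form keeps it out.
def leaks_value(argv: List[str], value: str) -> bool:
    return any(value in arg for arg in argv)

def remove_secret_files(paths: List[str]) -> None:
    for p in paths:
        os.unlink(p)

if __name__ == "__main__":
    flags, paths = render_secret_flags({"github_token": "testtoken123"})
    try:
        print(validate_secret_spec(flags[1]))
        print(leaks_value(flags, "testtoken123"))
    finally:
        remove_secret_files(paths)
```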
