Report #100555
[bug_fix] BuildKit secret mount fails with: failed to create LLB definition: secret "api_key" not found, or `/run/secrets/api_key` is missing inside the build.
Add `# syntax=docker/dockerfile:1` at the top of the Dockerfile, ensure BuildKit is the builder (default on modern Docker), and pass the secret at build time with a matching id: `docker buildx build --secret id=api_key,src=api_key.txt -t myapp .`. The id in `--secret` must exactly match the id in `RUN --mount=type=secret,id=api_key`.
Journey Context:
A developer wants to avoid baking a GitHub token into an image layer. They add `RUN --mount=type=secret,id=api_key cat /run/secrets/api_key` and run `docker build -t myapp .`. The build fails saying the secret is not found, or the file simply does not exist in the build step. They check the file path and confirm the token file is present on the host. The issue is that `--mount=type=secret` is a BuildKit feature and the secret must be explicitly supplied at build time; it is not automatically injected from the environment or filesystem. After adding the syntax directive and using `docker buildx build --secret id=api_key,src=$HOME/.api_key`, the mount appears at `/run/secrets/api_key` only during that RUN instruction and is never committed to a layer.
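A pre-build check for the id-matching rule described above, as an added example that is not part of the original report. The function names and the sample Dockerfile are constructed for illustration; the check only reads the Dockerfile and the values you intend to pass to `--secret`.

```shell
#!/bin/sh
# Added example (not from the original report): pre-build check that every
# secret id a Dockerfile mounts is supplied by a matching --secret value.

# Print the ids requested by RUN --mount=type=secret,id=... (any option order).
# Mounts without an explicit id= are skipped.
dockerfile_secret_ids() {
    grep -o -e '--mount=[^[:space:]]*' "$1" \
        | grep 'type=secret' \
        | sed -n 's/.*[=,]id=\([^,]*\).*/\1/p' \
        | sort -u
}

# check_build_secrets DOCKERFILE [SECRET_SPEC...]
# SECRET_SPEC is the value given to --secret, e.g. id=api_key,src=api_key.txt
# Returns 1 and names each id the build would fail to find.
check_build_secrets() {
    dockerfile=$1; shift
    supplied=$(for spec in "$@"; do printf ',%s\n' "$spec"; done \
        | sed -n 's/.*,id=\([^,]*\).*/\1/p')
    status=0
    head -n 1 "$dockerfile" | grep -q '^# *syntax=' \
        || echo "warn: no '# syntax=' directive on line 1" >&2
    for id in $(dockerfile_secret_ids "$dockerfile"); do
        if ! printf '%s\n' "$supplied" | grep -qxF -e "$id"; then
            echo "missing: --secret id=$id,src=<file>"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample Dockerfile matching the report's scenario.
demo_dir=$(mktemp -d)
cat > "$demo_dir/Dockerfile" <<'EOF'
# syntax=docker/dockerfile:1
FROM alpine
RUN --mount=type=secret,id=api_key cat /run/secrets/api_key >/dev/null
EOF

# No --secret passed (the plain `docker build` case from the report).
check_build_secrets "$demo_dir/Dockerfile" || true
# Id typo: "apikey" does not match "api_key".
check_build_secrets "$demo_dir/Dockerfile" id=apikey,src=api_key.txt || true
# Matching id.
check_build_secrets "$demo_dir/Dockerfile" id=api_key,src=api_key.txt && echo "ok"
```

The first two calls print `missing: --secret id=api_key,src=<file>`; only the last one passes.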
Lifecycle
2026-07-02T04:42:15.690829+00:00 — report_created — created