mirror/docker-docs
1
0
Fork 0
mirror of https://github.com/docker/docs.git synced 2026-06-19 07:35:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs(sandboxes): document multiple --host patterns for custom secrets

Browse Source 
sbx secret set-custom --host is now repeatable, so one secret entry can
cover multiple domains. Added a second example showing the multi-host
form and updated the prose to reflect that the proxy matches any of the
configured hosts.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
David Karlsson
2026-06-11 13:53:28 +02:00
parent a5fd2021c7
commit bd25cced99
1 changed files with 15 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
content/manuals/ai/sandboxes/security/credentials.md
+15 -3
View File
@@ -209,7 +209,7 @@ network policy. For details, see
For credentials that don't fit the service-identifier model — for example,
when an agent validates the environment variable format at boot, or when the
credential lands in a request body rather than a header — use
`sbx secret set-custom`. The secret is keyed on a target domain, an
`sbx secret set-custom`. The secret is keyed on one or more target domains, an
environment variable name, and an optional placeholder string, instead of a
service identifier.
@@ -220,6 +220,18 @@ $ sbx secret set-custom -g \
--value <secret>
```
Repeat `--host` to cover multiple domains with the same secret — useful when
an API is split across related hostnames or when two unrelated endpoints share
a credential:
```console
$ sbx secret set-custom -g \
--host api.example.com \
--host uploads.example.com \
--env API_KEY \
--value <secret>
```
> [!WARNING]
> Passing the secret as `--value <secret>` records it in your shell history
> and exposes it to other processes running as your user. Avoid pasting
@@ -228,8 +240,8 @@ $ sbx secret set-custom -g \
> on the command line.
Inside the sandbox, `API_KEY` is set to a generated placeholder (for example,
`sbx-cs-<rand>`). When a sandboxed process sends a request to
`api.example.com` and the placeholder appears anywhere in the request, the
`sbx-cs-<rand>`). When a sandboxed process sends a request to any of the
configured hosts and the placeholder appears anywhere in the request, the
proxy replaces it with the real value. The agent never sees the real secret.
Prefer the [service-based flow](#stored-secrets) whenever it's an option —