Docker Container Environment Variable Not Injected from Pulumi Config (envs argument) #1468

@markusbaettig

Describe what happened

Pulumi Docker Provider Bug Report: Environment Variable Not Injected

Title

Docker Container Environment Variable Not Injected from Pulumi Config (envs argument)

Environment

  • Pulumi Version: (e.g. 3.x.x)
  • Pulumi Docker Provider Version: (e.g. 4.x.x)
  • OS: Windows 11 (with WSL2, if applicable)
  • Project Language: Python
  • Docker Version: (e.g. 24.x)
  • Stack: (e.g. dev)
  • Relevant Pulumi config file: Pulumi.qpc.yaml

Description

When deploying a Docker container with the Pulumi Docker provider and setting an environment variable via the envs argument (using a value from pulumi.Config), the environment variable is always empty inside the running container, even though the value is present in Pulumi config and the code.

Steps to Reproduce

  1. Pulumi config file (Pulumi.qpc.yaml):

    config:
      jarvis:OPENAI_API_KEY: sk-xxxxxxx
  2. Pulumi Python code:

    import pulumi
    import pulumi_docker as docker
    
    def create_stack():
        openai_api_key = pulumi.Config('jarvis').require('OPENAI_API_KEY')
        container = docker.Container(
            "test-container",
            image="alpine:latest",
            name="test-container",
            envs=[
                f"OPENAI_API_KEY={openai_api_key}",
                "FOO=bar"
            ],
            # ... other args ...
        )
  3. Run:

    pulumi up --yes
    docker exec -it test-container printenv | grep OPENAI_API_KEY
    
  4. Observed result:

    OPENAI_API_KEY=
    

    (Should be the value from config, but is always empty.)

Expected Behavior

The environment variable OPENAI_API_KEY should be set inside the container with the value from Pulumi config.

Actual Behavior

The environment variable is present but always empty inside the container, regardless of whether it is hardcoded or injected via Pulumi config.

Additional Info

  • This happens even if the variable is hardcoded in the envs list.
  • Other environment variables (e.g., FOO=bar) are set correctly.
  • The issue persists across stack refresh, container recreation, and Pulumi CLI upgrades.
  • No errors are reported by Pulumi or Docker.

Minimal Reproducible Example

Please see code and config above.

Screenshots/Logs

(Attach relevant logs or screenshots if possible.)

Workarounds Tried

  • Hardcoding the value in envs (no effect)
  • Moving the variable to the top of the list (no effect)
  • Using both plaintext and secret config values (no effect)
  • Recreating the container and stack (no effect)

Impact

This blocks the use of secrets and API keys in Docker containers managed by Pulumi.


Thank you for your help!

Sample program

  1. Pulumi config file (Pulumi.qpc.yaml):

    config:
      jarvis:OPENAI_API_KEY: sk-xxxxxxx
  2. Pulumi Python code:

    import pulumi
    import pulumi_docker as docker
    
    def create_stack():
        openai_api_key = pulumi.Config('jarvis').require('OPENAI_API_KEY')
        container = docker.Container(
            "test-container",
            image="alpine:latest",
            name="test-container",
            envs=[
                f"OPENAI_API_KEY={openai_api_key}",
                "FOO=bar"
            ],
            # ... other args ...
        )

Log output

```
pulumi up --yes
docker exec -it test-container printenv | grep OPENAI_API_KEY
```
Observed result:

    OPENAI_API_KEY=

(Should be the value from config, but is always empty.)

Affected Resource(s)

  • Pulumi Version: (e.g. 3.x.x)
  • Pulumi Docker Provider Version: (e.g. 4.x.x)
  • OS: Windows 11 (with WSL2, if applicable)
  • Project Language: Python
  • Docker Version: (e.g. 24.x)
  • Stack: (e.g. dev)
  • Relevant Pulumi config file: Pulumi.qpc.yaml

Output of pulumi about

Enter your passphrase to unlock config/secrets
CLI
Version 3.175.0
Go Version go1.24.3
Go Compiler gc

Plugins
KIND NAME VERSION
resource command 1.1.0
resource docker 4.7.0
language python 3.175.0

Host
OS Microsoft Windows 11 Pro
Version 10.0.26100 Build 26100
Arch x86_64

This project is written in python: executable='C:\Users\marku\scoop\apps\python\current\python.exe' version='3.13.5'

Current Stack: organization/ki-infra/minimal-test

TYPE URN
pulumi:pulumi:Stack urn:pulumi:minimal-test::ki-infra::pulumi:pulumi:Stack::ki-infra-minimal-test
pulumi:providers:docker urn:pulumi:minimal-test::ki-infra::pulumi:providers:docker::default_4_7_0
docker:index/volume:Volume urn:pulumi:minimal-test::ki-infra::docker:index/volume:Volume::duckdb-data
docker:index/volume:Volume urn:pulumi:minimal-test::ki-infra::docker:index/volume:Volume::openwebui-data
docker:index/volume:Volume urn:pulumi:minimal-test::ki-infra::docker:index/volume:Volume::traefik-certificates-volume
docker:index/volume:Volume urn:pulumi:minimal-test::ki-infra::docker:index/volume:Volume::ollama-data
docker:index/volume:Volume urn:pulumi:minimal-test::ki-infra::docker:index/volume:Volume::chromadb-data
pulumi:providers:command urn:pulumi:minimal-test::ki-infra::pulumi:providers:command::default_1_1_0
command:local:Command urn:pulumi:minimal-test::ki-infra::command:local:Command::build-datalake-prefect-image
command:local:Command urn:pulumi:minimal-test::ki-infra::command:local:Command::build-datalake-jupyter-image
docker:index/volume:Volume urn:pulumi:minimal-test::ki-infra::docker:index/volume:Volume::datalake-data
command:local:Command urn:pulumi:minimal-test::ki-infra::command:local:Command::mkdir-monitoring-prometheus-.-services-monitoring-docker
command:local:Command urn:pulumi:minimal-test::ki-infra::command:local:Command::build-monitoring-grafana-image
command:local:Command urn:pulumi:minimal-test::ki-infra::command:local:Command::mkdir-config-loki
command:local:Command urn:pulumi:minimal-test::ki-infra::command:local:Command::build-monitoring-loki-image
docker:index/volume:Volume urn:pulumi:minimal-test::ki-infra::docker:index/volume:Volume::prometheus-volume
docker:index/volume:Volume urn:pulumi:minimal-test::ki-infra::docker:index/volume:Volume::grafana-volume
docker:index/volume:Volume urn:pulumi:minimal-test::ki-infra::docker:index/volume:Volume::loki-volume
command:local:Command urn:pulumi:minimal-test::ki-infra::command:local:Command::mkdir-config-llmorchestration
docker:index/volume:Volume urn:pulumi:minimal-test::ki-infra::docker:index/volume:Volume::ollama-volume
docker:index/volume:Volume urn:pulumi:minimal-test::ki-infra::docker:index/volume:Volume::litellm-volume
command:local:Command urn:pulumi:minimal-test::ki-infra::command:local:Command::build-datalake-duckdb-image
command:local:Command urn:pulumi:minimal-test::ki-infra::command:local:Command::build-frontend-openwebui-image
docker:index/volume:Volume urn:pulumi:minimal-test::ki-infra::docker:index/volume:Volume::openwebui-volume
docker:index/volume:Volume urn:pulumi:minimal-test::ki-infra::docker:index/volume:Volume::chromadb-volume
command:local:Command urn:pulumi:minimal-test::ki-infra::command:local:Command::build-neurosearch-chromadb-image
command:local:Command urn:pulumi:minimal-test::ki-infra::command:local:Command::run-network-unifier
command:local:Command urn:pulumi:minimal-test::ki-infra::command:local:Command::install-docker-sdk
command:local:Command urn:pulumi:minimal-test::ki-infra::command:local:Command::copy-config-monitoring-prometheus-.-services-monitoring-config-prometheus.yml
command:local:Command urn:pulumi:minimal-test::ki-infra::command:local:Command::copy-config-llmorchestration
command:local:Command urn:pulumi:minimal-test::ki-infra::command:local:Command::copy-config-loki
command:local:Command urn:pulumi:minimal-test::ki-infra::command:local:Command::build-monitoring-prometheus-image
docker:index/network:Network urn:pulumi:minimal-test::ki-infra::docker:index/network:Network::jarvis-network
docker:index/container:Container urn:pulumi:minimal-test::ki-infra::docker:index/container:Container::monitoring-prometheus
docker:index/container:Container urn:pulumi:minimal-test::ki-infra::docker:index/container:Container::monitoring-grafana
docker:index/container:Container urn:pulumi:minimal-test::ki-infra::docker:index/container:Container::reflector-traefik
docker:index/container:Container urn:pulumi:minimal-test::ki-infra::docker:index/container:Container::datalake-duckdb
docker:index/container:Container urn:pulumi:minimal-test::ki-infra::docker:index/container:Container::llmorchestration-litellm
docker:index/container:Container urn:pulumi:minimal-test::ki-infra::docker:index/container:Container::datalake-jupyter
docker:index/container:Container urn:pulumi:minimal-test::ki-infra::docker:index/container:Container::llm-ollama
docker:index/container:Container urn:pulumi:minimal-test::ki-infra::docker:index/container:Container::datalake-prefect
docker:index/container:Container urn:pulumi:minimal-test::ki-infra::docker:index/container:Container::frontend-openwebui
command:local:Command urn:pulumi:minimal-test::ki-infra::command:local:Command::copy-prometheus-config
command:local:Command urn:pulumi:minimal-test::ki-infra::command:local:Command::restart-prometheus
docker:index/container:Container urn:pulumi:minimal-test::ki-infra::docker:index/container:Container::test-nginx

Found no pending operations associated with minimal-test

Backend
Name qpc
URL file://~
User QPC\marku
Organizations
Token type personal

Dependencies:
NAME VERSION
docker 7.1.0
librosa 0.11.0
openai-whisper 20240930
pillow 11.0.0
psutil 7.0.0
pulumi_command 1.1.0
pulumi_docker 4.7.0
py3nvml 0.2.7
pydub 0.25.1

Pulumi locates its logs in C:\Users\marku\AppData\Local\Temp by default

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
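
An added example, not part of the original report or of the Pulumi Docker provider: a check that reads the environment recorded in the container definition (the `Config.Env` list in `docker inspect` output) and classifies each expected variable as missing, empty, mismatched or ok. It reports only short hash prefixes, so the result can be attached to an issue without exposing the API key. The function names, the sample JSON and the key value are assumptions constructed for illustration.

```python
import hashlib
import json

# Constructed sample of `docker inspect test-container` output, reduced to the
# fields read below. All values are made up for this example.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/test-container",
    "Config": {"Env": ["OPENAI_API_KEY=", "FOO=bar", "PATH=/usr/bin:/bin"]},
}])


def fingerprint(value):
    """Return a short SHA-256 prefix so values can be compared without printing them."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]


def audit_env(inspect_json, expected):
    """Compare the configured environment with the values meant for `envs`.
    Returns a status and fingerprints per variable, never a value."""
    containers = json.loads(inspect_json)
    if not containers:
        raise ValueError("docker inspect returned no container")
    actual = {}
    for entry in containers[0]["Config"].get("Env") or []:
        # Split on the first '=' only; a value may itself contain '='.
        name, _, value = entry.partition("=")
        actual[name] = value
    report = {}
    for name, want in expected.items():
        if name not in actual:
            status = "missing"    # never reached the container definition
        elif actual[name] == "":
            status = "empty"      # defined, but with an empty value
        elif actual[name] == want:
            status = "ok"
        else:
            status = "mismatch"
        got = actual.get(name)
        report[name] = {
            "status": status,
            "expected_fp": fingerprint(want),
            "actual_fp": fingerprint(got) if got else None,
        }
    return report


if __name__ == "__main__":
    print(audit_env(SAMPLE_INSPECT, {"OPENAI_API_KEY": "sk-constructed", "FOO": "bar"}))
```

Against a real deployment, pass the output of `docker inspect test-container` as the first argument in place of the constructed sample.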

Labels: needs-repro (Needs repro steps before it can be triaged or fixed)