I have a base docker image which is used to run image analysis software. For each container created from an image, there is a set of configuration options, some of which are secrets (encryption keys, client information, etc.) that are used by the software to analyze and distribute the processed images. 

How can I securely pass these secrets to the container?

You have 3 ways to get application secrets inside a docker container. The first 2 are related to setting up docker. The last thing is that your apps should directly get the secrets from the secret store.

1 – environment variables

According to the “12 Factor App” guide , secrets are just configuration and should always be set in the environment. You can set your secrets as environment variables during docker startup and your application will access them from there.

2 – Installed volumes

You can store all your secrets in a specific config/secrets file and then mount them to your instance as a mounted volume .

3 – selection from a secret store

You can use Hashicorp Vault (or “Amazon Secrets Manager” or any other similar service).
Your application or additional application can directly obtain the secrets it needs without having to configure a Docker container. This method will allow you to use dynamically generated secrets (a very attractive feature of such systems) and not have to worry about secrets that can be viewed from the file system or inspected by env variables of the docker container.

Personal opinion

I believe env variables are the way to go. It’s easier to manage and you can still pull from a secret vault like Hashicorp Vault if you have a CI build system, pull the secrets at build time and install them on deployment. You get the best of both worlds and the added benefit of your developers not having to write application code to extract secrets.