[Config Support]: Docker secrets do not work

[ptr727]

Describe the problem you are having

Hi, new user, setting up config, standard practice using docker secrets, but they do not seem to work.

I found a previous discussion where it was indicated that support for secrets was added.

Docs state only vars as documented can be used in config.

In my testing I found that using docker secrets for FRIGATE_ vars do not work as expected, i.e. go2rtc complains about missing config, and RTSP connects fail.

If instead of docker secrets I hard code the FRIGATE_ vars in docker compose, things work as expected.

Am I using docker secrets wrong, are they not supported, or maybe broken?

Version

0.15-1

Frigate config file

# https://docs.frigate.video/configuration/reference/

# TODO: Is there a way to use substitutions other than documented FRIGATE_ for e.g. email and camera auth?
# https://github.com/blakeblackshear/frigate/discussions/17346

version: 0.15-1

auth:
  reset_admin_password: false

mqtt:
  enabled: true
  host: mosquitto.home.insanegenius.net
  # user: {FRIGATE_MQTT_USER}
  # password: {FRIGATE_MQTT_PASSWORD}

cameras:
  garage:
    enabled: true
    ffmpeg:
      inputs:
        - path: rtsp://{FRIGATE_RTSP_USER}:{FRIGATE_RTSP_PASSWORD}@192.168.1.24:554/axis-media/media.amp?streamprofile=detect
          roles:
            - detect
        - path: rtsp://127.0.0.1:8554/garage
          input_args: preset-rtsp-restream
          roles:
            - record
    detect:
      enabled: true
    record:
      enabled: true
  driveway:
    enabled: true
    ffmpeg:
      inputs:
        - path: rtsp://{FRIGATE_RTSP_USER}:{FRIGATE_RTSP_PASSWORD}@192.168.1.5:554/axis-media/media.amp?streamprofile=detect
          roles:
            - detect
        - path: rtsp://127.0.0.1:8554/driveway
          input_args: preset-rtsp-restream
          roles:
            - record
    detect:
      enabled: true
    record:
      enabled: true
  backyard:
    enabled: true
    ffmpeg:
      inputs:
        - path: rtsp://{FRIGATE_RTSP_USER}:{FRIGATE_RTSP_PASSWORD}@192.168.1.31:554/axis-media/media.amp?streamprofile=detect
          roles:
            - detect
        - path: rtsp://127.0.0.1:8554/backyard
          input_args: preset-rtsp-restream
          roles:
            - record
    detect:
      enabled: true
    record:
      enabled: true
  frontdoor:
    enabled: true
    ffmpeg:
      inputs:
        - path: rtsp://{FRIGATE_RTSP_USER}:{FRIGATE_RTSP_PASSWORD}@192.168.1.4:554/axis-media/media.amp?streamprofile=detect
          roles:
            - detect
            - audio
        - path: rtsp://127.0.0.1:8554/frontdoor
          input_args: preset-rtsp-restream
          roles:
            - record
    audio:
      enabled: true
    detect:
      enabled: true
    record:
      enabled: true
  musicroom:
    enabled: true
    ffmpeg:
      inputs:
        - path: rtsp://{FRIGATE_RTSP_USER}:{FRIGATE_RTSP_PASSWORD}@192.168.1.13:554/axis-media/media.amp?streamprofile=detect
          roles:
            - detect
            - audio
        - path: rtsp://127.0.0.1:8554/musicroom
          input_args: preset-rtsp-restream
          roles:
            - record
    audio:
      enabled: false
    detect:
      enabled: true
    record:
      enabled: true
  livingroom:
    enabled: true
    ffmpeg:
      inputs:
        - path: rtsp://{FRIGATE_RTSP_USER}:{FRIGATE_RTSP_PASSWORD}@192.168.1.23:554/axis-media/media.amp?streamprofile=detect
          roles:
            - detect
            - audio
        - path: rtsp://127.0.0.1:8554/livingroom
          input_args: preset-rtsp-restream
          roles:
            - record
    audio:
      enabled: false
    detect:
      enabled: true
    record:
      enabled: true
  frontsteps:
    enabled: true
    ffmpeg:
      inputs:
        - path: rtsp://{FRIGATE_RTSP_USER}:{FRIGATE_RTSP_PASSWORD}@192.168.1.25:554/axis-media/media.amp?streamprofile=detect
          roles:
            - detect
            - audio
        - path: rtsp://127.0.0.1:8554/frontsteps
          input_args: preset-rtsp-restream
          roles:
            - record
    audio:
      enabled: false
    detect:
      enabled: true
    record:
      enabled: true

go2rtc:
  rtsp:
    username: "{FRIGATE_GO2RTC_RTSP_USERNAME}"
    password: "{FRIGATE_GO2RTC_RTSP_PASSWORD}"
  streams:
    garage:
      - rtsp://{FRIGATE_RTSP_USER}:{FRIGATE_RTSP_PASSWORD}@192.168.1.24:554/axis-media/media.amp?streamprofile=record
    driveway:
      - rtsp://{FRIGATE_RTSP_USER}:{FRIGATE_RTSP_PASSWORD}@192.168.1.5:554/axis-media/media.amp?streamprofile=record
    backyard:
      - rtsp://{FRIGATE_RTSP_USER}:{FRIGATE_RTSP_PASSWORD}@192.168.1.31:554/axis-media/media.amp?streamprofile=record
    frontdoor:
      - rtsp://{FRIGATE_RTSP_USER}:{FRIGATE_RTSP_PASSWORD}@192.168.1.4:554/axis-media/media.amp?streamprofile=record
    musicroom:
      - rtsp://{FRIGATE_RTSP_USER}:{FRIGATE_RTSP_PASSWORD}@192.168.1.13:554/axis-media/media.amp?streamprofile=record
    livingroom:
      - rtsp://{FRIGATE_RTSP_USER}:{FRIGATE_RTSP_PASSWORD}@192.168.1.23:554/axis-media/media.amp?streamprofile=record
    frontsteps:
      - rtsp://{FRIGATE_RTSP_USER}:{FRIGATE_RTSP_PASSWORD}@192.168.1.25:554/axis-media/media.amp?streamprofile=record

#genai:
#  api_key: "{FRIGATE_GENAI_API_KEY}"

birdseye:
  enabled: true
  restream: true

record:
  enabled: true
  alerts:
    retain:
      days: 90
  detections:
    retain:
      days: 90

notifications:
  enabled: true
  email: [email protected]

Relevant Frigate log output

2025-06-09 19:24:28.605325458  [2025-06-09 12:24:28] ffmpeg.frontdoor.audio         ERROR   : [tcp @ 0x5ddcde164200] Port missing in uri
2025-06-09 19:24:28.605346810  [2025-06-09 12:24:28] ffmpeg.frontdoor.audio         ERROR   : [in#0 @ 0x5ddcde162d40] Error opening input: Invalid argument
2025-06-09 19:24:28.605367612  [2025-06-09 12:24:28] ffmpeg.frontdoor.audio         ERROR   : Error opening input file rtsp://*:*@192.168.1.4:554/axis-media/media.amp?streamprofile=detect.
2025-06-09 19:24:28.605385138  [2025-06-09 12:24:28] ffmpeg.frontdoor.audio         ERROR   : Error opening input files: Invalid argument

Relevant go2rtc log output

na

Frigate stats

No response

Operating system

Debian

Install method

Docker Compose

docker-compose file or Docker CLI command

networks:

  public_network:
    name: ${PUBLIC_NETWORK_NAME}
    external: true

  local_network:
    name: ${LOCAL_NETWORK_NAME}
    external: true

secrets:

   frigate_rtsp_password:
     file: ${SECRETS_DIR}/frigate_rtsp_password.txt


services:

  # https://docs.frigate.video/frigate/installation
  # https://github.com/blakeblackshear/frigate
  frigate:
    image: ghcr.io/blakeblackshear/frigate:stable # stable-h8l
    container_name: frigate
    hostname: frigate
    domainname: ${DOMAIN_NAME}
    restart: unless-stopped
    user: root
    shm_size: 2g
    #devices:
    # https://coral.ai/software/#debian-packages
    # https://github.com/google/gasket-driver
    #  - /dev/apex_0
    #  - /dev/apex_1
    # https://github.com/hailo-ai/hailort-drivers
    # https://github.com/blakeblackshear/frigate/blob/dev/docker/hailo8l/user_installation.sh
    #  - /dev/hailo0
    environment:
      - TZ=${TZ}
      - FRIGATE_RTSP_USER=viewer
      - FRIGATE_RTSP_PASSWORD=Password1 #/run/secrets/frigate_rtsp_password
      - FRIGATE_GO2RTC_RTSP_USERNAME=viewer
      - FRIGATE_GO2RTC_RTSP_PASSWORD=Password1 #/run/secrets/frigate_rtsp_password
    volumes:
      - ${APPDATA_DIR}/frigate/config:/config
      - ${APPDATA_DIR}/frigate/data:/media/frigate
      - type: tmpfs
        target: /tmp/cache
        tmpfs:
          size: 2g
    #ports:
    #  - 5000:5000 # Unauthenticated
    #  - 8971:8971 # Authenticated
    #  - 8554:8554 # RTSP feeds
    #  - 8555:8555/tcp # WebRTC over tcp
    #  - 8555:8555/udp # WebRTC over udp
    networks:
      public_network:
        ipv4_address: ${FRIGATE_IP}
        mac_address: ${FRIGATE_MAC}
      local_network:
    labels:
      - traefik.enable=true
      - traefik.http.routers.frigate.rule=HostRegexp(`^frigate${DOMAIN_REGEX}$$`)
      - traefik.http.services.frigate.loadbalancer.server.scheme=https
      - traefik.http.services.frigate.loadbalancer.server.port=8971
    secrets:
       - frigate_rtsp_password

Object Detector

CPU (no coral)

Screenshots of the Frigate UI's System metrics pages

No response

Any other information that may be helpful

No response

[NickM-27]

The docker secret file has to be capitalized, it is definitely working as the implementation has not changed since it was implemented.

You can get a shell in the container and run this python to match what should be seen

from pathlib import Path

if os.path.isdir("/run/secrets"):
    for secret_file in os.listdir("/run/secrets"):
        if secret_file.startswith("FRIGATE_"):
            print(f"found secret as {secret_file} with value {Path(os.path.join("/run/secrets", secret_file)).read_text()

[ptr727]

I don't think I understand how this implementation is supposed to work?

In my experience docker secrets as environment variables will point to a file instead of a value, so implementers check if the value is a file, and if the value is a file use the contents of the file as value, else use the value as is.
Or another common pattern is the use of _FILE for variables, e.g. FRIGATE_RTSP_PASSWORD=value or FRIGATE_RTSP_PASSWORD_FILE=file_containing_value.

This code looks like it is looking for secret files for each variable matching the variable name?
Can you point to a working compose example file where this is used?

E.g. something like?

secrets:
   frigate_rtsp_password:
     file: ${SECRETS_DIR}/FRIGATE_RTSP_PASSWORD

Or

secrets:
   FRIGATE_RTSP_PASSWORD:
     file: ${SECRETS_DIR}/frigate_rtsp_password.txt

[NickM-27]

This is generally all done with docker, so you would run printf "my super secret password" | docker secret create FRIGATE_RTSP_PASSWORD - and then that variable would be available to you in the container

[ptr727]

I see, so these are treated like native docker CLI secrets, not environment variables per se, they just have the same name as the environment variables, got it.

I tested:

secrets:
  FRIGATE_RTSP_PASSWORD:
     file: ${SECRETS_DIR}/frigate_rtsp_password.txt
  FRIGATE_GO2RTC_RTSP_PASSWORD:
     file: ${SECRETS_DIR}/frigate_go2rtc_rtsp_password.txt

services:
  frigate:
    environment:
      - TZ=${TZ}
      - FRIGATE_RTSP_USER=viewer
      # /run/secrets/FRIGATE_RTSP_PASSWORD
      - FRIGATE_GO2RTC_RTSP_USERNAME=viewer
      # /run/secrets/FRIGATE_GO2RTC_RTSP_PASSWORD
    secrets:
       - FRIGATE_RTSP_PASSWORD
       - FRIGATE_GO2RTC_RTSP_PASSWORD

And it works, well, mostly.

go2rtc:
  rtsp:
    username: {FRIGATE_GO2RTC_RTSP_USERNAME}
    password: {FRIGATE_GO2RTC_RTSP_PASSWORD}

Results in:

2025-06-09 20:19:35.471816680  [INFO] Preparing new go2rtc config...
Traceback (most recent call last):
  File "/usr/local/go2rtc/create_config.py", line 103, in <module>
    go2rtc_config["rtsp"]["username"] = go2rtc_config["rtsp"]["username"].format(
AttributeError: 'CommentedMap' object has no attribute 'format'
2025-06-09 20:19:35.706191761  [INFO] The go2rtc service exited with code 1 (by signal 0)

Have to quote naked environment variables, yet when in a string they seem to work.

Works:

go2rtc:
  rtsp:
    username: "{FRIGATE_GO2RTC_RTSP_USERNAME}"
    password: "{FRIGATE_GO2RTC_RTSP_PASSWORD}"