Unhandled exception. System.UnauthorizedAccessException: Access to the path '/run/secrets/chargeampguard__uri' is denied #7

Closed
AnderssonPeter opened this issue Jan 8, 2024 · 2 comments

Comments

@AnderssonPeter

Hi, I'm trying to use your NuGet, but I get an UnauthorizedAccessException when I start my container.
I'm using normal Docker (no Swarm or Kubernetes).

version: "3.8"

secrets:
  chargeampguard__uri:
    file: ./guard-relay/secrets/chargeampguard_uri.secret
  chargeampguard__pin:
    file: ./guard-relay/secrets/chargeampguard_pin.secret

services:
  guard-relay:
    container_name: guard-relay
    image: "ghcr.io/anderssonpeter/guardrelay:${GUARDRELAY_VERSION}"
    environment:
      - Application__Application=/config/GuardRelay.sqlite
      - MQTT__Connection__Server=mosquitto
    secrets:
      - chargeampguard__uri
      - chargeampguard__pin
    volumes:
      - ./guard-relay/config:/config

Exception:

Unhandled exception. System.UnauthorizedAccessException: Access to the path '/run/secrets/chargeampguard__uri' is denied.
 ---> System.IO.IOException: Permission denied
   --- End of inner exception stack trace ---
   at Interop.ThrowExceptionForIoErrno(ErrorInfo errorInfo, String path, Boolean isDirError)
   at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String path, OpenFlags flags, Int32 mode, Boolean failForSymlink, Boolean& wasSymlink, Func`4 createOpenException)
   at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String fullPath, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, UnixFileMode openPermissions, Int64& fileLength, UnixFileMode& filePermissions, Boolean failForSymlink, Boolean& wasSymlink, Func`4 createOpenException)
   at System.IO.Strategies.OSFileStreamStrategy..ctor(String path, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, Nullable`1 unixCreateMode)
   at System.IO.File.OpenRead(String path)
   at System.IO.Abstractions.FileWrapper.OpenRead(String path)
   at Mcrio.Configuration.Provider.Docker.Secrets.DockerSecretsConfigurationProvider.ProcessFile(String secretFilePath)
   at Mcrio.Configuration.Provider.Docker.Secrets.DockerSecretsConfigurationProvider.Load()
   at Microsoft.Extensions.Configuration.ConfigurationManager.AddSource(IConfigurationSource source)
   at Microsoft.Extensions.Configuration.ConfigurationManager.ConfigurationSources.Add(IConfigurationSource source)
   at Microsoft.Extensions.Configuration.ConfigurationManager.Microsoft.Extensions.Configuration.IConfigurationBuilder.Add(IConfigurationSource source)
   at Mcrio.Configuration.Provider.Docker.Secrets.DockerSecretsConfigurationExtension.AddDockerSecrets(IConfigurationBuilder configurationBuilder, String secretsDirectoryPath, String colonPlaceholder, ICollection`1 allowedPrefixes)
   at Program.<Main>$(String[] args) in /src/GuardRelay/Program.cs:line 16
   at Program.<Main>(String[] args)

Do you have any idea why?

@AnderssonPeter

After some tinkering I managed to exec into my container. If I run ls -lah inside the /run/secrets directory I get the following:

total 24K
drwxr-xr-x  2 root root 4.0K Jan  8 20:11 .
drwxr-xr-x  1 root root 4.0K Jan  8 20:11 ..
-r--rwx---+ 1 root root    8 Jan  8 19:17 chargeampguard__pin
-r--rwx---+ 1 root root   22 Jan  8 19:17 chargeampguard__uri

If I run whoami inside the container I get app; guessing that user does not have read permission on the secrets.

@AnderssonPeter

After I gave the app user access to the file on the host it worked as expected.
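
The listing in this thread shows both secrets as r--rwx--- owned by root:root while the process runs as app. As an added example (not part of the issue or of the library it concerns), the shell functions below work out which permission class applies to a process and whether it grants read, so a container entrypoint can report an unreadable secret before the application throws. The function names and the uid 1654 used in the comments are assumptions made for illustration, `stat -c` assumes GNU coreutils, and POSIX ACLs (the "+" in the listing) are not evaluated.

```shell
#!/bin/sh
# Added example: explain why a process cannot read a Docker secret file.
# Only the classic mode bits are evaluated, not POSIX ACLs.

# perm_class_can_read MODE FILE_UID FILE_GID PROC_UID "PROC_GIDS"
# Prints the permission class that applies (root, owner, group or other).
# Returns 0 if that class has the read bit, 1 otherwise.
# Constructed sample: perm_class_can_read 470 0 0 1654 "1654" prints "other".
perm_class_can_read() {
    m=$(( 0$1 & 0777 ))                  # octal mode as printed by stat -c %a
    class=other bit=$(( m & 0004 ))
    for g in $5; do                      # any matching group id selects "group"
        if [ "$g" -eq "$3" ]; then class=group bit=$(( m & 0040 )); fi
    done
    # The owner class wins over group, even when it grants less.
    if [ "$4" -eq "$2" ]; then class=owner bit=$(( m & 0400 )); fi
    # uid 0 normally bypasses the mode bits altogether.
    if [ "$4" -eq 0 ]; then class=root bit=1; fi
    echo "$class"
    if [ "$bit" -ne 0 ]; then return 0; else return 1; fi
}

# check_secrets_dir DIR
# Reports every regular file in DIR that the current user cannot read.
# Returns 1 if at least one file is unreadable.
check_secrets_dir() {
    dir=$1 failed=0
    for f in "$dir"/*; do
        if [ ! -f "$f" ]; then continue; fi
        mode=$(stat -c %a "$f"); fuid=$(stat -c %u "$f"); fgid=$(stat -c %g "$f")
        if ! class=$(perm_class_can_read "$mode" "$fuid" "$fgid" "$(id -u)" "$(id -G)"); then
            echo "cannot read $f: mode $mode, owner $fuid:$fgid, '$class' bits apply to uid $(id -u)" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Run the check only when a directory is passed, e.g. sh check.sh /run/secrets
if [ -n "${1:-}" ]; then check_secrets_dir "$1"; fi
```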
