> ## Documentation Index
> Fetch the complete documentation index at: https://infisical-devin-1781641701-docs-github-pat-fine-grained.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Docker Run

> Learn how to pass secrets to your docker container at run time.

This method allows you to feed secrets from Infisical into your container using the `--env-file` flag of `docker run` command.
Rather than giving the flag a file path to your env file, you'll use the Infisical CLI to create a virtual file path.

For this method to function as expected, you must have a bash shell (for processing substitution) and the [Infisical CLI](../../cli/overview) installed in the environment where you will be running the `docker run` command.

## 1. Authentication

If you are already logged in via the CLI you can skip this step. Otherwise, head to your organization settings in Infisical Cloud to create a [Machine Identity](../../documentation/platform/identities/machine-identities). The machine identity will allow you to authenticate and fetch secrets from Infisical.
Once you have created a machine identity with the required permissions, you'll need to feed the token to the CLI.

<Info>
  Please note that we highly recommend using `infisical login` for local development.
</Info>

#### Pass as flag

You may use the --token flag to set the token

```bash theme={null}
infisical export --token=<>
```

#### Pass via shell environment variable

The CLI is configured to look for an environment variable named `INFISICAL_TOKEN`. If set, it'll attempt to use it for authentication.

```bash theme={null}
export INFISICAL_TOKEN=<>
```

You can use the `infisical login --method=universal-auth` command to directly obtain a universal auth access token and set it as an environment variable.

```bash theme={null}
  export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=<your-client-id> --client-secret=<your-client-secret> --silent --plain)
```

<Warning>
  In production scenarios, please to avoid using the `infisical login` command and instead use a [machine identity](../../documentation/platform/identities/machine-identities).
</Warning>

## 2. Run your docker command with Infisical

Next, use the --env-file flag of the `docker run` command with Infisical CLI to point to your secrets.
Under the hood, this command will fetch secrets from Infisical and serve them as a file to the `--env-file` flag.

```bash theme={null}
# In this example, executing a docker run command will initiate an empty Alpine container and display the environment variables passed to it by Infisical.
docker run --rm --env-file <(infisical export --format=dotenv) alpine printenv
```

To view all options of the `export` command, click [here](../../cli/commands/export)

<Warning>
  When using the --env-file option, Docker does not have the capability to support secrets that span multiple lines.
</Warning>
