I managed to set up the LE DNS challenge using AzureDNS. However, I'd like to make use of the _FILE-suffix values to prevent secrets from being visible in docker's ENV properties.
I assume if I use _FILE I don't need to use the regular parameters and that these files need to be accessible by Traefik (i.e. if it's a docker-based setup then I need to map the file to the container). I did all that. I even verified that the files exist in the container and confirmed the contents.
Here was my setup:
docker-compose.yml:

    services:
      traefik:
        image: "traefik:v3.1"
        container_name: "traefik"
        env_file:
          - ./azuredns/.env
        ports:
          - "80:80"
          - "443:443"
          - "8080:8080"
        volumes:
          - "/var/run/docker.sock:/var/run/docker.sock:ro"
          - "./letsencrypt/:/letsencrypt/"
          - "./traefik.yml:/etc/traefik/traefik.yml"
          - "./services/:/services/"
          - "./azuredns/:/azuredns/"
          - "/var/log/traefik/:/var/log/traefik/"

    networks:
      default:
        name: traefik-proxy
        external: true
azuredns/.env:

    AZURE_SUBSCRIPTION_ID=redacted
    AZURE_TENANT_ID=redacted
    AZURE_CLIENT_ID=redacted
    AZURE_CLIENT_SECRET_FILE=/azuredns/azuresecret
    AZURE_RESOURCE_GROUP=redacted
Finally there's the azuredns/azuresecret file with the secret itself.
Alas, when I tried to do that I'd get errors about missing AZURE_CLIENT_SECRET. Technically true - I did not provide the AZURE_CLIENT_SECRET, but rather the AZURE_CLIENT_SECRET_FILE...
ERR Unable to obtain ACME certificate for domains error="cannot get ACME client azuredns: discover DNS zones: DefaultAzureCredential: failed to acquire a token.
Attempted credentials:
EnvironmentCredential: incomplete environment variable configuration. Only AZURE_TENANT_ID and AZURE_CLIENT_ID are set
WorkloadIdentityCredential: no token file specified. Check pod configuration or set TokenFilePath in the options
ManagedIdentityCredential: managed identity timed out. See https://aka.ms/azsdk/go/identity/troubleshoot#dac for more information
AzureCLICredential: Azure CLI not found on path
AzureDeveloperCLICredential: Azure Developer CLI not found on path"
ACME CA=https://acme-staging-v02.api.letsencrypt.org/directory acmeCA=https://acme-staging-v02.api.letsencrypt.org/directory domains=["*.domain.com","domain.com"] providerName=le-staging.acme routerName=to-sup@file rule=Host(`sup.domain.com`)
Any idea what I am doing wrong?
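The _FILE convention described in the post only works for components that look up NAME_FILE as a fallback; anything that reads the plain NAME from the environment sees nothing. The error output above illustrates exactly that split: EnvironmentCredential reports that only AZURE_TENANT_ID and AZURE_CLIENT_ID are set, because those two are plain variables while the client secret exists only behind AZURE_CLIENT_SECRET_FILE. The Go program below is an added example written for this thread, not code from Traefik, lego or the Azure SDK. It implements the NAME / NAME_FILE resolution, models a reader that only consults NAME, and audits a constructed environment shaped like the post's azuredns/.env (placeholder values, a temporary secret file) so you can see which variables each kind of reader obtains before a container starts. The helper names resolveSecret, directOnly and auditSecrets are my own.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveSecret applies the NAME / NAME_FILE convention: a value set directly
// in the environment wins; otherwise NAME_FILE must name a readable file whose
// trimmed contents become the value.
func resolveSecret(name string) (string, error) {
	if v, ok := os.LookupEnv(name); ok {
		return v, nil
	}
	path, ok := os.LookupEnv(name + "_FILE")
	if !ok {
		return "", fmt.Errorf("neither %s nor %s_FILE is set", name, name)
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("reading %s_FILE (%s): %w", name, path, err)
	}
	return strings.TrimSpace(string(data)), nil
}

// directOnly models a consumer that reads os.Getenv(NAME) and knows nothing
// about the _FILE convention; it sees an empty string for file-backed values.
func directOnly(name string) string {
	return os.Getenv(name)
}

// Visibility records, for one variable, which kind of reader can obtain it.
type Visibility struct {
	Name    string
	Direct  bool // visible to a reader that only consults NAME
	ViaFile bool // obtainable by a reader that also honours NAME_FILE
}

// auditSecrets reports each required variable's visibility so a deployment can
// be checked before a component that ignores _FILE fails at startup.
func auditSecrets(names []string) []Visibility {
	out := make([]Visibility, 0, len(names))
	for _, n := range names {
		_, err := resolveSecret(n)
		out = append(out, Visibility{
			Name:    n,
			Direct:  directOnly(n) != "",
			ViaFile: err == nil,
		})
	}
	return out
}

func main() {
	// Constructed demo environment (hypothetical placeholder values): the client
	// secret exists only as a file, mirroring the post's azuredns/.env.
	dir, err := os.MkdirTemp("", "filesecret-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	secretPath := filepath.Join(dir, "azuresecret")
	if err := os.WriteFile(secretPath, []byte("placeholder-secret\n"), 0o600); err != nil {
		panic(err)
	}
	os.Setenv("AZURE_TENANT_ID", "placeholder-tenant")
	os.Setenv("AZURE_CLIENT_ID", "placeholder-client")
	os.Unsetenv("AZURE_CLIENT_SECRET")
	os.Setenv("AZURE_CLIENT_SECRET_FILE", secretPath)

	required := []string{"AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"}
	for _, v := range auditSecrets(required) {
		fmt.Printf("%-20s direct=%-5t via_file=%t\n", v.Name, v.Direct, v.ViaFile)
	}
}
```

Running it prints direct=true for the tenant and client id and direct=false, via_file=true for the client secret: the same picture the EnvironmentCredential line in the error output gives. The practical check is therefore not whether the file is mounted and readable (the post already confirms that) but whether every consumer of the variable resolves NAME_FILE; a secret that stays in a file is only hidden from the container's ENV if all readers agree on the convention.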