Accessing vault via docker swarm

I need services in a docker swarm to retrieve secrets from vault. Is there a best practice for doing this? I see a k8s auth method, but nothing for docker swarm. Perhaps add a container to the stack which runs vault-agent, and pass it approle credentials as docker secrets? Or run vault-agent on each container in the stack?


Docker doesn’t have a built in RBAC system that something like Kubernetes has, so there wouldn’t be a way to delegate authentication like you have with the k8s auth method. Assuming you aren’t able to use any of the other similar auth methods (e.g. AWS) the main fallback is approle.

How you want to structure the use of Vault is then up to you. You could use the Vault agent or you could talk to Vault directly from you application. Which option depends on things like security posture (are you happy for credentials to be on disk or only in memory?) or development effort.