This is clearly a dumb question, as I can’t find the answer, but I’m confused about HashiCorp Vault and the way you get the secrets.
Part of the idea of Vault is that you can store your secrets in there and you don’t need to stick a bunch of sensitive things in environment variables which are inspectable.
Assuming you have a Vault service running somewhere with some secrets in it, and you need to use a token to authenticate against Vault to get your secrets in your script inside your Docker container, how does the token get in there? Surely if you use an environment variable, that defeats the point, as someone could just take the token. Do you mount a volume with it in? Or something more inventive?