Authenticating Vault inside a script in your container

This is clearly a dumb question as I can’t find the answer but I’m confused about Hashicorp Vault and the way you get the secrets.

Part of the idea of Vault is that you can store your secrets in there and you don’t need to stick a bunch of sensitive things in environment variables which are inspectable.

Assuming you have a Vault service running somewhere with some secrets in it and you need to use a token to authenticate against Vault to get your secrets in your script inside your docker container, how does the token get in there? Surely if you use an environment variable, that defeats the point as someone could just take the token. Do you mount a volume with it in? Or something more inventive?

There are a variety of ways to do this… its secure introduction of a way to get a service/server/etc into Vault to get the secret it needs.
AppRole is one way, AWS auth (ie, use IAM or EC2 metadata to trust a server), Vault Agent (setup the agent on an instance securely, then the apps talk locally to that agent only under a defined policy), etc.
Take a look here - and see if that answers your question

That odd occurrence when you ask a question on a forum and a twitter acquaintance replies! Unless there are 2 @mikegreen 's at Hashicorp.

Thanks Mike that link was very useful, I’ll dig into that and see what I can concoct.


Oh, hey, Tom! Good to hear from you.
Only one of us mikegreen’s here, so far.
Funny timing, I just cleaned out a few forks of Saiku in Github over the weekend. Small world. There’s still a few hundred thousand securities being priced everyda by a can-and-string implementation of mondrian+saiku in a really big bank from back then :slight_smile:

Take a gander at as well if you’re heading towards the Kubernetes world. The agent-injector has had a bit of traction lately, though, for good or bad there are numerous ways to auth instances… At image build time, pipeline, post deployment, etc.