I have a PHP application which runs via a docker container. There is a script which communicates with Vault to decrypt a few of the config keys. The decrypt API, $VAULT_ADDR/v1/transit/decrypt/$VAULT_TRANSIT_KEY, is working fine. I have hardcoded the value of the vault token (copied the token directly after logging into vault). But now I want to generate a new token and renew the token in the script and use that token in the decrypt API.
I am using curl for the API $VAULT_ADDR/v1/auth/token/create to create a token, but the token is not able to decrypt the keys - it says permission denied.
I also tried to install vault through yum inside the docker container and tried using `login --method=oidc -token-only -no-store` for token creation. But vault is not getting recognized.
You shouldn't hardcode any secrets. If you run in Kubernetes you could use a workload identity for authentication with Vault, e.g. the native K8s auth method, or JWT.
This comes down to what environment you run in and how you launch your docker image. A key concept with docker is that the image is “immutable” and anything that may change (i.e. configuration) is injected at runtime.
One way is to generate the token outside, for example in the script used to launch it, and pass it in as an env (-e VAULT_TOKEN=xxxx) so it becomes accessible inside the container. This removes the need for vault in the image. Of course, in this scenario, you will need to launch a new container with the new token, and stop the older one. This implies a little more infrastructure like a load balancer or proxy in front.
With “just docker”, another way is to place it in a file in the local filesystem, and give docker access to it. You then just need to, again, generate it outside and have it loaded.
If you are in a Kubernetes environment you can set up k8s auth and use a service account token. But simpler is to keep injecting the token as a k8s secret, making it available to the image as a file, which again you need to be able to reload.
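A host-side launcher that does what this answer describes, as an added example and not code from the thread: it writes a policy limited to decrypting with the one transit key, mints a short-lived renewable token on the host, and injects it into the container through the environment. It assumes the operator is already logged in with the vault CLI on the host; the policy name `myapp-decrypt`, the image name `myapp:latest` and the 24h TTL are placeholders.

```shell
#!/bin/sh
# Added example launcher, not from the original thread. Assumes VAULT_ADDR,
# VAULT_TRANSIT_KEY and an operator login (vault CLI) on the host.
set -eu

# Least-privilege policy: the app token can only decrypt with this one key
# and renew itself; it cannot encrypt, rotate keys or read other paths.
decrypt_policy_hcl() {
  key="$1"
  printf 'path "transit/decrypt/%s" {\n  capabilities = ["update"]\n}\n' "$key"
  printf 'path "auth/token/renew-self" {\n  capabilities = ["update"]\n}\n'
}

# Mint a short-lived, renewable token carrying only that policy. This runs on
# the host, so the image needs neither the vault binary nor a long-lived token.
mint_app_token() {
  policy="$1"
  ttl="$2"
  vault token create -policy="$policy" -ttl="$ttl" -renewable=true -field=token
}

# The token is passed in as an env var at launch; nothing is baked into the image.
run_app() {
  token="$1"
  image="$2"
  docker run -d --rm -e VAULT_ADDR="$VAULT_ADDR" -e VAULT_TOKEN="$token" "$image"
}

main() {
  key="${VAULT_TRANSIT_KEY:?set VAULT_TRANSIT_KEY}"
  decrypt_policy_hcl "$key" | vault policy write myapp-decrypt -   # "-" reads stdin
  token="$(mint_app_token myapp-decrypt 24h)"
  run_app "$token" myapp:latest
}

# Only launch when invoked as "launch.sh launch"; the functions stay sourceable.
case "${1:-}" in
  launch) main ;;
esac
```

Rotating the token then means running the launcher again and stopping the old container, as the answer notes.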