How to generate and renew vault token inside docker container

I have a PHP application which runs via a docker container. There is a script which communicates with vault to decrypt a few of the config keys. The decrypt API - $VAULT_ADDR/v1/transit/decrypt/$VAULT_TRANSIT_KEY - is working fine. I have hardcoded the value of the vault token (copied the token directly after logging into vault). But now I want to generate a new token and renew the token in the script and use that token in the decrypt API.

I am using curl for the API $VAULT_ADDR/v1/auth/token/create to create a token, but the token is not able to decrypt the keys - it says permission denied.

I also tried to install vault through yum inside the docker container and tried using `login --method=oidc -token-only -no-store` for token creation. But vault is not getting recognized.

Can someone please help me with this?

Thanks in advance.

You shouldn't hardcode any secrets. If you run in Kubernetes you could use a workload identity for authentication with Vault, e.g. the native K8s auth method, or JWT.

This comes down to what environment you run in and how you launch your docker image. A key concept with docker is that the image is "immutable" and anything that may change (i.e. configuration) is injected at runtime.

One way is to generate the token outside, for example in the script used to launch it, and pass it in as an env var (-e VAULT_TOKEN=xxxx) so it becomes accessible inside the container. This removes the need for vault in the image. Of course, in this scenario, you will need to launch a new container with the new token, and stop the older one. This implies a little more infrastructure like a load balancer or proxy in front.

With "just docker", another way is to place it in a file in the local filesystem, and give docker access to it. You then just need to, again, generate it outside and have it loaded.

If you are in a Kubernetes environment, you can set up k8s auth and use a service account token. But simpler is to keep injecting the token as k8s secrets, making it available to the image as a file - which again you need to be able to reload.

1 Like
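An added example (not code from this thread or from the Vault project) of the container side of the "inject the token at runtime" approach described in the answer above. It reads the token from the VAULT_TOKEN environment variable (docker run -e) or from a mounted file named by a hypothetical VAULT_TOKEN_FILE variable, checks the remaining TTL with auth/token/lookup-self, renews it with auth/token/renew-self when it is close to expiry, and then calls the transit decrypt endpoint from the question. The class name, the 300-second threshold and the DB_PASSWORD_ENC variable are assumptions for illustration. It also assumes the token was created as renewable with a policy that grants the update capability on transit/decrypt/<key>; without that policy the decrypt call returns HTTP 403, which is the "permission denied" from the question.

```php
<?php
// Added example: runtime-injected Vault token with renewal, for a PHP app in a container.
// Assumes VAULT_ADDR and VAULT_TRANSIT_KEY are set, and that the token is injected either
// via the VAULT_TOKEN env var or via a mounted file whose path is in VAULT_TOKEN_FILE (assumed name).
declare(strict_types=1);

final class VaultClient
{
    private string $addr;
    private string $token;

    public function __construct(string $addr, string $token)
    {
        $this->addr = rtrim($addr, '/');
        $this->token = $token;
    }

    /** Load the token from the environment or a mounted file; nothing is baked into the image. */
    public static function tokenFromRuntime(): string
    {
        $file = getenv('VAULT_TOKEN_FILE'); // assumed variable name
        if ($file !== false && is_readable($file)) {
            return trim((string) file_get_contents($file));
        }
        $env = getenv('VAULT_TOKEN');
        if ($env !== false && $env !== '') {
            return $env;
        }
        throw new RuntimeException('No Vault token provided (set VAULT_TOKEN or VAULT_TOKEN_FILE)');
    }

    /** Minimal JSON request helper against the Vault HTTP API; throws on transport or non-2xx responses. */
    private function request(string $method, string $path, ?array $body = null): array
    {
        $ch = curl_init($this->addr . '/v1/' . ltrim($path, '/'));
        curl_setopt_array($ch, [
            CURLOPT_CUSTOMREQUEST  => $method,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_HTTPHEADER     => ['X-Vault-Token: ' . $this->token, 'Content-Type: application/json'],
            CURLOPT_TIMEOUT        => 10,
        ]);
        if ($body !== null) {
            curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($body, JSON_THROW_ON_ERROR));
        }
        $raw    = curl_exec($ch);
        $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $err    = curl_error($ch);
        curl_close($ch);
        if ($raw === false) {
            throw new RuntimeException("Vault request failed: $err");
        }
        if ($status < 200 || $status >= 300) {
            // A 403 here means the token's policies do not grant the capability needed on $path.
            throw new RuntimeException("Vault returned HTTP $status for $path: $raw");
        }
        return $raw === '' ? [] : json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    }

    /** Seconds left on the current token, from auth/token/lookup-self. */
    public function ttl(): int
    {
        $resp = $this->request('GET', 'auth/token/lookup-self');
        return (int) ($resp['data']['ttl'] ?? 0);
    }

    /** Renew the token via auth/token/renew-self if fewer than $threshold seconds remain. */
    public function renewIfNeeded(int $threshold = 300): bool
    {
        if ($this->ttl() > $threshold) {
            return false;
        }
        // Renewal only extends up to the token's max TTL; a non-renewable token makes this call fail.
        $this->request('POST', 'auth/token/renew-self', ['increment' => '1h']);
        return true;
    }

    /** Decrypt a transit ciphertext ("vault:v1:...") and return the plaintext bytes. */
    public function decrypt(string $keyName, string $ciphertext): string
    {
        $resp  = $this->request('POST', 'transit/decrypt/' . rawurlencode($keyName), ['ciphertext' => $ciphertext]);
        $plain = base64_decode((string) ($resp['data']['plaintext'] ?? ''), true);
        if ($plain === false) {
            throw new RuntimeException('Unexpected plaintext encoding from transit');
        }
        return $plain;
    }
}

// Usage at application start-up: renew early if needed, then decrypt a config value.
$vault = new VaultClient((string) getenv('VAULT_ADDR'), VaultClient::tokenFromRuntime());
$vault->renewIfNeeded();
$dbPassword = $vault->decrypt((string) getenv('VAULT_TRANSIT_KEY'), (string) getenv('DB_PASSWORD_ENC'));
```

Renewal can only run until the token's max TTL is reached, so the process that launches the container (the script the answer above describes) still has to mint a fresh token and restart or reload the container before that point; the in-container renewal just keeps a short-TTL token alive between those rotations.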

Thank you for your help. It worked!

1 Like