How to pass Vault secrets to a docker container as arguments?

shamigit · March 24, 2020, 6:39pm

Hello,

I’m trying to create docker containers with nomad docker driver. This docker container needs vault secrets to execute my task. How do i pass these vault secrets to docker container during container spin-up.
Vault secrets are defined in the template.data stanza (heredoc) in the below nomad job spec. But how do i pass the same variables as docker run arguments $HOSTNAME, $USERNAME?

group "execute" {
    task "executor" {
      driver = "docker"
      config {
        image = "repos.images.com/apple_image:0.1"
        args = [ 
            $HOSTNAME,
            $USERNAME
         ]
        template {
         data = <<EOF
{{ with secret "secret/mysecrets/apple_secrets" }}
USERNAME = "{{ .Data.username }}"
HOSTNAM = "{{ .Data.hostnam }}"
{{ end }}
        EOF
        destination = "secrets/vault.env"
        env = true
        perms = "600"
      }
    }
}
vault {
    policies = ["apple_policy"]
    change_mode   = "signal"
    change_signal = "SIGUSR1"
 }

Thanks in advance!

SunSparc · October 6, 2021, 12:28am

You could mount the vault.env file into the container. Here is an example:

task "executor" {
  driver = "docker"
  config {
    image = "repos.images.com/apple_image:0.1"
    volumes = [
      "secrets/vault.env:/path/inside/docker/image/vault.env",
    ]
  }
  template {
    data = <<EOF
      {{ with secret "secret/mysecrets/apple_secrets" }}
        USERNAME = "{{ .Data.username }}"
        HOSTNAME = "{{ .Data.hostname }}"
      {{ end }}
    EOF
    destination = "secrets/vault.env"
  }
}