I am new to Vault and try to wrap my head around the following challenge:
I am running several services with docker-compose (not in Kubernetes, just plain Docker). Quite a few of these services are coming straight from Docker Hub and are maintained by others. In order to configure some of these services, I need to provide secrets (e.g. API keys or database credentials). For some of these services, it is done through environment variables, for some other services I need to provide the secrets in configuration files.
What is the best way to use Vault for managing these secrets? Can I inject secrets into environment variables or into configuration files somehow? Or is there a better way to deal with this scenario?
I am facing the same challenge while working on a side project. I have managed to run an envconsul container to pull the secret from Vault and expose it as an environment variable.
I still didn't figure out how to populate the VAULT_TOKEN environment variable. The value is stored in a local file. Looking for a way to extract it…
Thanks. I am aware of those options. Didn't find a good solution yet. The current approach I took is wrapping docker-compose with a script which reads the secret from Vault without envconsul. Any other ideas?
Hi, can you share the idea behind the script which reads the secrets from Vault? I am currently implementing something similar and am looking for a better way to do so.
The idea behind the script is:
One of the containers in my application is a mysql database. Another one is vault.
I want to spin up a dev environment with docker-compose which spins up vault first and then pulls the secrets required by mysql to spin it up.
Does that make sense?
I want to do a similar implementation too. I am trying to see if I can update the docker .env variables by directly calling `vault kv get secret/…` and use those same env vars in docker-compose.
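The "wrapper script" idea from the earlier reply and the `vault kv get` approach above amount to the same procedure: read a KV secret before `docker-compose` starts and hand it over as environment variables. The following is an added example (not code posted in this thread) that does this through Vault's HTTP API with only the standard library, so it does not depend on the `vault` binary being present. It assumes a KV version 2 engine mounted at `secret/`, a hypothetical secret at `secret/myapp/mysql` whose keys are already named like environment variables (`MYSQL_ROOT_PASSWORD`, `MYSQL_USER`), and that `VAULT_ADDR` is set; the token is taken from `VAULT_TOKEN` or, failing that, from `~/.vault-token`, which is where `vault login` stores it (the "local file" mentioned above). The rendered `.env` is written with mode 0600 so other users on the host cannot read it.

```python
"""Render a Vault KV v2 secret into a docker-compose .env file.

Added example, not code from the thread. Hypothetical assumptions:
  - KV v2 is mounted at "secret/" (the default dev-server layout)
  - the secret secret/myapp/mysql holds keys named like env vars
  - VAULT_ADDR is set; VAULT_TOKEN or ~/.vault-token supplies the token
"""
import json
import os
import re
import sys
import urllib.request


def kv2_api_path(mount, secret_path):
    """KV v2 inserts 'data/' between the mount and the secret path in the API."""
    return f"{mount.strip('/')}/data/{secret_path.strip('/')}"


def vault_get(addr, token, api_path):
    """GET /v1/<api_path> with the X-Vault-Token header; returns parsed JSON."""
    req = urllib.request.Request(f"{addr.rstrip('/')}/v1/{api_path}",
                                 headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def kv2_data(response):
    """Extract the user key/value map from a KV v2 read response.

    KV v2 nests the values one level deeper than KV v1:
    {"data": {"data": {...}, "metadata": {...}}}.
    """
    return response["data"]["data"]


def quote_env_value(value):
    """Single-quote a value so Compose reads it back literally.

    Secrets routinely contain '$', '#' or spaces, which are special in
    unquoted .env values. Escape handling inside quotes differs between
    Compose versions, so values that cannot be represented literally
    (containing a single quote or a newline) are refused rather than guessed.
    """
    value = str(value)
    if "'" in value or "\n" in value:
        raise ValueError("value contains a single quote or newline; "
                         "store it in a file instead of .env")
    return f"'{value}'"


def render_env(data, names=None):
    """Turn a secret map into KEY='value' lines, sorted for stable diffs."""
    lines = []
    for key in sorted(names if names is not None else data):
        if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", key):
            raise ValueError(f"{key!r} is not a valid environment variable name")
        lines.append(f"{key}={quote_env_value(data[key])}")
    return "\n".join(lines) + "\n"


def write_env_file(path, content):
    """Create the .env with mode 0600 (owner-only) before any bytes are written."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)


def load_token():
    """Prefer VAULT_TOKEN; fall back to the file written by `vault login`."""
    token = os.environ.get("VAULT_TOKEN")
    if token:
        return token
    with open(os.path.expanduser("~/.vault-token")) as f:
        return f.read().strip()


def main(argv):
    if len(argv) != 3:
        sys.exit(f"usage: {argv[0]} <secret-path-under-secret/> <env-file>")
    addr = os.environ["VAULT_ADDR"]
    response = vault_get(addr, load_token(), kv2_api_path("secret", argv[1]))
    write_env_file(argv[2], render_env(kv2_data(response)))


if __name__ == "__main__":
    main(sys.argv)
```

Usage would be `python vault_env.py myapp/mysql .env && docker-compose up -d`. The `.env` file still ends up on disk and the values still show in `docker inspect`, exactly the limitation raised later in this thread; this script only removes the secret from the checked-in `docker-compose.yaml`.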
After 2 years, I faced these challenges. I need to encrypt sensitive information inside the docker-compose.yaml file, meaning that if other users access (ssh) the host they cannot view the sensitive data just with `cat docker-compose.yaml`.
And second, when docker is running, nobody can see the unencrypted password inside the container with `docker inspect` or by exec-ing inside a container and seeing all of the env containing sensitive data.
I know docker secrets help me to solve the second challenge but do not completely solve the second problem.
This really has no connection to Docker or docker-compose and is available in any setup. You can use the transit engine in Vault to encrypt and decrypt any value.
The application can read the encrypted value from a KV secret (or from its environment) and use the transit engine to decrypt it in memory, so that the plaintext is never written to disk (inside or outside of the container).
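An added example of the transit pattern described above (not code from this thread) using Vault's HTTP API with only the standard library. The transit encrypt and decrypt endpoints exchange plaintext as base64 and return ciphertext prefixed `vault:v<key version>:`, which is what makes the ciphertext safe to commit in `docker-compose.yaml` or to expose through `docker inspect`: without a token permitted to call `transit/decrypt/<key>`, it is just an opaque string. The key name `app-secrets`, the variable `DB_PASSWORD_CIPHERTEXT` and the environment layout are assumptions for the example; it also assumes the transit engine is mounted at its default path `transit/`.

```python
"""Keep only transit ciphertext in the container's environment; decrypt in memory.

Added example, not code from the thread. Hypothetical assumptions:
  - transit engine mounted at "transit/", key named "app-secrets"
  - the container gets VAULT_ADDR, VAULT_TOKEN and DB_PASSWORD_CIPHERTEXT
    (the latter is a "vault:v1:..." string, safe to show in docker inspect)
"""
import base64
import json
import os
import re
import urllib.request

CIPHERTEXT_RE = re.compile(r"^vault:v\d+:")


def vault_post(addr, token, api_path, body):
    """POST JSON to /v1/<api_path> with the X-Vault-Token header."""
    req = urllib.request.Request(
        f"{addr.rstrip('/')}/v1/{api_path}",
        data=json.dumps(body).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def encode_plaintext(raw):
    """Transit takes plaintext as base64, so arbitrary bytes survive the trip."""
    return base64.b64encode(raw).decode("ascii")


def decode_plaintext(response):
    """Pull the base64 plaintext out of a transit decrypt response."""
    return base64.b64decode(response["data"]["plaintext"])


def is_transit_ciphertext(value):
    """True for the 'vault:v<n>:...' shape transit produces; used to refuse
    a value that was accidentally deployed in plaintext."""
    return bool(CIPHERTEXT_RE.match(value))


def transit_encrypt(addr, token, key, raw):
    """One-time step, run by an operator: produce the string for compose.yaml."""
    resp = vault_post(addr, token, f"transit/encrypt/{key}",
                      {"plaintext": encode_plaintext(raw)})
    return resp["data"]["ciphertext"]


def transit_decrypt(addr, token, key, ciphertext):
    """Run inside the application at startup; plaintext only ever lives in RAM."""
    if not is_transit_ciphertext(ciphertext):
        raise ValueError("DB_PASSWORD_CIPHERTEXT is not transit ciphertext; "
                         "refusing to treat a plaintext value as configuration")
    resp = vault_post(addr, token, f"transit/decrypt/{key}",
                      {"ciphertext": ciphertext})
    return decode_plaintext(resp)


def load_db_password():
    """What the application calls at startup instead of reading DB_PASSWORD."""
    return transit_decrypt(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"],
                           "app-secrets", os.environ["DB_PASSWORD_CIPHERTEXT"])


if __name__ == "__main__":
    # Operator side: encrypt once, paste the printed ciphertext into compose.yaml.
    import sys
    if len(sys.argv) == 2:
        print(transit_encrypt(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"],
                              "app-secrets", sys.argv[1].encode()))
    else:
        # Application side: the secret is decrypted and used, never echoed.
        password = load_db_password()
        print(f"decrypted {len(password)} bytes; connecting to the database...")
```

The part of the design worth noticing is that the token the container holds only needs an ACL allowing `update` on `transit/decrypt/app-secrets`; it never needs read access to the plaintext as a KV value, so an attacker who only obtains the compose file or the container's environment gets the ciphertext and nothing else. Rotating the transit key (`vault write -f transit/keys/app-secrets/rotate`) and re-encrypting is then a configuration change rather than a redeployment of every secret.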