Secrets for docker-compose services

I am new to Vault and try to wrap my head around the following challenge:

I am running several services with docker-compose (not in Kubernetes, just plain Docker). Quite a few of these services are coming straight from Docker Hub and are maintained by others. In order to configure some of these services, I need to provide secrets (e.g. API keys or database credentials). For some of these services, it is done through environment variables, for some other services I need to provide the secrets in configuration files.

What is the best way to use Vault for managing these secrets? Can I inject secrets into environment variables or into configuration files somehow? Or is there a better way to deal with this scenario?

For injecting the secrets into files you could use Vault Agent Templates: https://www.vaultproject.io/docs/agent/template/index.html

And vaultenv from https://github.com/channable/vaultenv
seems to be similar to the well-known envconsul for using environment variables.


I am facing the same challenge while working on a side project. I have managed to run envconsul container to pull the secret from Vault and expose it as an environment variable.
I still didn’t figure out how to populate the VAULT_TOKEN environment variable. The value is stored in a local file. Looking for a way to extract it…

Thanks. I am aware of those options. Didn't find a good solution yet. The current approach I took is wrapping docker-compose with a script which reads the secret from Vault without envconsul. Any other ideas?


This may help…


Hi, can you share the idea behind the script which reads the secrets from Vault? I am currently implementing something of a similar sort, and looking for a better way to do so.

The idea behind the script is:
One of the containers in my application is mysql database. Another one is vault.
I want to spin up a dev environment with docker-compose which spins up vault first and then pulls the secrets required by mysql to spin it up.
Does that make sense?
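As an added example (not the poster's own script), here is one way to write the wrapper described above in POSIX sh. It pulls each field with `vault kv get -field=...`, exports the values into the environment of the `docker-compose` process only, and never writes a `.env` file, so `docker-compose.yaml` carries nothing but `${MYSQL_ROOT_PASSWORD}`-style references. The secret path `secret/mysql`, the fields `root_password` and `app_password`, and the variable names are assumptions; `VAULT_ADDR` and `VAULT_TOKEN` are assumed to already be set for the vault CLI.

```shell
#!/bin/sh
# compose-with-vault.sh: wrapper around docker-compose that pulls secrets from
# Vault into the environment of the compose process only. Nothing is written
# to a .env file. Added example, not the original poster's script.
# Assumptions: VAULT_ADDR and VAULT_TOKEN are set for the vault CLI, and a KV
# secret exists at secret/mysql with the fields root_password and app_password
# (path and field names are hypothetical).
set -eu

# Read one field of a KV secret. -field prints the raw value, not JSON.
vault_field() {
    vault kv get -field="$2" "$1"
}

# Map of "ENV_VAR  vault-path  field". Kept here so docker-compose.yaml only
# carries ${ENV_VAR} references and never a value.
secret_map() {
    cat <<'EOF'
MYSQL_ROOT_PASSWORD secret/mysql root_password
MYSQL_PASSWORD secret/mysql app_password
EOF
}

# Turn the map into "export VAR='value'" lines suitable for eval. Values are
# single-quoted and embedded single quotes are escaped, so spaces and shell
# metacharacters in a password survive intact.
export_lines() {
    secret_map | while read -r var path field; do
        value=$(vault_field "$path" "$field")
        escaped=$(printf '%s' "$value" | sed "s/'/'\\\\''/g")
        printf "export %s='%s'\n" "$var" "$escaped"
    done
}

main() {
    # Assign first so that a missing secret aborts under set -e before
    # docker-compose is ever started with a half-populated environment.
    lines=$(export_lines)
    eval "$lines"
    exec docker-compose "$@"
}

# Usage: ./compose-with-vault.sh up -d
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Note what this does and does not address: no value sits on disk in `.env` or in the compose file, but `docker-compose` still passes the variables into the container's environment, so anyone who can run `docker inspect` on the host sees them in plaintext. The `eval` is deliberate and only safe because the values are quoted and escaped; do not simplify it to `export VAR=$(vault kv get ...)` per line, or a password containing a space or `$` will break the environment.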

I also want to do a similar implementation. I am trying to see if I can update the docker .env variables
by directly calling “vault kv get secret/…” and use those same env vars in docker-compose.

I am new to Vault sorry,

After 2 years, I am facing these challenges. I need to encrypt sensitive information inside the docker-compose.yaml file, meaning that if other users access the host (via ssh) they cannot view sensitive data just with cat docker-compose.yaml.
And second, when docker is running, nobody can see the unencrypted password inside the container with docker inspect or by exec-ing inside a container and seeing all of the env containing sensitive data.
I know docker secrets help me solve the second challenge, but they do not completely solve the second problem.

This really has no connection to docker or docker-compose and is available in any setup. You can use transit engine in Vault to encrypt and decrypt any value.

The application can read the encrypted value from a KV secret and use the transit engine to decrypt it in memory so that it is never written to disk (inside or outside of the container).
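To make the transit suggestion above concrete for a compose setup, here is an added example in POSIX sh (not the poster's code and not part of the original thread). It encrypts a value once with transit, so that docker-compose.yaml or the KV store only ever holds the `vault:v1:...` ciphertext, and at start-up decrypts it into a pipe feeding the consuming process, so the plaintext never touches a file. The key name `compose` and the mount `transit/` are assumptions, as is a vault CLI already configured via `VAULT_ADDR` and `VAULT_TOKEN`.

```shell
#!/bin/sh
# transit.sh: keep only a transit ciphertext in docker-compose.yaml or KV and
# decrypt it at start-up into a pipe, never a file. Added example, not the
# poster's code. Assumptions: vault CLI configured (VAULT_ADDR, VAULT_TOKEN),
# transit engine mounted at transit/ with a key named "compose" (hypothetical).
set -eu

TRANSIT_KEY=${TRANSIT_KEY:-compose}

# Transit accepts and returns base64 only. Strip the line wrapping base64(1)
# inserts so the value is a single token on the vault command line.
b64() {
    base64 | tr -d '\n'
}

# Encrypt stdin. Prints "vault:v1:..." which is safe to commit, cat or inspect;
# only a token with decrypt rights on the key can turn it back.
transit_encrypt() {
    plaintext=$(b64)
    vault write -field=plaintext_unused "transit/encrypt/$TRANSIT_KEY" "plaintext=$plaintext" 2>/dev/null \
        || vault write -field=ciphertext "transit/encrypt/$TRANSIT_KEY" "plaintext=$plaintext"
}

# Decrypt the "vault:vN:..." token in $1 and print the plaintext to stdout.
transit_decrypt() {
    vault write -field=plaintext "transit/decrypt/$TRANSIT_KEY" "ciphertext=$1" | base64 -d
}

# Hand the plaintext to a consumer on its stdin. It then exists only in the
# pipe and in the memory of the two processes, never on disk or in `env`.
run_with_secret() {
    ct=$1
    shift
    transit_decrypt "$ct" | "$@"
}

# CLI: encrypt (plaintext on stdin) | decrypt CT | run CT CMD [ARGS...]
if [ "$#" -gt 0 ]; then
    case "$1" in
        encrypt) transit_encrypt ;;
        decrypt) transit_decrypt "$2" ;;
        run) shift; run_with_secret "$@" ;;
        *) echo "usage: $0 encrypt|decrypt CT|run CT CMD..." >&2; exit 2 ;;
    esac
fi
```

Two caveats for the thread's scenario. An unmodified Docker Hub image cannot call transit itself, so the decryption has to happen in something you control: either the wrapper before `docker-compose up` (which puts the plaintext back into the container environment, where `docker inspect` shows it) or a process that receives it on stdin as in `run` mode, e.g. `./transit.sh run "$CT" docker exec -i db sh -c 'IFS= read -r pw; ...'`. And the ciphertext in the compose file only protects the value to the extent the Vault policy on `transit/decrypt/compose` is tight; anyone holding a token allowed to decrypt with that key can recover it, so the policy is what actually enforces the first requirement.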