Secrets for docker-compose services

I am new to Vault and am trying to wrap my head around the following challenge:

I am running several services with docker-compose (not in Kubernetes, just plain Docker). Quite a few of these services are coming straight from Docker Hub and are maintained by others. In order to configure some of these services, I need to provide secrets (e.g. API keys or database credentials). For some of these services, it is done through environment variables, for some other services I need to provide the secrets in configuration files.

What is the best way to use Vault for managing these secrets? Can I inject secrets into environment variables or into configuration files somehow? Or is there a better way to deal with this scenario?

For injecting the secrets into files you could use Vault Agent Templates:

And vaultenv from
seems to be similar to the known envconsul for using environment variables.

I am facing the same challenge while working on a side project. I have managed to run envconsul container to pull the secret from Vault and expose it as an environment variable.
I still didn’t figure out how to populate the VAULT_TOKEN environment variable. The value is stored in a local file. Looking for a way to extract it…

Thanks. I am aware of those options. Didn’t find a good solution yet. The current approach I took is wrapping docker-compose with a script which reads the secret from Vault without envconsul. Any other ideas?

This may help…

Hi, can you share the idea behind the script which reads the secrets from Vault? I am currently implementing something of a similar sort and looking for a better way to do so.

The idea behind the script is:
One of the containers in my application is mysql database. Another one is vault.
I want to spin a dev environment with docker-compose which spins vault first and then pulls the secrets required by mysql to spin it.
Does that make sense?

Even I want to do a similar implementation. I am trying to see if I can update the docker .env variables by directly calling “vault kv get secret/…” and use those same env vars in docker-compose.
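
An added example, not part of any post in this thread: a wrapper script of the kind discussed above, which reads secrets with `vault kv get` and passes them to docker-compose through the process environment instead of a `.env` file on disk. The KV path, field names and variable names are constructed, and `VAULT_ADDR` and `VAULT_TOKEN` are assumed to be set already in the calling shell.

```shell
#!/bin/sh
# Added example: wrapper around docker-compose that reads secrets from Vault.
# Assumes VAULT_ADDR and VAULT_TOKEN are already set in the calling shell.
# The mapping below (variable names, KV path, field names) is constructed.

SECRET_MAP='MYSQL_ROOT_PASSWORD secret/dev/mysql root_password
MYSQL_PASSWORD secret/dev/mysql app_password'

# export_secrets MAP
# MAP holds one "ENV_NAME KV_PATH FIELD" triple per line. Each value is
# exported into this process only; nothing is written to a .env file.
export_secrets() {
    while read -r name path field; do
        [ -n "$name" ] || continue
        case "$name" in
            [!A-Za-z_]*|*[!A-Za-z0-9_]*)
                echo "invalid variable name: $name" >&2; return 1 ;;
        esac
        # Fail closed: a missing or empty secret aborts before any container starts.
        value=$(vault kv get -field="$field" "$path") || {
            echo "cannot read $field from $path" >&2; return 1; }
        [ -n "$value" ] || { echo "$path#$field is empty" >&2; return 1; }
        export "$name=$value"
    done <<EOF
$1
EOF
    unset value
}

# compose_up: load the secrets, then replace this shell with docker-compose so
# the values live only in that process's environment. In docker-compose.yml the
# service lists the bare names (e.g. "- MYSQL_ROOT_PASSWORD") to pass them through.
compose_up() {
    export_secrets "$SECRET_MAP" || return 1
    exec docker-compose up -d
}

# Run only when called as "./compose-up.sh up".
if [ "${1:-}" = "up" ]; then compose_up; fi
```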