Vault with Docker Compose

Hi Team,

I am new to docker.Currently we are trying to launch vault using docker-compose.

Following is the setup we used to launch vault using docker container.Does this setup looks good or any changes needed.Can anyone please provide your suggestions.

Also i have one query, since i am using docker-compose, should i still configure the vault.service file or is it not needed.

Following is the vault-configuration file

listener “tcp” {
address = “”
tls_disable = “true”

storage “raft” {
path = “/vault/file”

cluster_addr = “
disable_mlock = “true”
ui = “true”

As per the content present in Docker Hub, prepared the following docker-compose file

version: ‘3.6’
image: vault:latest
container_name: vault
- “8201:8201”
- “8200:8200”
- vault-backend:/vault/file
- vault-logs:/vault/logs
- ./configs:/vault/config
- ./plugins:/vault/plugins
retries: 5
entrypoint: vault server -config=/vault/config/vault-config.hcl
driver: local
driver: local

You’re missing a lot of pieces. SSL certs, docker networking, the different instances cannot use the same config file as the node_id has to be different on each node. cluster_address needs to be reachable from other nodes.

Take a look at

It’s more for testing and doing the vault-guide lessons but it contains a lot of useful information for someone starting out.
There are various configuration. onboarding/docker-compose for docker-compose and opertions/raft-storage/local for just docker (using consul as the backend).

Thanks for the input Aram. This is very helpful.
I will add cert files in the listener section of the config file

tls_cert_file = “/vault/certs/.cer”
tls_key_file = “/vault/certs/.pem”
Currently we are planning to use only one node and later increase the nodes. In case if we increase the nodes, then definitely will have separate config file for each node.

For single node setup, does this docker-compose file looks good

As per the content in Docker Hub, vault will expose the volume /vault/file that has the persisted data.

Can we change this path?

Also is vault.service still need if we run vault through docker?

Thanks for the updated requirements.
Normally you cannot change the internal docker path, but you can map it to whatever path you wish on your host machine. In this case, you can, but shouldn’t, vault has no hard configurations for paths, so you can in theory map them to whatever path you want – I would recommend against it simply as it gains you nothing but adds complexity. The important path is on your host, not inside of a docker machine.

The left side is your host path and can be anything on your host, the right side is static and is inside of the docker machine.

Three notes on docker-compose:

  • it’s best-practice to use full paths on the left side (host side).
  • If it’s a directory mapping, map it with a “/” to denote that [ although directory mount is the default option, this visually tells the admin looking at it, the different between a file and a directory in the mapping.
  • Mark config files (and any other read resources) as read-only. This has fallen out of favor lately but I still think it’s a valid best-practice. Specially if you’re just starting out with docker.
      - vault-backend:/vault/file
      - vault-logs:/vault/logs
      - ./configs:/vault/config
      - ./plugins:/vault/plugins


      - /opt/vault/data/database:/vault:file
      - /opt/vault/logs/:/vault/logs/
      - /opt/vault/etc/:/vault/config/,ro
      - /opt/vault/plugins/:/vault/plugins/,ro

To answer your last question, no you don’t need a service file inside of a docker-compose you have a “entrypoint” in docker that starts the service.

Thanks aram. These are very helpful.

In my docker-compose file, the first two mappings under volumes section
- vault-backend:/vault/file
- vault-logs:/vault/logs
are docker named volumes as a result of which i haven’t given the full path. Should i give the full path incase of named volumes.

For remaining two(i.e mentioned below), i will definitely change.

  - ./configs:/vault/config
  - ./plugins:/vault/plugins

Yes, sorry I missed that they were volumes.
All bind mappings should have full paths.

Thanks Aram. Also is vault auto seal possible when vault is setup using docker.

Sure, one has nothing to do with the other. You can use a cloud provider or another vault instance to store your key in, to auto unseal.