Difficulty: Intermediate
Estimated Time: 15-20 minutes

In this scenario, we'll access secrets stored in Hashicorp Vault from a Docker Container. To access the stored secrets, the container is configured to use a Volume Driver called LibSecret. The Volume Driver communicates with Vault meaning the applications don't require any additional configuration to access the secrets.

The aim is to stop using environment variables for passwords. Environment variables can accidentally leak keys to untrusted applications or storage. Instead, you can store them securely in Vault and access them via the file-system when required.

What is Hashicorp Vault?

Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret while providing tight access control and recording a detailed audit log. More details can be found at https://github.com/hashicorp/vault/

Important

This scenario is designed for educational purposes and not production usage.

In this scenario, we explored how to read secrets from Hashicorp Vault by using a Docker Volume Driver called LibSecret.

By reading them as files on disk, we reduce the risk of accidentally exposing secrets, unlike environment variables. In future scenarios we'll explore what happens if a key or token is compromised.


Read Vault Secrets from Docker Containers

Step 1 of 4

Step 1 - Start Vault

The first step is to start an instance of Vault. We explained the details of Vault in our Store Secrets using Hashicorp Vault scenario.

We've created some helper scripts to start Vault. To configure the environment run the following commands.

Configure Vault

The first script launches the Consul and Vault containers ./start-vault.sh

Vault starts sealed, meaning you cannot read or write data. Use the helper script to unseal the vault: ./unseal-vault.sh. If this errors, it's because Vault is still initialising.

The final stage is to obtain the access token; this is output when we initialised and unsealed the vault.

export VAULT_TOKEN=$(grep 'Initial Root Token:' keys.txt | awk '{print substr($NF, 1, length($NF)-1)}')

By logging in we can now start storing and persisting data: vault auth -address=${VAULT_ADDR} ${VAULT_TOKEN}

After running the commands Vault and your environment have been configured.
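The following is an added example (not code from the scenario, from Vault, or from the LibSecret project) that ties together two file-based patterns this page relies on: reading a secret that a volume driver exposes as a file inside the container instead of from an environment variable, and pulling the root token out of the keys.txt file that the helper scripts write. The mount path db-password, the keys.txt layout, and the secret values are constructed for the demo; the assumption that the trailing character stripped by the scenario's substr() call is a period or carriage return is mine.

```shell
#!/bin/sh
# Added example, not part of the original scenario. Two helpers:
#   read_secret_file  - read a secret from a file (what a LibSecret mount exposes)
#   extract_root_token - parse 'Initial Root Token:' out of keys.txt
# Constructed data stands in for the real mount and keys.txt.

# require_private PATH: succeed only if PATH is a regular file with mode 0400 or
# 0600, so a mount or keys file readable by other users is noticed, not used.
# stat -c is GNU/busybox syntax (macOS would need stat -f).
require_private() {
    [ -f "$1" ] || { echo "not a regular file: $1" >&2; return 1; }
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        400|600) return 0 ;;
        *) echo "refusing $1: mode $mode is readable by others" >&2; return 1 ;;
    esac
}

# read_secret_file PATH: print the first line of PATH for the caller to capture.
# The value is never exported, so it does not show up in /proc/<pid>/environ
# or in `docker inspect` output the way an environment variable would.
read_secret_file() {
    require_private "$1" || return 1
    IFS= read -r secret < "$1" || [ -n "$secret" ] || return 1
    printf '%s\n' "$secret"
    unset secret
}

# extract_root_token KEYS_FILE: print the token from the 'Initial Root Token:'
# line. The scenario's one-liner drops the last character unconditionally with
# substr(); here only a trailing carriage return or '.' is removed (assumed to be
# what that character is), so a token without one is not truncated.
extract_root_token() {
    require_private "$1" || return 1
    token=$(awk '/Initial Root Token:/ { print $NF }' "$1" | tr -d '\r' | sed 's/\.$//')
    [ -n "$token" ] || { echo "no Initial Root Token line in $1" >&2; return 1; }
    printf '%s\n' "$token"
}

# --- constructed demo data: stand-ins for the LibSecret mount and keys.txt ---
demo_dir=$(mktemp -d)
umask 077
printf 'constructed-db-password\n' > "$demo_dir/db-password"
cat > "$demo_dir/keys.txt" <<'EOF'
Unseal Key 1: constructed-unseal-key-1
Unseal Key 2: constructed-unseal-key-2
Initial Root Token: constructed-root-token.
EOF

db_password=$(read_secret_file "$demo_dir/db-password") \
    && echo "read db password (${#db_password} characters) without exporting it"
VAULT_TOKEN=$(extract_root_token "$demo_dir/keys.txt") \
    && echo "root token extracted from keys.txt"
# keys.txt also holds the unseal keys; once the token is captured it should not
# stay on disk next to the containers that use it.
rm -f "$demo_dir/keys.txt"
```

With a real Vault, the captured VAULT_TOKEN is what the scenario's `vault auth -address=${VAULT_ADDR} ${VAULT_TOKEN}` command consumes; the demo stops short of that call so it runs offline.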