Using Vault with docker-compose file

Rumesh Eranga Hapuarachchi · Jul 18, 2017 · Viewed 20.5k times

Currently I am using a docker-compose file to set up my dev/prod environments. I am using environment variables to store secrets, database credentials, etc. After some searching, I found out that Vault can be used to secure the credentials. I tried a couple of basic examples with Vault, but I still have no idea how to use Vault with a docker-compose file. Can someone point me to the correct way? If Vault is not a good solution with docker-compose, what mechanisms could I use to secure credentials rather than storing them in the environment as plain text?

Answer

StampyCode · Jul 25, 2017

This is my current docker-compose config for using Vault in dev, but I use dedicated servers (not Docker) in production.

# docker_compose.yml
version: '2'
services:
    myvault:
        image: vault
        container_name: myvault
        ports:
          - "127.0.0.1:8200:8200"
        volumes:
          - ./file:/vault/file:rw
          - ./config:/vault/config:rw
        cap_add:
          - IPC_LOCK
        entrypoint: vault server -config=/vault/config/vault.json

The volume mounts ensure the vault config is saved if you have to rebuild the container.

To use the 'file' backend and make this setup portable for Docker/Git, you will also need to create a directory called config and put this file into it, named vault.json:

# config/vault.json
{
  "backend": {"file": {"path": "/vault/file"}},
  "listener": {"tcp": {"address": "0.0.0.0:8200", "tls_disable": 1}},
  "default_lease_ttl": "168h",
  "max_lease_ttl": "0h"
}

Notes:
Although the ROOT_TOKEN is static in this configuration (it will not change between container builds), any generated VAULT_TOKEN issued for an app_role will be invalidated every time the vault has to be unsealed.

I have found that Vault sometimes becomes sealed when the container is restarted.
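As an added example (not part of the answer above), the script below handles the two notes at the end of the answer: it checks the seal status of the dev Vault behind the compose file, feeds unseal key shares until the threshold is met, and then logs in with AppRole to obtain a fresh client token instead of reusing one kept in the environment. VAULT_ADDR defaulting to the tls_disable listener on 127.0.0.1:8200 and the FakeVault stand-in are assumptions; the HTTP paths are Vault's documented sys/seal-status, sys/unseal and auth/approle/login endpoints.

```python
import json
import os
import urllib.request

# Assumption: the compose file above publishes the tls_disable listener on localhost.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")


def vault_http(method, path, body=None):
    """Minimal Vault HTTP client for the dev listener (plain HTTP, no token needed here)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(VAULT_ADDR + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read() or b"{}")


def unseal_if_needed(key_shares, http=vault_http):
    """Submit shares until the threshold t is met; do nothing if Vault is already unsealed."""
    status = http("GET", "/v1/sys/seal-status")
    for share in key_shares:
        if not status["sealed"]:
            break
        status = http("PUT", "/v1/sys/unseal", {"key": share})
    if status["sealed"]:
        raise RuntimeError(f"still sealed: {status['progress']}/{status['t']} shares accepted")
    return status


def approle_token(role_id, secret_id, http=vault_http):
    """Log in with AppRole after (re)unsealing instead of trusting a token cached in the env."""
    auth = http("POST", "/v1/auth/approle/login", {"role_id": role_id, "secret_id": secret_id})
    return auth["auth"]["client_token"]


class FakeVault:
    """Constructed in-memory stand-in for the HTTP API so the flow can be run offline."""
    def __init__(self, threshold=2, shares=3):
        self.sealed, self.t, self.n, self.progress = True, threshold, shares, 0

    def __call__(self, method, path, body=None):
        if path == "/v1/sys/unseal":
            self.progress += 1
            if self.progress >= self.t:          # threshold reached: vault opens, progress resets
                self.sealed, self.progress = False, 0
        elif path == "/v1/auth/approle/login":
            if self.sealed:
                raise RuntimeError("503 Vault is sealed")
            return {"auth": {"client_token": "hvs.constructed-" + body["role_id"]}}
        return {"sealed": self.sealed, "t": self.t, "n": self.n, "progress": self.progress}
```

Run against the real container by dropping the http= argument and passing the key shares from wherever you keep them (never from the compose file itself).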