Tags: docker, hashicorp-vault

Authenticating Vault inside a script in your container


This is clearly a dumb question, as I can't find the answer, but I'm confused about HashiCorp Vault and the way you get the secrets.

Part of the idea of Vault is that you can store your secrets in there and you don't need to stick a bunch of sensitive things in environment variables which are inspectable.

Assuming you have a Vault service running somewhere with some secrets in it and you need to use a token to authenticate against Vault to get your secrets in your script inside your docker container, how does the token get in there? Surely if you use an environment variable, that defeats the point as someone could just take the token. Do you mount a volume with it in? Or something more inventive?


Solution

  • Some things to consider, in no particular order:

    • Yes, if an attacker can inspect attributes of a running application, they can likely read any secrets it has. It is quite difficult to create an application that is secure in the face of an attacker that has sufficient access to be able to poke around in the application itself.
    • If an env var holds a token, that isn't a directly usable secret - the attacker then needs to use it to retrieve the actual secret from Vault. While this is achievable, it does present an extra step of difficulty.
    • A token can be created with a limited lifetime, so that after some period, it is no longer possible to use it to retrieve a secret from Vault.
    • A token can also be created with a limited number of uses (e.g., one). That means that as soon as the application has used it to retrieve a secret, the token is no longer usable.
    • Vault supports authentication mechanisms other than raw tokens. For example, as mentioned by @davidmaze in a comment, if the application is running under Kubernetes then you could have Vault set up to authenticate with the k8s ServiceAccount (no direct token required).
    • An attacker having shell access in a container is not the only vector to protect from. Just keeping secrets out of source code (and especially source control) is a very important thing to do.
    • Simple key/values are not the only kind of secrets Vault can manage. It can also auto-generate access tokens for AWS and credentials for Postgres, among many other features.

    Regarding your direct question, "how does the token get in there?", there are a variety of ways it can be done. Simply replacing the environment variable is one option, but it could also be mounted in a volume, passed as a parameter, provided with an API call, pulled from a database, or any other means that you can dream up. It all depends on your deployment process, threat model, risk assessment, application details, whether you can make use of one of the other authentication mechanisms, etc.
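The following entrypoint script is an added example, not part of the answer above, showing two of the patterns it describes side by side: reading a short-lived, single-use token from a mounted file (refusing it if the file is readable by other users, and deleting it once read so the token lives only in process memory), and, when a Kubernetes service-account JWT is present, skipping the injected token entirely by logging in through Vault's kubernetes auth method. The Vault token is never placed in the environment or on a command line (curl reads the header from stdin via `-K -`). The address `vault.internal:8200`, the token path `/vault/token`, the role name `my-app`, the KV path `my-app/db` and the handoff path `/run/secrets/db_password` are all assumptions for illustration; `curl` and `jq` are assumed to be in the image.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed values are marked.
set -eu

VAULT_ADDR="${VAULT_ADDR:-http://vault.internal:8200}"          # assumed address
SA_JWT_PATH="/var/run/secrets/kubernetes.io/serviceaccount/token" # standard k8s projected token path

# Refuse token files that other users could read: a token in a group- or
# world-readable file is no better protected than an environment variable.
check_token_file_mode() {
    # GNU stat uses -c '%a'; BSD/macOS stat uses -f '%Lp'
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        400|600) return 0 ;;
        *) echo "token file $1 has mode $mode, expected 400 or 600" >&2; return 1 ;;
    esac
}

# Read a single-use token from a mounted (ideally tmpfs) file, then remove
# the file so the token exists only in this process afterwards.
load_token_from_file() {
    file="$1"
    [ -f "$file" ] || { echo "no token file at $file" >&2; return 1; }
    check_token_file_mode "$file" || return 1
    token=$(cat "$file")
    rm -f "$file"
    [ -n "$token" ] || { echo "token file $file was empty" >&2; return 1; }
    printf '%s' "$token"
}

# Kubernetes auth method: exchange the pod's service-account JWT for a Vault
# token, so nothing has to be injected into the container at all.
# Assumes a role (here "my-app") is configured on Vault's kubernetes backend.
login_with_kubernetes() {
    role="$1"
    jwt=$(cat "$SA_JWT_PATH")
    printf '{"role":"%s","jwt":"%s"}' "$role" "$jwt" |
        curl -sSf -X POST --data-binary @- "$VAULT_ADDR/v1/auth/kubernetes/login" |
        jq -r '.auth.client_token'
}

# Read one field of a KV v2 secret. The token reaches curl as a config line on
# stdin, so it never appears in argv (/proc/<pid>/cmdline) or the environment.
fetch_kv_secret() {
    token="$1"; path="$2"; field="$3"
    printf 'header = "X-Vault-Token: %s"\n' "$token" |
        curl -sSf -K - "$VAULT_ADDR/v1/secret/data/$path" |
        jq -r --arg f "$field" '.data.data[$f]'
}

# Entry point: only runs when invoked as "entrypoint.sh run".
case "${1:-}" in
    run)
        if [ -r "$SA_JWT_PATH" ]; then
            VAULT_TOKEN=$(login_with_kubernetes "my-app")          # assumed role
        else
            VAULT_TOKEN=$(load_token_from_file /vault/token)        # assumed mount path
        fi
        DB_PASSWORD=$(fetch_kv_secret "$VAULT_TOKEN" "my-app/db" "password") # assumed KV path
        unset VAULT_TOKEN
        # Hand the application only the secret it needs, via a private file
        # rather than its environment (assumed path).
        umask 077
        mkdir -p /run/secrets
        printf '%s' "$DB_PASSWORD" > /run/secrets/db_password
        unset DB_PASSWORD
        exec /app/server                                             # assumed binary
        ;;
esac
```

Pairing `load_token_from_file` with a token issued `-use-limit=1` and a short `-ttl` gives the property the answer describes: once the script has read the file and spent the token, neither the file nor the token is of further use to anyone who later inspects the container.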