Docker Community Forums


Docker and Azure Key Vault

Hi all,

We’re currently using docker (no K8s, Swarm etc., just docker-compose) to run some containers. This is still in its infancy for us, and we will look at orchestration in the future. As a prerequisite for this, we need to move to a secrets management solution. Currently, we just pass in things via an environment file:

```yaml
...
        env_file: /etc/docker/filename.env
        networks:
            macvlan1103:
...
```

This works fine, but obviously isn’t ideal.

Now, we’d like to use Azure Key Vault if possible, but I can’t see anything that suggests how you use Key Vault and docker-compose. I can see various guides on using Key Vault with Azure containers, but not our own on-premise containers.

Is this something that:

  • a) is even possible?
  • b) how would we do it / what’s the syntax?

I’ve found this example for Hashicorp’s Vault, but nothing for Azure’s.

```yaml
environment:
  - VAULT_ADDR=http://localhost:8200
  - VAULT_API_ADDR=http://0.0.0.0:8200
  - SKIP_SETCAP=true
  - SKIP_CHOWN=true
```

Thanks,
Joe

My current solution is to use an environment variable with the access token.

Get the key and store in environment variable (after you did an az login and set the correct subscription):

```powershell
$Env:ACCESS_TOKEN=(az account get-access-token --resource=https://vault.azure.net | ConvertFrom-Json).accessToken
```

Then we add that environment variable in Visual Studio.

Change the code to:

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureKeyVault;

// Inside ConfigureAppConfiguration((context, config) => { ... })
config.AddEnvironmentVariables();
var builtConfig = config.Build();   // needed to read KeyVaultName below

KeyVaultClient keyVaultClient;
var accessToken = Environment.GetEnvironmentVariable("ACCESS_TOKEN");

if (accessToken != null)
{
    // On-premises container: use the token handed in through the environment.
    keyVaultClient = new KeyVaultClient(
        (string authority, string resource, string scope) => Task.FromResult(accessToken));
}
else
{
    // Running in Azure: let managed identity / developer credentials supply the token.
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    keyVaultClient = new KeyVaultClient(
        new KeyVaultClient.AuthenticationCallback(
            azureServiceTokenProvider.KeyVaultTokenCallback));
}

config.AddAzureKeyVault(
    $"https://{builtConfig["KeyVaultName"]}.vault.azure.net/",
    keyVaultClient,
    new DefaultKeyVaultSecretManager());
```
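The approach in the answer above passes a short-lived Azure AD bearer token into the container as `ACCESS_TOKEN`. The script below is an added example, not code from the forum posts: it fetches that token with the Azure CLI, checks that it is actually a Key Vault token (audience `https://vault.azure.net`) that has not expired, and writes it together with `KeyVaultName` into the file your compose service's `env_file:` points at, created with mode 0600 so the token never sits in shell history or a world-readable file. `--query` and `-o tsv` are standard `az` options; `VAULT_NAME`, the env-file path and the `demo_token` helper (an unsigned token built only so the checks can be exercised offline) are assumptions for the example.

```bash
#!/usr/bin/env bash
# Added example: hand a short-lived Key Vault token to an on-premises
# docker-compose service through a 0600 env file. Not from the forum posts.
set -eu

# Hypothetical names; adjust to your project.
VAULT_NAME="${VAULT_NAME:-example-vault}"
ENV_FILE="${ENV_FILE:-/etc/docker/filename.env}"   # the service's env_file: path
KEYVAULT_AUDIENCE="https://vault.azure.net"

b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }

# Constructed, unsigned token for offline demonstration only (no signature).
demo_token() {
  local hdr pay
  hdr=$(printf '%s' '{"alg":"none","typ":"JWT"}' | b64url)
  pay=$(printf '%s' "$1" | b64url)
  printf '%s.%s.' "$hdr" "$pay"
}

# jwt_claim TOKEN CLAIM -> prints the claim value from the JWT payload.
# Reads aud/exp only; it does not (and cannot) verify the signature.
jwt_claim() {
  local payload
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#payload} % 4 )) in   # restore padding stripped by base64url
    2) payload="$payload==" ;;
    3) payload="$payload=" ;;
  esac
  printf '%s' "$payload" | base64 -d 2>/dev/null \
    | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# Returns 0 when the token is for Key Vault and valid for at least another minute.
token_is_valid_for_vault() {
  local tok="$1" aud exp now
  aud=$(jwt_claim "$tok" aud)
  exp=$(jwt_claim "$tok" exp)
  now=$(date +%s)
  [ "$aud" = "$KEYVAULT_AUDIENCE" ] || return 1
  case "$exp" in ''|*[!0-9]*) return 1 ;; esac
  [ "$exp" -gt $(( now + 60 )) ]
}

# Write ACCESS_TOKEN and KeyVaultName to a file readable only by the owner.
write_env_file() {
  local token="$1" vault="$2" path="$3"
  ( umask 077; printf 'ACCESS_TOKEN=%s\nKeyVaultName=%s\n' "$token" "$vault" > "$path" )
}

main() {
  local token
  # Requires a prior 'az login'; the token is typically valid for about an hour.
  token=$(az account get-access-token --resource "$KEYVAULT_AUDIENCE" \
            --query accessToken -o tsv)
  token_is_valid_for_vault "$token" || {
    echo "not a usable Key Vault token (wrong audience or expired)" >&2; exit 1; }
  write_env_file "$token" "$VAULT_NAME" "$ENV_FILE"
  docker compose up -d   # the service's env_file: now carries ACCESS_TOKEN
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `./keyvault-token.sh --run` from the directory holding the compose file. Because the token expires, the container's Key Vault access stops roughly an hour later; the `AzureServiceTokenProvider` fallback in the answer's C# code only applies when the container runs in Azure with a managed identity, so on-premises you re-run this script (or schedule it) before the token expires.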