With my current Vault docker compose file, I'm not able to log in with the token I've set as part of my docker compose file. When the Vault container starts up, it provides its own root token to authenticate to the Vault server. This keeps changing whenever we bring up a new container, and the developer has to note it down from the console every time and use that token to log in to Vault.
Instead of that, I want to set it as part of the docker compose file. How can I do that?
Please find my docker compose file below:
version: '3'
services:
  myvault:
    image: vault
    container_name: myvault
    ports:
      - "192.168.99.100:8200:8200"
    environment:
      VAULT_SERVER: "http://192.168.99.100:8200"
      TOKEN: mysuper-secret-vault-token
    volumes:
      - ./file:/vault/file:rw
      - ./config:/vault/config:rw
    cap_add:
      - IPC_LOCK
Using the Vault CLI, tokens are created by running the command vault token create.
Launch a web browser, and enter http://127.0.0.1:8200/ui in the address. The Vault server is uninitialized and sealed. Before continuing, the server's storage backend requires starting a cluster or joining a cluster.
First of all, the root token should not be used for authentication, for security reasons, as it can do anything.
The Vault team recommends that root tokens are only used for just enough initial setup (usually, setting up auth methods and policies necessary to allow administrators to acquire more limited tokens) or in emergencies, and are revoked immediately after they are no longer needed. If a new root token is needed, the operator generate-root command and associated API endpoint can be used to generate one on-the-fly.
Now, regarding root token creation, from the Vault documentation:
There are only three ways to create root tokens:
- The initial root token generated at vault init time -- this token has no expiration
- By using another root token; a root token with an expiration cannot create a root token that never expires
- By using vault operator generate-root (example) with the permission of a quorum of unseal key holders
For your case, you may consider using some other auth methods instead of token authentication, for example, the Userpass auth method.
Userpass auth will allow you to set up the same username/password pair for the same user role. You may create a script that enables this auth mechanism and sets up users for each initial setup of your server.
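A bootstrap script of the kind the answer suggests, added here as an example (not from the original post or from HashiCorp): it enables userpass, writes a limited policy and creates one developer user through Vault's HTTP API, and skips the enable step when userpass/ is already mounted so it can be re-run after every container start. It assumes the Vault address and root token arrive in VAULT_ADDR and VAULT_TOKEN, the password in DEV_PASSWORD, and a KV v2 engine at secret/ (the dev server's default); the user name, policy name and policy body are constructed.

```python
import json
import os
import urllib.error
import urllib.request

# Constructed policy: read-only access under secret/dev/ (assumes a KV v2
# engine mounted at secret/, which a Vault dev server provides by default).
DEV_POLICY_HCL = 'path "secret/data/dev/*" { capabilities = ["read", "list"] }'

def bootstrap_plan(username, password, policy_name="dev-readonly"):
    """Ordered (method, path, body) calls: enable userpass, write policy, add user."""
    return [
        ("POST", "sys/auth/userpass", {"type": "userpass"}),
        ("PUT", f"sys/policies/acl/{policy_name}", {"policy": DEV_POLICY_HCL}),
        ("POST", f"auth/userpass/users/{username}",
         {"password": password, "token_policies": policy_name}),
    ]

def vault_call(addr, token, method, path, body=None):
    """One Vault HTTP API request; returns (status, parsed JSON or {})."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{addr}/v1/{path}", data=data, method=method,
                                 headers={"X-Vault-Token": token,
                                          "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:  # Vault sends JSON error bodies
        return err.code, json.loads(err.read() or b"{}")

def userpass_enabled(addr, token):
    """True if userpass/ is already mounted; enabling it twice yields HTTP 400."""
    status, mounts = vault_call(addr, token, "GET", "sys/auth")
    return status == 200 and "userpass/" in mounts.get("data", mounts)

def bootstrap(addr, root_token, username, password):
    """Idempotent first-time setup; safe to re-run after every `compose up`."""
    steps = bootstrap_plan(username, password)
    if userpass_enabled(addr, root_token):
        steps = steps[1:]  # policy and user writes are upserts, so keep them
    for method, path, body in steps:
        status, out = vault_call(addr, root_token, method, path, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> {status}: {out.get('errors')}")

if __name__ == "__main__":
    bootstrap(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"],
              os.environ.get("DEV_USER", "developer"), os.environ["DEV_PASSWORD"])
```

The root token is used only by this script; afterwards developers log in with `vault login -method=userpass username=developer` and receive a token limited to the dev-readonly policy.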