Docker Image

Docker Secrets Management

Features

• Pass secret credentials from the Keeper Vault to Docker images

• Build Docker Images with secret credentials from the Keeper Vault using build arguments

• Copy files from the Keeper vault into Docker containers

Prerequisites

This page documents the Secrets Manager Docker Image b Actions integration. In order to utilize this integration, you will need:

• Keeper Secrets Manager access (See the for more details)

  • Secrets Manager addon enabled for your Keeper account

  • Membership in a Role with the Secrets Manager enforcement policy enabled

About

The Secrets Manager CLI can be used to pull secrets from a Docker image at runtime, or it can be used by building it into the docker image. Several use cases are described in this document.

Example 1: Build an Image with Secrets using BuildKit

Secrets from the Keeper Vault can be built into a Docker container using . As of Docker 18.09 or later, image building supports the ability to pass secrets in via a mounted file system. As a simple example demonstrating this capability, we will be creating a user account in the destination image with a username and password from Keeper Secrets Manager.

Step 1: Set Environmental Variables with Keeper notation for the secrets that are needed. For more notation examples .

Step 2: Using the ksm exec command, the Docker build is created with the 2 secrets (login and password). The --secret parameters will pull values from the environmental variables that have been substituted with Keeper secrets.

Step 3: In the dockerfile, we will create a linux user account using useradd and then set the password with chpasswd. The Docker file is below:

In this example, each secret is mounted as a file. The 'dst' value specifies where you want to temporarily store the secret. Once the RUN command is finished, the temporary file will be removed and unmounted. You can either pass the file name as an argument or in this case we are using cat $(/path/to/secret) to read the file contents into a variable.

Example 2: Build an Image with Secrets using Build Arguments

Similar to example 1, you can pass in secrets via the --build-arg. This example will also demonstrate the ability of using secrets in a Docker build process.

Step 1: Set Environmental Variables with Keeper notation for the secrets that are needed. For more notation examples .

Step 2: Using the ksm exec command, the Docker build is created with the 2 secrets (login and password). The flag --inline processes the replacement of secrets. For example:

Step 3: In the dockerfile, we will create a linux user account using useradd and then set the password with chpasswd. The Docker file is below:

​To prevent secrets being sent to stdout from the printenv command, use the --null option to remove the line feed.

Example 3: Using docker-compose to Build an Image with Secrets

In this example, we will use docker-compose to build an image. Docker-compose cannot populate build args from environment variables. To replace notation with secret values, the build args need to be set via the command line. Since the notation will be on the command line, the --inline replacement flag needs to be set.

Step 1: Create a simple docker-compose.yaml file:

Step 2: Using the ksm exec command, the Docker build is created with the 2 secrets (login and password). The flag --inline processes the replacement of secrets. For example:

Step 3: In the dockerfile, we will create a linux user account using useradd and then set the password with chpasswd. The Docker file is below:

​To prevent secrets being sent to stdout from the printenv command, use the --null option to remove the line feed.

Example 4: Copy files from vault to Docker Image

In this real world example, we copy an SSL certificate and passphrase from the Keeper Vault to a Tomcat container.

By default, the official Tomcat docker contains a default server configuration that does not have SSL enabled. We are going build a custom image that installs our server.xml, copies over the keystore file, and enables SSL. The server.xml file also contains the secret passphrase for the keystore file.

Step 1: Create a Keeper Secret Record

In the Keeper Vault, create a secret record that contains 2 file attachments: server.xml and localhost-rsa.jks as seen below:

Make note of the Record UID in the information dialog which will be used in the dockerfile. Click the Record UID to copy to your clipboard.

Step 2: Create the dockerfile

The below dockerfile example copies the server.xml and keystore files from the vault into the Tomcat folder.

Note that in this use case, ksm is no longer needed after the build, so it is deleted.

Step 3: Create a shell script to execute the docker build

To execute the docker build the below script will pass in the Secrets Manager device configuration and Record UID that contains the secret files.

When the docker image is built, it will be fully configured with SSL, keystore file and passphrase that are managed by the Keeper Vault. 😃😃😃

Integration with Docker Compose

Keeper Secrets Manager supports direct integration with Docker Compose using the KSM Writer Docker image.

Learn more about the KSM Writer Docker image .

Contribute to the Docker Image Examples

If you have some great examples to contribute to this page, please ping us on Slack or email [email protected].