rahoogan/dsv

By rahoogan

Updated 8 months ago

Mount secrets from remote secrets managers into docker volumes


Docker Secrets Volume Plugin

An extensible docker volume plugin to manage remote secrets. Enables secrets to be mounted as volumes into containers.

Currently works with AWS Secrets Manager.

1. Installation

Install from Docker Hub using Docker's managed plugin system:

docker plugin install --alias dsv rahoogan/dsv

2. Configure

Configure the plugin with your AWS credentials. Settings can only be changed while the plugin is disabled, and the plugin is referred to by the dsv alias set at install time:

docker plugin disable dsv

docker plugin set dsv AWS_ACCESS_KEY_ID="YOUR AWS KEY"
docker plugin set dsv AWS_SECRET_ACCESS_KEY="YOUR AWS SECRET"
docker plugin set dsv AWS_REGION="us-east-2"
# Optional - if using localstack for example
docker plugin set dsv AWS_ENDPOINT_URL="http://172.17.0.2:4566"
# Optional - to enable debug logging
docker plugin set dsv DEBUG=1

docker plugin enable dsv

3. Run it!

# Create a secret in secrets manager
$ aws secretsmanager create-secret --name mysecret --secret-string "dontlookatme!"

# Mount the secret as a volume in a container
$ docker run --rm --volume-driver dsv -v mysecret:/run/secrets/hello ubuntu cat /run/secrets/hello
dontlookatme!

# Alternatively, you could also use the --mount option
$ docker run --rm --mount type=volume,volume-driver=dsv,src=mysecret,target=/run/secrets/mysecret ubuntu cat /run/secrets/mysecret
dontlookatme!

4. Security

DON'T USE THIS ON A SHARED SYSTEM!

The secrets managed by the plugin are stored in a Docker-managed container, so anyone who can run docker commands can see your secrets.

Also, it’s trivial to just inspect the plugin to get the stored AWS credentials:

docker plugin inspect dsv -f "{{ .Settings.Env }}"
[DEBUG=1 AWS_ACCESS_KEY_ID=<YOUR_AWS_KEY> AWS_SECRET_ACCESS_KEY=<YOUR_AWS_SECRET> AWS_REGION=us-east-2 AWS_ENDPOINT_URL=http://172.17.0.2:4566]

So yeah, just make sure you use this on a development or local machine where only you have access, or where docker access is managed via an authorization plugin.
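A defender-side check for the exposure described above, as an added example that is not part of the plugin's own code: it reports the names (never the values) of populated credential-like settings that docker plugin inspect reveals for each installed plugin. The name pattern, the function names and the sample line are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the dsv project): report which plugin settings
# expose credential-like variables through `docker plugin inspect`.

# Assumption: variable names matching this pattern hold secrets. Extend as needed.
SENSITIVE_RE='(SECRET|PASSWORD|PASSWD|TOKEN|ACCESS_KEY|API_KEY|PRIVATE_KEY)'

# Constructed sample in the format shown above; the values are placeholders.
SAMPLE_ENV='[DEBUG=1 AWS_ACCESS_KEY_ID=EXAMPLEKEYID AWS_SECRET_ACCESS_KEY=example-not-real AWS_REGION=us-east-2 AWS_ENDPOINT_URL=http://172.17.0.2:4566]'

# sensitive_env_names ENV_LINE
# ENV_LINE is the "[K1=v1 K2=v2 ...]" text printed by
#   docker plugin inspect NAME -f '{{ .Settings.Env }}'
# Prints the NAMES of populated credential-like variables, one per line.
# Values are never printed. Runs in a subshell so `set -f` stays local.
sensitive_env_names() (
    set -f                          # no globbing while splitting on spaces
    line=${1#\[}
    line=${line%\]}
    for pair in $line; do
        case $pair in
            *=*) name=${pair%%=*}; value=${pair#*=} ;;
            *)   continue ;;        # tail of a value that contained spaces
        esac
        [ -n "$value" ] || continue # unset setting, nothing exposed
        if printf '%s\n' "$name" | grep -Eq "$SENSITIVE_RE"; then
            printf '%s\n' "$name"
        fi
    done
)

# audit_plugins: run the check against every plugin installed on this host.
audit_plugins() {
    docker plugin ls --format '{{.Name}}' | while read -r plugin; do
        env_line=$(docker plugin inspect "$plugin" -f '{{ .Settings.Env }}')
        sensitive_env_names "$env_line" | while read -r name; do
            printf '%s: %s is readable by any docker user\n' "$plugin" "$name"
        done
    done
}

# Usage: sh audit.sh --audit   (needs access to the Docker daemon)
if [ "${1:-}" = "--audit" ]; then
    audit_plugins
fi
```

Any name it reports is a credential to move out of plugin settings or to rotate if the host is shared.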
