rahoogan/dsv
Mount secrets from remote secrets managers into docker volumes
An extensible docker volume plugin to manage remote secrets. Enables secrets to be mounted as volumes into containers.
Currently works with AWS Secrets Manager.
Install from dockerhub using the managed docker plugin system:
docker plugin install --alias dsv rahoogan/dsv
Configure the plugin with your AWS credentials:
docker plugin disable rahoogan/dsv
docker plugin set rahoogan/dsv AWS_ACCESS_KEY_ID="YOUR AWS KEY"
docker plugin set rahoogan/dsv AWS_SECRET_ACCESS_KEY="YOUR AWS SECRET"
docker plugin set rahoogan/dsv AWS_REGION="us-east-2"
# Optional - if using localstack for example
docker plugin set rahoogan/dsv AWS_ENDPOINT_URL="http://172.17.0.2:4566"
# Optional - to enable debug logging
docker plugin set rahoogan/dsv DEBUG=1
docker plugin enable rahoogan/dsv
# Create a secret in secrets manager
$ aws secretsmanager create-secret --name mysecret --secret-string "dontlookatme!"
# Mount the secret as a volume in a container
$ docker run --rm --volume-driver dsv -v mysecret:/run/secrets/hello ubuntu cat /run/secrets/hello
dontlookatme!
# Alternatively, you could also use the --mount option
$ docker run --rm --mount type=volume,volume-driver=dsv,src=mysecret,target=/run/secrets/mysecret ubuntu cat /run/secrets/mysecret
dontlookatme!
DON'T USE THIS ON A SHARED SYSTEM!
The secrets managed by the plugin are stored on a docker managed container, so anyone who can run docker commands can see your secrets.
Also, it’s trivial to just inspect the plugin to get the stored AWS credentials:
docker plugin inspect dsv -f "{{ .Settings.Env }}"
[DEBUG=1 AWS_ACCESS_KEY_ID=<YOUR_AWS_KEY> AWS_SECRET_ACCESS_KEY=<YOUR_AWS_SECRET> AWS_REGION=us-east-2 AWS_ENDPOINT_URL=http://172.17.0.2:4566]
So yeah, just make sure you use this on a development or local machine where only you have access, or where docker access is managed via an authorization plugin.
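The inspect command above is the check worth automating before this plugin goes anywhere near a shared host. The following is an added example, not code from the dsv project: it parses the JSON that `docker plugin inspect` emits, flags any `Settings.Env` entry whose name looks credential-bearing, and redacts the values in its report. The sample JSON is constructed to mirror the output shown above, with the same placeholder credentials; `audit_installed_plugins` is a hypothetical helper that feeds it real `docker` output.

```python
import json
import subprocess
from typing import Dict, List

# Constructed sample modelled on `docker plugin inspect dsv` output.
# The credential values are the README's placeholders, not real keys.
SAMPLE_INSPECT = json.dumps([{
    "Name": "dsv:latest",
    "Enabled": True,
    "Settings": {"Env": [
        "DEBUG=1",
        "AWS_ACCESS_KEY_ID=<YOUR_AWS_KEY>",
        "AWS_SECRET_ACCESS_KEY=<YOUR_AWS_SECRET>",
        "AWS_REGION=us-east-2",
        "AWS_ENDPOINT_URL=http://172.17.0.2:4566",
    ]},
}])

# Substrings in an env variable name that mark it as a credential.
SENSITIVE_MARKERS = ("SECRET", "PASSWORD", "TOKEN", "ACCESS_KEY")


def redact(value: str) -> str:
    """Keep a short prefix so a finding is identifiable without leaking the value."""
    return value[:4] + "..." if len(value) > 4 else "..."


def find_exposed_settings(inspect_json: str) -> List[Dict[str, str]]:
    """Return one finding per credential-looking, non-empty Settings.Env entry."""
    findings = []
    for plugin in json.loads(inspect_json):
        for entry in plugin.get("Settings", {}).get("Env", []):
            key, sep, value = entry.partition("=")
            if not sep or not value:
                continue  # variable declared but never set: nothing exposed
            if any(marker in key.upper() for marker in SENSITIVE_MARKERS):
                findings.append({"plugin": plugin.get("Name", "?"),
                                 "key": key, "value": redact(value)})
    return findings


def audit_installed_plugins() -> List[Dict[str, str]]:
    """Hypothetical helper: inspect every installed plugin on this host."""
    ids = subprocess.run(["docker", "plugin", "ls", "-q"], capture_output=True,
                         text=True, check=True).stdout.split()
    if not ids:
        return []
    out = subprocess.run(["docker", "plugin", "inspect", *ids], capture_output=True,
                         text=True, check=True).stdout
    return find_exposed_settings(out)


if __name__ == "__main__":
    for f in find_exposed_settings(SAMPLE_INSPECT):
        print(f"{f['plugin']}: {f['key']}={f['value']} is readable by any docker user")
```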