Reputation: 151
I have the following docker-compose for Vault
    vault:
      container_name: vault
      hostname: vault
      image: vault:1.0.0
      restart: always
      ports:
        - "8200:8200"
      cap_add:
        - IPC_LOCK
      environment:
        VAULT_ADDR: http://127.0.0.1:8200
        VAULT_DEV_ROOT_TOKEN_ID: my_token
I can connect to it using the hvac Python client like so:

    import hvac

    hvac.Client(url='http://localhost:8200', token='my_token')
However, I'd like to connect using a username and password. My question is, how can I spin up the Vault Docker container with userpass enabled and some user I can then use?
Basically, I would like to get this working:

    hvac_client = hvac.Client(url="http://localhost:8200")
    hvac_client.auth_userpass(username="myusername", password="mypassword")
These are the commands I should(?) run somehow using docker-compose after the image spins up:

    vault auth enable userpass
    vault write auth/userpass/users/myusername password=mypassword policies=vault-quickstart-policy

But I'm not sure how. This is the official image I am using: https://github.com/hashicorp/docker-vault
Upvotes: 1
Views: 1066
Reputation: 432
In case it is for integration testing, it's ok to do it with a provision script that uses vault cli.
You can run it after your container has started.
Use the healthcheck of your container or its status to know if it has started, then run a docker exec command or an exec statement in your docker-compose file to run your script that will do the necessary to activate your authentication method.
Upvotes: 0
Reputation: 9075
This is a large subject to cover. You have to be careful not to leak passwords in any config you write.
This post explains a way to provision Vault and has a handy GitHub repo behind it to fork and configure.
This post discusses techniques for capturing your Vault policies and configurations in source control, providing repeatable workflows, continuous integration of policy testing, and much more.
Upvotes: 1
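The provisioning step described in the two answers above, as an added example that is not code from the original posts or from the Vault project: it waits for the dev server, enables userpass only when it is not mounted yet, and passes the password over stdin so it never appears in argv or in a config file. The names `CONTAINER`, `VAULT_USER`, `VAULT_PASSWORD`, `VAULT_POLICY` and `RETRY_DELAY` are assumptions of this script, and the policy is assumed to exist already.

```shell
#!/bin/sh
# Added example: provision userpass in the dev-mode Vault container from the question.
# CONTAINER, VAULT_USER, VAULT_PASSWORD, VAULT_POLICY, RETRY_DELAY are this script's own names.
set -eu

CONTAINER="${CONTAINER:-vault}"                          # container_name in the compose file
VAULT_POLICY="${VAULT_POLICY:-vault-quickstart-policy}"  # assumed to exist already

# Run the vault CLI inside the container. The token is read from the container's
# own VAULT_DEV_ROOT_TOKEN_ID, so it is not passed on the host command line.
in_vault() {
    docker exec -i "$CONTAINER" \
        sh -c 'VAULT_TOKEN="$VAULT_DEV_ROOT_TOKEN_ID" vault "$@"' vault "$@"
}

# Poll until `vault status` exits 0 (reachable and unsealed) or retries run out.
wait_for_vault() {
    tries="${1:-30}"
    while [ "$tries" -gt 0 ]; do
        if in_vault status </dev/null >/dev/null 2>&1; then return 0; fi
        tries=$((tries - 1))
        sleep "${RETRY_DELAY:-1}"
    done
    echo "vault did not become ready" >&2
    return 1
}

provision() {
    : "${VAULT_USER:?set VAULT_USER}" "${VAULT_PASSWORD:?set VAULT_PASSWORD}"
    wait_for_vault
    # Dev mode keeps state in memory, so this runs after every restart;
    # skipping an existing mount keeps reruns from failing.
    if ! in_vault auth list </dev/null | grep -q '^userpass/'; then
        in_vault auth enable userpass </dev/null
    fi
    # password=- tells the CLI to read the value from stdin instead of argv.
    printf '%s' "$VAULT_PASSWORD" |
        in_vault write "auth/userpass/users/$VAULT_USER" password=- "policies=$VAULT_POLICY"
}

# Provision only when invoked with "run", e.g. `sh provision.sh run`
# (the file name is hypothetical), so the file can also be sourced.
if [ "${1:-}" = "run" ]; then provision; fi
```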