Forum Discussion

skunkwerks
New Member
6 hours ago

1password as a podman secrets backend

Work uses podman for running containers. Podman provides a secrets API for ... storing secrets.

It is written in Go, and has a pluggable backend for secrets, although today it only ships with:

  • file
  • shell
  • gpg

We'd love to have a 1Password-enabled podman secrets backend as well.

Usage

Assume we are running multiple containers, A, B, C, each with its own 1Password Service Account and its corresponding token. Each secret that a given container wishes to access is defined via:

podman secret create --driver 1password \
  --driver-opts path=op://myVault/someItem/theKey,token=OP_SERVICE_ACCOUNT_TOKEN \
  THE_KEY - < /dev/null

Note that because we are relying on 1Password, the secret is not directly specified here, so just pass /dev/null in, if podman absolutely requires some input.

The container is then defined:

podman create ... --secret THE_KEY,type=env ...

At runtime, each time the container is (re)started, 1Password is used to fetch the THE_KEY secret, and podman will need the `OP_SERVICE_ACCOUNT_TOKEN` in the system environment to perform the fetch.

References

  • https://www.redhat.com/en/blog/podman-kubernetes-secrets
  • https://github.com/containers/podman/discussions/24186
  • https://www.redhat.com/en/blog/new-podman-secrets-comman
  • https://developer.1password.com/docs/service-accounts
  • https://docs.podman.io/en/latest/markdown/podman-secret-create.1.html
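An added sketch of what the proposed driver could look like in Go (example code, not part of the post or of podman). The Store/Lookup method shape is modelled on podman's pluggable secret-driver interface from memory and should be checked against containers/common; the Resolver hook is hypothetical, standing in for `op read` or the 1Password SDK, and the `path` and `token` driver-opts are the ones from the post.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Resolver fetches the value behind an op:// reference using a service-account
// token. Hypothetical hook: a real driver would run `op read` or use the SDK.
type Resolver func(ref, token string) ([]byte, error)

// OnePasswordDriver keeps only op:// references. The secret value is fetched on
// every Lookup (i.e. each container start) and never written to podman's store.
type OnePasswordDriver struct {
	resolve  Resolver
	path     string            // --driver-opts path=op://vault/item/field
	tokenVar string            // --driver-opts token=<env var holding the token>
	refs     map[string]string // secret ID -> op:// reference
}

// NewOnePasswordDriver validates the --driver-opts from the proposal.
func NewOnePasswordDriver(opts map[string]string, r Resolver) (*OnePasswordDriver, error) {
	if !strings.HasPrefix(opts["path"], "op://") {
		return nil, fmt.Errorf("driver-opts path must be an op:// reference, got %q", opts["path"])
	}
	return &OnePasswordDriver{resolve: r, path: opts["path"], tokenVar: opts["token"], refs: map[string]string{}}, nil
}

// Store ignores the data podman passes (the proposal feeds /dev/null) and
// records the reference only, so no secret material lands on disk.
func (d *OnePasswordDriver) Store(id string, _ []byte) error {
	d.refs[id] = d.path
	return nil
}

// Lookup is what podman would call when the container is (re)started. The token
// is read from the environment at that moment, so it is never persisted either.
func (d *OnePasswordDriver) Lookup(id string) ([]byte, error) {
	ref, ok := d.refs[id]
	if !ok {
		return nil, fmt.Errorf("no such secret %q", id)
	}
	token := os.Getenv(d.tokenVar)
	if token == "" {
		return nil, fmt.Errorf("%s is not set; cannot fetch %s", d.tokenVar, ref)
	}
	return d.resolve(ref, token)
}
```

Because Store discards its input and Lookup re-resolves on every call, rotating the item in 1Password or revoking the service account takes effect at the next container start without touching podman's secret store.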
