Forum Discussion
sethraymond
3 months ago, New Contributor
Feature Request - Access vault from inside docker container
Background: At our work, we spawn a Docker container that contains the tooling required to build our Yocto-based OS image. We want to pull a key from our shared 1Password vault and inject it into our...
1P_Phil
Moderator
3 months ago
Hi sethraymond,
Thanks for the request.
I'm curious, has the team explored using Service Accounts?
Service accounts let your container pull secrets directly from the vault in a non-interactive way. The CLI supports them out of the box, but so do the recently introduced SDKs.
Docs: https://developer.1password.com/docs/service-accounts/
SDKs: https://developer.1password.com/docs/sdks (Go, TS & Python)
Let me know if this works for you.
Thanks!
Phil & the 1Password team
- sethraymond, 3 months ago, New Contributor
Hi 1P_Phil, thanks for the quick reply! We do use a service account for our Jenkins integration. I'm not sure that a service account is appropriate for this use case, though. We'd have to give each of the developers either their own unique service account (not ideal), or we'd have to share the same service account token, which is also not ideal. Unless you're suggesting we build the service account token into our Docker image, which would be doable if we're extremely careful about doing that securely.
My preference would be to just be able to have developers authenticate as themselves as they go and pull secrets from the vault, but if you have a clearer picture as to how a service account could solve this problem, I'm all ears. I can also try to clarify the problem a bit more if that helps.
- Olen, 2 months ago, New Contributor
Could you use a service-account and add the token as a docker secret?
If you add the service-account password itself to 1Password, and give your developers access to it, the docker secret can be generated at build time by fetching the password from 1Password by the developer that builds it and added to the container on demand.
- sethraymond, 2 months ago, New Contributor
Our workflow is to have an image published to our internal Docker registry. Developers and our CI system pull the image down and run the container. My preference would be to not have a secret baked into the image, as we now have to deal with the extra headache of image security.
It would also mean that developers (outside of our team) who have access to the Docker registry but don't have a 1Password account would have "access" to 1Password. I'm not totally sure we want that loophole.
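Olen's suggestion above, adapted to the concern in this reply (nothing baked into the published image): the following is an added example, not code from the thread or from 1Password, of a developer-side wrapper that fetches the secret with the developer's own CLI session and hands it to the build container only at run time, through a read-only file mount rather than an environment variable or build argument. It assumes the developer has already signed in with `op signin`; the item reference `OP_REF`, the image name `BUILD_IMAGE` and the in-container path `SECRET_PATH` are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from 1Password). Pull a secret from
# 1Password as the signed-in developer and mount it into the build container
# at run time, so the image layers, `docker inspect` output and the container's
# environment never carry the value.
set -eu

OP_REF="${OP_REF:-op://Shared/yocto-signing-key/private-key}"                 # assumed item reference
BUILD_IMAGE="${BUILD_IMAGE:-registry.internal.example/yocto-builder:latest}"  # assumed image name
SECRET_PATH="${SECRET_PATH:-/run/secrets/yocto_key}"                          # assumed path the build scripts read

# Write a secret value to a 0600 file inside a fresh 0700 temp directory and
# print the file path. The umask change is confined to a subshell.
write_secret_file() {
    dir=$(mktemp -d)
    ( umask 077; printf '%s' "$1" > "$dir/secret" )
    printf '%s\n' "$dir/secret"
}

# Permission bits of a file, portable between GNU and BSD stat.
secret_file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Remove the temp directory holding the secret once the container has exited.
discard_secret_file() {
    rm -rf "$(dirname "$1")"
}

# Read the secret with the developer's own 1Password CLI session
# (`op read` is the 1Password CLI v2 command for a single field).
fetch_from_1password() {
    op read "$1"
}

# Run the build container with the secret bind-mounted read-only. The value
# never appears in the container's argv, environment or image layers.
run_build() {
    secret_file=$(write_secret_file "$(fetch_from_1password "$OP_REF")")
    trap 'discard_secret_file "$secret_file"' EXIT
    docker run --rm -it \
        --mount "type=bind,src=$secret_file,dst=$SECRET_PATH,readonly" \
        "$BUILD_IMAGE" "$@"
}

# Only start a build when invoked with a command, e.g.:
#   ./op-build.sh bitbake core-image-minimal
if [ "$#" -gt 0 ]; then
    run_build "$@"
fi
```

Because the secret is fetched by whoever runs the script, access is governed by that developer's own vault permissions; a registry user without a 1Password account gets an image that contains nothing to steal. The temp file still lives on the host disk for the duration of the build and is readable by anyone with root there, so on shared hosts a tmpfs-backed directory is the better home for it.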
- sethraymond, 2 months ago, New Contributor
Hi 1P_Phil, just wanted to follow up and see if there's something about your proposed service accounts that I'm not understanding properly.
- sethraymond, 2 months ago, New Contributor
1P_Phil bump