Setting up Hashicorp Vault with Docker

Sven Maschek
Nov 18, 2019

TL;DR This post is not about the concepts of Vault or how you can use the CLI, but is solely focused on getting a dockerized version of Hashicorp Vault up and running in a minute.

Let’s get straight to setting up a dockerized version of Vault that can be used for development.

Let’s start with creating the folder structure which we will mount later in Docker:

mkdir -p volumes/{config,file,logs}

Next, let’s create the vault.json file in the volumes/config folder with the following settings:

vault.json: Configuration for Vault Server

Here is a quick explanation of the above options:

  • We use the file storage backend for our development server, which will use the path /vault/file in our container. We will be mounting this to our volumes/file on our host machine via the docker-compose.yaml in a moment.
  • We configure a TCP listener on port 8200 for localhost and disable TLS. You can alternatively also specify 127.0.0.1:8200 as address here.

Last but not least let’s take care of the Docker compose file:

docker-compose.yaml: Vault Container Configuration

Here is a quick rundown of the most important configurations:

  • We expose port 8200 on the same port on our localhost, so we can reach the Vault API at http://localhost:8200 and the Web UI at http://localhost:8200/ui
  • We mount our previously created folders as volumes to the container, mapping every subfolder under volumes to the matching path under /vault
  • We set cap_add to IPC_LOCK which is required in order for Vault to lock memory. Please refer to the official documentation for further details: https://github.com/docker-library/docs/tree/master/vault
  • We set the entry point to run the vault server with the configuration specified at our mounted volume path /vault/config/vault.json which points to our config file from the previous step
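
The two files described in the steps above, written out by a small shell function as an added example. This is not the author's code from the article or the linked repository; the contents are reconstructed from the descriptions in the two lists. Assumptions: the function name `scaffold_vault_dev`, the image name `hashicorp/vault`, the `"ui": true` setting, the `0.0.0.0:8200` listener address inside the container, and publishing the port on `127.0.0.1` only.

```shell
#!/bin/sh
# Added example: writes the dev layout from the steps above into a directory.
# Contents are reconstructed from the article's description, not the author's files.
scaffold_vault_dev() {
    root="${1:-.}"   # hypothetical helper; target directory, default: current one
    # Same three folders as the article's mkdir, without bash brace expansion
    mkdir -p "$root/volumes/config" "$root/volumes/file" "$root/volumes/logs" || return 1

    # File storage at /vault/file, TCP listener on 8200 with TLS disabled.
    # Assumed: 0.0.0.0 inside the container so the published port can reach the
    # listener, and "ui": true so that /ui is served.
    cat > "$root/volumes/config/vault.json" <<'EOF' || return 1
{
  "storage": { "file": { "path": "/vault/file" } },
  "listener": {
    "tcp": { "address": "0.0.0.0:8200", "tls_disable": 1 }
  },
  "ui": true
}
EOF

    cat > "$root/docker-compose.yaml" <<'EOF' || return 1
version: "3"
services:
  vault:
    image: hashicorp/vault          # assumed image name; pin a tag you have vetted
    ports:
      # Published on the host's loopback only, so the TLS-less listener
      # is not reachable from other machines on the network.
      - "127.0.0.1:8200:8200"
    volumes:
      - ./volumes/config:/vault/config
      - ./volumes/file:/vault/file
      - ./volumes/logs:/vault/logs
    cap_add:
      - IPC_LOCK                    # lets Vault lock memory
    entrypoint: vault server -config=/vault/config/vault.json
EOF
}
```

Run `scaffold_vault_dev .` in an empty project directory to create the files there.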

Now we can start our Vault server by simply running:

docker-compose up

Now that we have our Vault server up and running, let’s connect to it. The straightforward way is to use the Web UI: simply navigate to http://localhost:8200/ui and you can use it without any further configuration.

While the Web UI is nice, we might want to use the Vault CLI. You can download it for your OS of choice from the Vault Website. Make sure that you have it installed in a location which is included in your PATH or that you add it to your PATH.
By default the CLI assumes that Vault is accessible at https://localhost:8200. Since our listener has TLS disabled, all we have to do is set the variable VAULT_ADDR to the http:// address of our exposed port. If you haven’t changed anything, you can do so by running the following command on macOS and Linux:

export VAULT_ADDR='http://localhost:8200'

If you are using Windows, run the following (note: DO NOT put the address in quotation marks):

setx VAULT_ADDR http://localhost:8200

With this in place you can run any other command from the Vault CLI.

I have created a GitHub repository which contains all the files from this article along with a convenience bash script to automate the first two steps: https://github.com/SMK1085/vault-docker-dev

This is an example which is only meant to be run on local machines for development purposes. Please follow the recommendations at the Vault Website to securely deploy a version for production.
