Injecting secrets: end-to-end example

This article presents a step-by-step guide for testing Prisma Cloud’s secret manager. You will set up HashiCorp Vault, store a secret in it, inject the secret into a running container, then validate that it can be seen from within the container.

Setting up Vault

Set up HashiCorp Vault in development mode.
  1. Unzip the package, then copy the vault executable to a directory in your PATH.
  2. Verify that vault is installed. Run the following command:
    $ vault -help
    Code copied to clipboard
    Unable to copy due to lack of browser support.
  3. Start Vault in development mode.
    $ vault server -dev -dev-listen-address='<VAULT_HOST_IPADDR>:8200' ==> WARNING: Dev mode is enabled! In this mode, Vault is completely in-memory and unsealed. Vault is configured to only have a single unseal key. The root token has already been authenticated with the CLI, so you can immediately begin using the Vault CLI. The only step you need to take is to set the following environment variables: export VAULT_ADDR='http://10.240.0.53:8200' The unseal key and root token are reproduced below in case you want to seal/unseal the Vault or play with authentication. Unseal Key: Hb0dBfYh3ieHRmf28ohu5xh0DKfmP4aNa8JS5/jNsWQ= Root Token: 29e3e12b-09b4-af6c-6e87-cbd9fbcb51bd
    Code copied to clipboard
    Unable to copy due to lack of browser support.

Storing a secret in HashiCorp Vault

Store a secret in Vault.
  1. Open a shell and ssh to the host running Vault.
  2. Set the Vault address in your environment.
    $ export VAULT_ADDR='http://<VAULT_HOST_IPADDR>:8200'
    Code copied to clipboard
    Unable to copy due to lack of browser support.
  3. Create a secret.
    For Vault 0.10 or later:
    vault kv put secret/mySecret1 "pass=1234567"
    Code copied to clipboard
    Unable to copy due to lack of browser support.
    For Vault 0.9.x or older:
    $ vault write secret/mySecret1 "pass=1234567"
    Code copied to clipboard
    Unable to copy due to lack of browser support.
  4. Read the secret back to validate it was properly stored.
    For Vault 0.10 or later:
    $ vault kv get secret/mySecret1
    Code copied to clipboard
    Unable to copy due to lack of browser support.
    For Vault 0.9.x or older:
    $ vault read secret/mySecret1
    Code copied to clipboard
    Unable to copy due to lack of browser support.

Integrating Prisma Cloud and Vault

Creating a rule in Console

Validating the secret is injected

Start a container and verify that your secret is properly injected.
+ The same procedure can be followed for injecting secrets in Kubernetes cluster. Make sure Kubernetes uses dockerd and Prisma Cloud runs in local socket mode.
Prerequisites:
Defender must be running on the machine where you start your container.
  1. Start a container:
    $ docker run -ti ubuntu /bin/bash
    Code copied to clipboard
    Unable to copy due to lack of browser support.
  2. Validate your secrets have been injected into this container.
    If you injected your secrets as environment variables, run:
    # printenv
    Code copied to clipboard
    Unable to copy due to lack of browser support.
    If you injected your secrets as files, run:
    # ls /run/secrets # cat /run/secrets/<SECRET_NAME>
    Code copied to clipboard
    Unable to copy due to lack of browser support.
  3. Exit the shell inside the container.
    # exit
    Code copied to clipboard
    Unable to copy due to lack of browser support.
  4. If your secrets are injected as environment variables, validate that they are encrypted when you run docker inspect.
    Start a container, and run it in the background:
    $ docker run -dit ubuntu /bin/bash <CONTAINER_ID>
    Code copied to clipboard
    Unable to copy due to lack of browser support.
    $ docker inspect <CONTAINER_ID>
    Code copied to clipboard
    Unable to copy due to lack of browser support.

Recommended For You