Injecting secrets: end-to-end example
This article presents a step-by-step guide for testing Prisma Cloud’s secret manager.
You will set up HashiCorp Vault, store a secret in it, inject the secret into a running container, then validate that it can be seen from within the container.
Setting up Vault
Set up HashiCorp Vault in development mode.
- Download Vault from https://www.vaultproject.io/downloads.html.
- Unzip the package, then copy the vault executable to a directory in your PATH.
- Verify that vault is installed. Run the following command:$ vault -helpStart Vault in development mode.$ vault server -dev -dev-listen-address='<VAULT_HOST_IPADDR>:8200' ==> WARNING: Dev mode is enabled! In this mode, Vault is completely in-memory and unsealed. Vault is configured to only have a single unseal key. The root token has already been authenticated with the CLI, so you can immediately begin using the Vault CLI. The only step you need to take is to set the following environment variables: export VAULT_ADDR='http://10.240.0.53:8200' The unseal key and root token are reproduced below in case you want to seal/unseal the Vault or play with authentication. Unseal Key: Hb0dBfYh3ieHRmf28ohu5xh0DKfmP4aNa8JS5/jNsWQ= Root Token: 29e3e12b-09b4-af6c-6e87-cbd9fbcb51bd
- Open a shell and ssh to the host running Vault.
- Set the Vault address in your environment.$ export VAULT_ADDR='http://<VAULT_HOST_IPADDR>:8200'Create a secret.For Vault 0.10 or later:vault kv put secret/mySecret1 "pass=1234567"For Vault 0.9.x or older:$ vault write secret/mySecret1 "pass=1234567"Read the secret back to validate it was properly stored.For Vault 0.10 or later:$ vault kv get secret/mySecret1For Vault 0.9.x or older:$ vault read secret/mySecret1
Storing a secret in HashiCorp Vault
Store a secret in Vault.