Docker is used in many CI/CD piplines and accessing your private repositories should be made possible in a secure way. Using username and password for this is bad since these credentials have way to broad permissions. Access tokens on the other hand cannot change the password for an account and they can be restricted to specific namespaces thereby having a tighter scope than your username and password.
To use the plugin you must rigster it. See the Hashicorp Vault documentation for the steps needed. The Makefile
provides steps to test locally.
First configure the credentials for the DockerHub account you want credentials from:
vault write dockerhub/config/$USERNAME password=$PASSWORD scopes=$SCOPE
where scopes is a comma separated list with the following valid values:admin, write, read, public_read
.
ttl
is optional. If it is not provided it will be set to the default ttl
which is 5 minutes.
You can read the permissions using
vault read dockerhub/config/$USERNAME
The password will not be shown. Also it is not possible to update en existing configuration but a new one can be created. No validity checks are made when the config is written aside from validating the scopes.
Tokens issued by Vault will be revoked automatically after the ttl
has expired. To issue a token run:
vault write dockerhub/token/$SCOPE label=$TOKEN_LABEL
By having scope as part of the path it is possible to restrict which scopes vault users are allowed to create credentials for.