Docker is used in many CI/CD piplines and accessing your private repositories should be made possible in a secure way. Using username and password for this is bad since these credentials have way to broad permissions. Access tokens on the other hand cannot change the password for an account and they can be restricted to specific namespaces thereby having a tighter scope than your username and password.

To use the plugin you must rigster it. See the Hashicorp Vault documentation for the steps needed. The Makefile provides steps to test locally.

First configure the credentials for the DockerHub account you want credentials from:

vault write dockerhub/config/$USERNAME password=$PASSWORD scopes=$SCOPE

where scopes is a comma separated list with the following valid values:admin, write, read, public_read.

ttl is optional. If it is not provided it will be set to the default ttl which is 5 minutes.

You can read the permissions using

vault read dockerhub/config/$USERNAME

The password will not be shown. Also it is not possible to update en existing configuration but a new one can be created. No validity checks are made when the config is written aside from validating the scopes.

Tokens issued by Vault will be revoked automatically after the ttl has expired. To issue a token run:

vault write dockerhub/token/$SCOPE label=$TOKEN_LABEL

By having scope as part of the path it is possible to restrict which scopes vault users are allowed to create credentials for.