Hashicorp Vault - Django query from docker container

Good afternoon,

I have two docker containers, one running a django app and the other running Hashicorp Vault as I am starting to play with Vault in a dev environment.

I am using HVAC from a django view to write a secret to the vault that is entered by a user to set up an integration to a REST API for a data pull.

When I run the following from my host machine, it writes just fine.

import hvac

client_write = hvac.Client(url='http://127.0.0.1:8200', token='MY_TOKEN')
client_write.is_authenticated()

When I run the same from the Django container, it fails with:

requests.exceptions.ConnectionError: HTTPConnectionPool(host='127.0.0.1', port=8200): Max retries exceeded with url: /v1/auth/token/lookup-self (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f2a21990610>: Failed to establish a new connection: [Errno 111] Connection refused'))

Django docker container is running on localhost:8000 & the vault is localhost:8200. I also have a front end written in VueJS running on localhost:8080 that has no trouble communicating back and forth with the django rest API (django-rest-framework).

Is there something in vault that I need to list where the queries can come from?

EDIT: Also, I have used both my purpose-built tokens with policies that allow writing of the secrets in question along with the following perms input (per https://github.com/hashicorp/vault/issues/781):

path "auth/token/lookup-self" {
    capabilities = ["read"]
} 

path "auth/token/renew-self" {
    capabilities = ["update"]
}

Furthermore, the same behavior occurs when testing with the root token, and the purpose-built tokens work from the host system.

Vault Config:

{
  "listener":  {
    "tcp":  {
      "address":  "0.0.0.0:8200",
      "tls_disable":  "true"
    }
  },
  "backend": {
    "file": {
      "path": "/vault/file"
    }
  },
  "default_lease_ttl": "240h",
  "max_lease_ttl": "720h",
  "ui": true,
  "api_addr": "http://0.0.0.0:8200"
}

Thank you, I am very new to Vault and am struggling through it a bit.

BCBB



Solution 1:[1]

OK, so I neglected to provide enough relevant information in my first post due to my not understanding. Thanks to the reference to networking in compose in the comment above, I started down a path.

I realize now that I have each element in a different docker-compose: project_ui/docker-compose for the VueJS front end, project_api/ for the Django & Postgres, and then project_vault for the hashicorp vault container.

To enable these to talk, I followed the guidance here: Communication between multiple docker-compose projects

I created a network in the django app, and then linked the other containers to it as described in that answer.

Thanks.
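
The fix described in this answer, sketched as two Compose files. This is an added example, not the poster's actual configuration; the service names (`api`, `vault`), the network name `project_vault_net`, the image and the volume paths are assumptions.

```yaml
# File 1: project_api/docker-compose.yml (Django side; creates the shared network)
# All service, image and network names below are assumptions for illustration.
services:
  api:
    build: .
    ports:
      - "8000:8000"
    environment:
      # Inside this container 127.0.0.1 is the container itself, which is
      # why the hvac call got "Connection refused". Use the Vault service
      # name, resolved by Docker's DNS on the shared network.
      VAULT_ADDR: "http://vault:8200"
    networks:
      - default      # keeps Postgres and other project_api services reachable
      - vault_net

networks:
  vault_net:
    name: project_vault_net   # fixed name so other Compose projects can join
---
# File 2: project_vault/docker-compose.yml (joins the network created above)
services:
  vault:
    image: hashicorp/vault
    command: server
    cap_add:
      - IPC_LOCK
    volumes:
      - ./config:/vault/config   # holds the listener config shown in the question
      - ./file:/vault/file       # file backend path from the question
    ports:
      # Published on the host loopback only, for the UI and host-side tests;
      # the Django container does not use this mapping.
      - "127.0.0.1:8200:8200"
    networks:
      - vault_net

networks:
  vault_net:
    external: true
    name: project_vault_net
```

Bring up project_api first so the network exists, then project_vault. In the Django view, build the client from the environment, for example `hvac.Client(url=os.environ["VAULT_ADDR"], token=...)`, rather than hard-coding `127.0.0.1`.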

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution | Source
Solution 1 | Bring Coffee Bring Beer