Docker container for CLI

Overview

In the directory ./docker there is a Docker configuration for running Passwork CLI in a containerized environment. This is useful for CI/CD pipelines in continuous integration systems.

Receiving

Clone the Python connector from GitHub, which contains the Docker directory:

SSH

git clone [email protected]:passwork-me/passwork-python.git

HTTPS

git clone https://github.com/passwork-me/passwork-python.git

Navigate to the Docker directory:

shell

cd ./passwork-python/docker/

Building Docker image

shell

docker build -t passwork-cli .

Using Docker container

Basic usage

Run the passwork-cli container, passing Passwork credentials via environment variables:

shell

docker run -it --rm \
  -e PASSWORK_HOST="https://your-passwork-instance.com" \
  -e PASSWORK_TOKEN="your_access_token" \
  -e PASSWORK_MASTER_KEY="your_master_key" \
  passwork-cli exec --password-id "password_id" env

Using with Docker Compose

Copy and rename the file to docker-compose.yml based on the example:

shell

# Edit docker-compose.yml if necessary
cp docker-compose.example.yml docker-compose.yml

Copy and rename the file to .env based on the example:

shell

# Specify your credentials in .env
cp .env.example .env

Run using Docker Compose:

shell

docker-compose run --rm passwork-cli exec --password-id "password_id" env

Example output

shell

docker compose run --rm passwork-cli exec --password-id "67ff59139b0d5d96310084c5" env
WARN[0000] /opt/passwork-python-connector/docker/docker-compose.yaml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion 
HOSTNAME=d6ec78fda6e0
HOME=/home/passwork
GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D
PYTHON_SHA256=849da87af4df137710c1796e276a955f7a85c9f971081067c8f565d15c352a09
PASSWORK_REFRESH_TOKEN=YT7ldSSD4qjzqCzIKK/3dGdQyNwB2erODWN3AoVd14E=
PASSWORK_TOKEN=LzS8ABjoa3wlvE+bqVZXHuFsQlc7XmxKIp+9HMu+800=
TERM=xterm
PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
LANG=C.UTF-8
PASSWORK_HOST=https://passwork.example.com
PASSWORK_MASTER_KEY=1lZyMBmT8Mqyj1cDcyiZHDZLHgyejvbMaUoohb1YYxuJnliDbdvgK8H4MWkSaXHZvqZyS9drsrZoOFbDVs5wBQ==
PYTHON_VERSION=3.11.12
PWD=/app
MONGODB_PASSWORD=P@ssw0rd

Examples

Retrieving a password and using it in a command:

shell

docker run -it --rm \
  -e PASSWORK_HOST="https://your-passwork.com" \
  -e PASSWORK_TOKEN="your_token" \
  -e PASSWORK_MASTER_KEY="your_master_key" \
  passwork-cli exec --password-id "db_password_id" mysql -h db_host -u admin -p "$DB_PASSWORD" db_name

info

If client-side encryption is not used, remove the line — -e PASSWORK_MASTER_KEY="your_master_key" \

Direct API call:

shell

docker run -it --rm \
  -e PASSWORK_HOST="https://your-passwork.com" \
  -e PASSWORK_TOKEN="your_token" \
  -e PASSWORK_MASTER_KEY="your_master_key" \
  passwork-cli api --method GET --endpoint "v1/vaults"

info

If client-side encryption is not used, remove the line — -e PASSWORK_MASTER_KEY="your_master_key" \

Using in Bitbucket Pipelines

Add the following block to bitbucket-pipelines.yml:

shell

pipelines:
  default:
    - step:
        name: Deploy with Passwork credentials
        image: passwork-cli
        script:
          - passwork-cli exec --password-id "deploy_credentials" ./deploy.sh
        services:
          - docker
        caches:
          - docker

You can also use the Docker image directly from the container registry:

shell

pipelines:
  default:
    - step:
        name: Deploy with Passwork credentials
        image: your-registry.com/passwork-cli:latest
        script:
          - passwork-cli exec --password-id "deploy_credentials" ./deploy.sh

Security considerations

• The Docker image runs as a non-root user, which enhances security;
• Secure environment variables must be used in CI/CD pipelines to store credentials.