Docker container for CLI
Overview
In the directory ./docker there is a Docker configuration for running Passwork CLI in a containerized environment. This is useful for CI/CD pipelines in continuous integration systems.
Receiving
Clone the Python connector from GitHub, which contains the Docker directory:
- SSH
- HTTPS
git clone [email protected]:passwork-me/passwork-python.git
git clone https://github.com/passwork-me/passwork-python.git
Navigate to the Docker directory:
- shell
cd ./passwork-python/docker/
Building Docker image
- shell
docker build -t passwork-cli .
Using Docker container
Basic usage
Run the passwork-cli container, passing Passwork credentials via environment variables:
- shell
docker run -it --rm \
-e PASSWORK_HOST="https://your-passwork-instance.com" \
-e PASSWORK_TOKEN="your_access_token" \
-e PASSWORK_MASTER_KEY="your_master_key" \
passwork-cli exec --password-id "password_id" env
Using with Docker Compose
Copy and rename the file to docker-compose.yml based on the example:
- shell
# Edit docker-compose.yml if necessary
cp docker-compose.example.yml docker-compose.yml
Copy and rename the file to .env based on the example:
- shell
# Specify your credentials in .env
cp .env.example .env
Run using Docker Compose:
- shell
docker-compose run --rm passwork-cli exec --password-id "password_id" env
Example output
- shell
docker compose run --rm passwork-cli exec --password-id "67ff59139b0d5d96310084c5" env
WARN[0000] /opt/passwork-python-connector/docker/docker-compose.yaml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion
HOSTNAME=d6ec78fda6e0
HOME=/home/passwork
GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D
PYTHON_SHA256=849da87af4df137710c1796e276a955f7a85c9f971081067c8f565d15c352a09
PASSWORK_REFRESH_TOKEN=YT7ldSSD4qjzqCzIKK/3dGdQyNwB2erODWN3AoVd14E=
PASSWORK_TOKEN=LzS8ABjoa3wlvE+bqVZXHuFsQlc7XmxKIp+9HMu+800=
TERM=xterm
PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
LANG=C.UTF-8
PASSWORK_HOST=https://passwork.example.com
PASSWORK_MASTER_KEY=1lZyMBmT8Mqyj1cDcyiZHDZLHgyejvbMaUoohb1YYxuJnliDbdvgK8H4MWkSaXHZvqZyS9drsrZoOFbDVs5wBQ==
PYTHON_VERSION=3.11.12
PWD=/app
MONGODB_PASSWORD=P@ssw0rd
Examples
Retrieving a password and using it in a command:
- shell
docker run -it --rm \
-e PASSWORK_HOST="https://your-passwork.com" \
-e PASSWORK_TOKEN="your_token" \
-e PASSWORK_MASTER_KEY="your_master_key" \
passwork-cli exec --password-id "db_password_id" mysql -h db_host -u admin -p "$DB_PASSWORD" db_name
If client-side encryption is not used, remove the line — -e PASSWORK_MASTER_KEY="your_master_key" \
Direct API call:
- shell
docker run -it --rm \
-e PASSWORK_HOST="https://your-passwork.com" \
-e PASSWORK_TOKEN="your_token" \
-e PASSWORK_MASTER_KEY="your_master_key" \
passwork-cli api --method GET --endpoint "v1/vaults"
If client-side encryption is not used, remove the line — -e PASSWORK_MASTER_KEY="your_master_key" \
Using in Bitbucket Pipelines
Add the following block to bitbucket-pipelines.yml:
- shell
pipelines:
default:
- step:
name: Deploy with Passwork credentials
image: passwork-cli
script:
- passwork-cli exec --password-id "deploy_credentials" ./deploy.sh
services:
- docker
caches:
- docker
You can also use the Docker image directly from the container registry:
- shell
pipelines:
default:
- step:
name: Deploy with Passwork credentials
image: your-registry.com/passwork-cli:latest
script:
- passwork-cli exec --password-id "deploy_credentials" ./deploy.sh
Security considerations
- The Docker image runs as a non-root user, which enhances security;
- Secure environment variables must be used in CI/CD pipelines to store credentials.