We are interested in using Hashicorp's Vault for storing and giving access to secrets (API keys, access to databases, etc).

Vault provides a method called a wrapped token where a process will communicate with vault to retrieve a temporary token. This token is then passed to each task. Each task then exchanges this token for a more permanent token and performs leasing and renewing secrets with vault independently.

In our case, we would like to have our process generate a list of these temporary tokens and then use the swarm api to create a service while including these tokens. Each container would then just get 1 token as an environment variable.