From b13c695c8100db6202829bbc7c246b16c233017c Mon Sep 17 00:00:00 2001 From: Vault Automation Date: Wed, 18 Mar 2026 16:13:42 -0400 Subject: [PATCH] dockerfile: ensure user directive gets set for vault alpine and ubi containers (#12920) (#13080) * update user directive for dockerfile run as vault user by default * add changelog * also set the user to vault in ent dockerfile * update changelog * add the user directive in the Dockerfile of the repo root it is the one used for production builds * remove user directive from build stage, add user directive to alpine stage Co-authored-by: mickael-hc <86245626+mickael-hc@users.noreply.github.com> Co-authored-by: Ryan Cragun --- Dockerfile | 4 +++- changelog/_12920.txt | 3 +++ scripts/docker/Dockerfile | 3 +++ 3 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 changelog/_12920.txt diff --git a/Dockerfile b/Dockerfile index 0f5006fba4..5086d65ae7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -73,6 +73,8 @@ EXPOSE 8200 COPY .release/docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh ENTRYPOINT ["docker-entrypoint.sh"] +# Use the Vault user as the default user for starting this container. +USER ${NAME} # # By default you'll get a single-node development server that stores everything # # in RAM and bootstraps itself. Don't use this configuration for production. @@ -166,7 +168,7 @@ COPY .release/docker/ubi-docker-entrypoint.sh /usr/local/bin/docker-entrypoint.s ENTRYPOINT ["docker-entrypoint.sh"] # Use the Vault user as the default user for starting this container. -USER vault +USER ${NAME} # # By default you'll get a single-node development server that stores everything # # in RAM and bootstraps itself. Don't use this configuration for production. diff --git a/changelog/_12920.txt b/changelog/_12920.txt new file mode 100644 index 0000000000..2b4bfa8566 --- /dev/null +++ b/changelog/_12920.txt 
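Review bot: With `USER ${NAME}` placed after the ENTRYPOINT in the hunk at -73 (the alpine stage, per the commit message), docker-entrypoint.sh now starts unprivileged, so any step in that script that needs root would be skipped or fail. Typical examples are fixing ownership of mounted directories or setting a file capability before dropping privileges. The script is not part of this patch, so this is inferred; confirm that it handles a non-zero uid cleanly and that the directories the server writes to are already owned by the vault account at build time. A comment above the directive would tell operators what changed, e.g. `# Entrypoint runs unprivileged; volumes mounted into the container must already be writable by this user.` The same applies to the `USER vault` added in scripts/docker/Dockerfile, and the stage itself begins outside the hunk.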
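Review bot: In the hunk at -166, `USER ${NAME}` only resolves to the vault account if `NAME` is declared inside this build stage, and that declaration is not visible in either hunk of this file. An `ARG` set before an earlier `FROM` or in another stage is not inherited. If the variable expands to nothing, the image will not select the vault account; verify whether the build then fails or quietly keeps root. Because this line replaces a literal `USER vault` that could not drift, consider stating the dependency next to it: `# NAME comes from the ARG/ENV declared earlier in this stage and must name an account that exists in the image.` The hunk at -73 uses the same expansion.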
@@ -0,0 +1,3 @@ +```release-note:improvement +dockerfile: container will now run as vault user by default +``` diff --git a/scripts/docker/Dockerfile b/scripts/docker/Dockerfile index 62ad403f25..a2ff6fd848 100644 --- a/scripts/docker/Dockerfile +++ b/scripts/docker/Dockerfile @@ -61,6 +61,9 @@ EXPOSE 8200 COPY ./scripts/docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh ENTRYPOINT ["docker-entrypoint.sh"] +# Use the Vault user as the default user for starting this container. +USER vault + # By default you'll get a single-node development server that stores everything # in RAM and bootstraps itself. Don't use this configuration for production. CMD ["server", "-dev"]
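Review bot: `USER vault` in scripts/docker/Dockerfile records a name rather than a numeric uid in the image config. Orchestrators that enforce a non-root policy by inspecting the image (Kubernetes `runAsNonRoot` is the usual case) cannot verify a named user, and refuse to start the container unless a uid is set explicitly in the pod spec. If the uid assigned when the account is created is fixed, writing it numerically as `USER <vault-uid>` (placeholder; the value is not shown in this patch) and keeping the name in the comment makes the non-root default checkable. The same consideration applies to both `USER ${NAME}` lines in the root Dockerfile. This file also hard-codes `vault` where the root Dockerfile uses `${NAME}`; that is reasonable if no such variable exists here, but worth noting in the comment.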