This service provides actions for communicating with a Vault server. Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log. The goal of this package is to provide actions for accessing and managing secrets using a connected Vault server.
The following list details which features are implemented:
- Connect to the Vault on startup
- Obtain the health status of the Vault
- Mount Management
- Write, Read and Delete Secrets from the Vault
The following list details which features may be implemented in the future:
- Seal and Unseal the Vault
- Audit Management
- Auth Management
- Policy Management
This package is available in the npm-registry. In order to use it simply install it with yarn (or npm):
yarn add moleculer-vault
To make use of this service, simply require it and create a new service:

```js
let { ServiceBroker } = require("moleculer");
let VaultService = require("moleculer-vault");

let broker = new ServiceBroker({ logger: console });

// Create a service
broker.createService({
    mixins: VaultService,
    settings: {
        endpoint: "http://my-vault:8200",
    }
});

// Start server
broker.start().then(() => broker.call('vault.health'));
```
For a more in-depth example, check out the examples folder. It includes a docker-compose file; running docker-compose up will boot a broker with a vault service and a Vault server.
All vault service actions are exposed on the API (which you should never do in production!). For example, you can run curl http://localhost:3000/vault/health.
This project includes a published Postman collection, enabling you to quickly explore the service in your local environment.
Property | Type | Default | Description |
---|---|---|---|
apiVersion | String | required | Which API version of the Vault to use. |
endpoint | String | required | Where to find the Vault. |
token | String | null | Which token to use for authenticating against the Vault. |
waitForInitializationAttempts | Number | required | When starting, the service connects to the Vault. If the Vault is not initialized, it requests the initialization status again, by default up to 5 times. |
waitForInitializationInterval | Number | required | When starting, the service connects to the Vault. If the Vault is not initialized, it waits 1 second by default before requesting the initialization status again. |
Obtain the Vault's health.
Property | Type | Default | Description |
---|---|---|---|
No input parameters. | | | |
Return type: Object. The Vault's health status.
Obtain all mounts of the Vault.
Property | Type | Default | Description |
---|---|---|---|
No input parameters. | | | |
Return type: Array.<Object>
Mount a new secret store at a given path.
Property | Type | Default | Description |
---|---|---|---|
mount_point | String | required | Specifies the path where the secrets engine will be mounted. |
type | String | required | Specifies the type of the backend, such as "aws". |
description | String | - | Specifies the human-friendly description of the mount. |
config | Object | - | Specifies configuration options for this mount. |
options | Object | - | Specifies mount-type-specific options that are passed to the backend. |
local | Boolean | false | ENTERPRISE ONLY: Specifies if the secrets engine is a local mount only. Local mounts are not replicated nor (if a secondary) removed by replication. |
seal_wrap | Boolean | false | ENTERPRISE ONLY: Enable seal wrapping for the mount. |
Return type: undefined
Remount a mount to a different path.
Property | Type | Default | Description |
---|---|---|---|
from | String | required | Specifies the previous mount point. |
to | String | required | Specifies the new destination mount point. |
Return type: undefined
Unmount a mount from a path.
Property | Type | Default | Description |
---|---|---|---|
mount_point | String | required | Specifies the path where the secrets engine is mounted. |
Return type: undefined
Write data to a Vault backend.
Property | Type | Default | Description |
---|---|---|---|
path | String | required | Specifies the path to write to. |
data | Object | required | The data to write. The schema of this object depends on the backend that is mounted at the given path. |
requestOptions | Object | - | Additional request options that are passed to the underlying request-promise-native call. |
Return type: Object. The schema depends on the backend that is mounted at the given path.
Read data from a Vault backend.
Property | Type | Default | Description |
---|---|---|---|
path | String | required | Specifies which data to read. |
requestOptions | Object | - | Additional request options that are passed to the underlying request-promise-native call. |
Return type: Object. The schema depends on the backend that is mounted at the given path.
List data from a Vault backend.
Property | Type | Default | Description |
---|---|---|---|
path | String | required | Specifies which data to list. |
requestOptions | Object | - | Additional request options that are passed to the underlying request-promise-native call. |
Return type: Object. The schema depends on the backend that is mounted at the given path.
Delete data from a Vault backend.
Property | Type | Default | Description |
---|---|---|---|
path | String | required | Specifies which data to delete. |
requestOptions | Object | - | Additional request options that are passed to the underlying request-promise-native call. |
Return type: Object. The schema depends on the backend that is mounted at the given path.
Obtain help from a Vault backend.
Property | Type | Default | Description |
---|---|---|---|
path | String | required | Specifies for what to obtain help. |
requestOptions | Object | - | Additional request options that are passed to the underlying request-promise-native call. |
Return type: Object. The schema depends on the backend that is mounted at the given path.
$ docker-compose exec package yarn test
In development, with file watching:
$ docker-compose up
moleculer-vault is available under the MIT license.