node-vault

What is node-vault?

The node-vault npm package is a client library for interacting with HashiCorp's Vault, a tool for securely accessing secrets. It allows developers to programmatically manage secrets, encryption keys, and other sensitive data.

What are node-vault's main functionalities?

Authentication

This feature allows you to authenticate with the Vault server. The code sample demonstrates how to list all the authentication methods enabled in Vault.

const vault = require('node-vault')({ endpoint: 'http://127.0.0.1:8200' });
vault.auths().then((result) => {
  console.log(result);
}).catch(console.error);

Secrets Management

This feature allows you to store and retrieve secrets. The code sample demonstrates how to write a secret to the Vault.

const vault = require('node-vault')({ endpoint: 'http://127.0.0.1:8200', token: 'my-token' });
vault.write('secret/data/mysecret', { data: { key: 'value' } }).then((result) => {
  console.log(result);
}).catch(console.error);

Dynamic Secrets

This feature allows you to generate dynamic secrets, such as database credentials. The code sample demonstrates how to read dynamic database credentials from Vault.

const vault = require('node-vault')({ endpoint: 'http://127.0.0.1:8200', token: 'my-token' });
vault.read('database/creds/my-role').then((result) => {
  console.log(result);
}).catch(console.error);

Encryption as a Service

This feature allows you to use Vault's encryption capabilities. The code sample demonstrates how to encrypt data using a named encryption key in Vault.

const vault = require('node-vault')({ endpoint: 'http://127.0.0.1:8200', token: 'my-token' });
vault.encryptData({ name: 'my-key', plaintext: Buffer.from('my-secret').toString('base64') }).then((result) => {
  console.log(result);
}).catch(console.error);

Other packages similar to node-vault

aws-sdk

The aws-sdk package is the official AWS SDK for JavaScript, which includes support for AWS Secrets Manager. It allows you to store, retrieve, and manage secrets in AWS. Compared to node-vault, aws-sdk is more focused on AWS services and offers a broader range of functionalities beyond secrets management.

azure-keyvault

The azure-keyvault package is a client library for Azure Key Vault, which provides secure storage of secrets, keys, and certificates. It offers similar functionalities to node-vault but is specific to the Azure ecosystem. It is ideal for developers working within the Azure cloud environment.

README

node-vault

A client for the HTTP API of HashiCorp's Vault written for Node.js.

Install

Prerequisites:

• NodeJS >= 16.0.0

npm install -S node-vault

The year is 2023; If, for whatever reason, you need to use an older version of node.js (yet still >= 6.x), use node-vault <= v0.10.0

Please note that node-vault <= v0.10.0 contains multiple vulnerabilities ☠️

Test

Run tests using docker-compose (includes vault, postgres and running the tests inside) with:

docker-compose up --force-recreate test

Usage

Init and unseal

var options = {
  apiVersion: 'v1', // default
  endpoint: 'http://127.0.0.1:8200', // default
  token: 'MY_TOKEN' // optional client token; can be fetched after valid initialization of the server
};

// get new instance of the client
var vault = require("node-vault")(options);

// init vault server
vault.init({ secret_shares: 1, secret_threshold: 1 })
.then( (result) => {
  var keys = result.keys;
  // set token for all following requests
  vault.token = result.root_token;
  // unseal vault server
  return vault.unseal({ secret_shares: 1, key: keys[0] })
})
.catch(console.error);

Write, read and delete secrets

vault.write('secret/hello', { value: 'world', lease: '1s' })
.then( () => vault.read('secret/hello'))
.then( () => vault.delete('secret/hello'))
.catch(console.error);

Kubernetes Auth Example

//if vault kubernets endpoint is /auth/example-cluster/login and role is example-role
//read token from default token mount path
const token = await fs.readFileSync('/var/run/secrets/kubernetes.io/serviceaccount/token', { encoding: 'utf8' });
vault.kubernetesLogin({role: 'example-role' ,
            jwt: token,
            kubernetesPath: 'example-cluster'})

Docs

Just generate docco docs via npm run docs.

Examples

Please have a look at the examples and the generated feature list to see what is already implemented.

Instead of installing all the dependencies like vault itself, postgres and other stuff you can use docker and docker-compose to link and run multiple docker containers with all of its dependencies.

git clone git@github.com:nodevault/node-vault.git
cd node-vault
docker-compose up vault

Now you can run the examples from another terminal window.

First of all you should initialize and unseal the vault:

node example/init.js

You should see root_token: followed by a long key in the response. Please copy that long key and export it as environment variable:

export VAULT_TOKEN=<insert long key here>

Now you are able to run all of the other examples:

node example/policies.js

Connecting to vault through a bastion host

To connect to a vault server in a private network with a bastion host, you'll need to first open a connection:

ssh -D <socks4Port> bastion.example.com

const SocksProxyAgent = require('socks-proxy-agent');
const agent = new SocksProxyAgent(`socks://127.0.0.1:${socks4Port}`, true);
const options = {
  apiVersion: 'v1',
  rpOptions: {
    agent,
  },
};

const vault = require('node-vault')(options);