@financial-times/vaultenv NPM

vaultenv

Load vars from Vault straight into process.env

Get started with Vault
npm i -D @financial-times/vaultenv

FYI: use vaultenv for dev and ip-vault-sync for prod

Two ways of skinning a cat

1. Sync

Sync requires all configuration to be in the environment before the call to Vault is made.

Put this in your "dev script" in your package.json

VAULT_PATH=secret/teams/<your team>/<your thing>/<environment> node --require @financial-times/vaultenv

If you want to physically see your env vars printing out

add DEBUG=* at the beginning and
-pe 'console.log()' at the end of your "dev script"

Required variables

VAULT_ADDR - the address of the vault instance
VAULT_AUTH_GITHUB_TOKEN - your github personal token
VAULT_PATH - the full path to the secrets in vault (e.g. secret/teams/ateam/murdoch/production)
- Without VAULT_PATH, the path is made up of npm_package_team, npm_package_name and the environment is derived from CI and NODE_ENV
  - When CI is true, the env will be continuous-integration
  - When NODE_ENV is set, then its value will be used, otherwise it's development

The vars below are for appRole auth and can be used instead of GitHub auth

VAULT_AUTH_ROLE_ID - a role id for approle authentication
VAULT_AUTH_SECRET_ID - a secret id for approle authentication

Optional variables

VAULT_OVERRIDE_EXISTING - can be set in the environment or within the secrets in vault
- When VAULT_OVERRIDE_EXISTING is true, vault will override the existing environment variables
- When VAULT_OVERRIDE_EXISTING is false (default), vault will not override the existing environment variables

2. Async

This can be used during start up or while an app is running

const vault = require('@financial-times/vaultenv/async');
const start = async () => {
  const vars = await vault('https://vault.instance', 'github token', '/path/to/secrets');
  console.log(`env loaded: ${vars}`);
};
start();