0.1.0 • Published 6 years ago

moleculer-vault v0.1.0



Vault Service for the Moleculer framework

This service provides actions for communicating with a Vault server. Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log. The goal of this package is to provide actions for accessing and managing secrets using a connected Vault server.

Features

The following list details which features are implemented:

  • Connect to the Vault on startup
  • Obtain the health status of the Vault
  • Mount Management
  • Write, Read and Delete Secrets from the Vault

Roadmap

The following list details which features may be implemented in the future:

  • Seal and Unseal the Vault
  • Audit Management
  • Auth Management
  • Policy Management

Install

This package is available in the npm registry. To use it, simply install it with yarn (or npm):

yarn add moleculer-vault

Usage

To make use of this service, simply require it and create a new service that uses it as a mixin:

let { ServiceBroker } = require("moleculer");
let VaultService = require("moleculer-vault");

let broker = new ServiceBroker({ logger: console });

// Create a service that mixes in the Vault actions (health, mounts, read, write, ...)
broker.createService({
    mixins: VaultService,
    settings: {
        // Where to find the Vault; see the Settings section for the other options
        endpoint: "http://my-vault:8200",
    }
});

// Start the broker, then ask the Vault for its health status
broker.start()
    .then(() => broker.call("vault.health"))
    .then(health => console.log(health));

For a more in-depth example, check out the examples folder. It includes a docker-compose file; running docker-compose up boots a broker with a Vault service and a Vault server. All Vault service actions are exposed on the API (which you should never do in real life!!!). You can run curl http://localhost:3000/vault/health, for example. This project includes a published Postman collection that lets you quickly explore the service in your local environment.

Settings

Property                      | Type   | Default  | Description
apiVersion                    | String | required | Which API version of the Vault to use.
endpoint                      | String | required | Where to find the Vault.
token                         | String | null     | Which token to use for authenticating against the Vault.
waitForInitializationAttempts | Number | required | When starting, the service connects to the Vault. While the Vault is not initialized, it requests the initialization status up to 5 times by default.
waitForInitializationInterval | Number | required | When starting, the service connects to the Vault. While the Vault is not initialized, it waits 1 second before requesting the initialization status again.

Actions

health

Obtain the Vault's health.

Parameters

No input parameters.

Results

Type: Object

The Vault's health status.

mounts

Obtain all mounts of the Vault.

Parameters

No input parameters.

Results

Type: Array.<Object>

mount

Mount a new secrets engine at a given path.

Parameters

Property    | Type    | Default  | Description
mount_point | String  | required | Specifies the path where the secrets engine will be mounted.
type        | String  | required | Specifies the type of the backend, such as "aws".
description | String  | -        | Specifies the human-friendly description of the mount.
config      | Object  | -        | Specifies configuration options for this mount.
options     | Object  | -        | Specifies mount-type-specific options that are passed to the backend.
local       | Boolean | false    | ENTERPRISE ONLY: Specifies if the secrets engine is a local mount only. Local mounts are not replicated nor (if a secondary) removed by replication.
seal_wrap   | Boolean | false    | ENTERPRISE ONLY: Enable seal wrapping for the mount.

Results

Type: undefined

remount

Remount a mount to a different path.

Parameters

Property | Type   | Default  | Description
from     | String | required | Specifies the previous mount point.
to       | String | required | Specifies the new destination mount point.

Results

Type: undefined

unmount

Unmount a mount from a path.

Parameters

Property    | Type   | Default  | Description
mount_point | String | required | Specifies the path where the secrets engine is mounted.

Results

Type: undefined

write

Write data to a Vault backend.

Parameters

Property       | Type   | Default  | Description
path           | String | required | Specifies the path to write to.
data           | Object | required | The data to write. The schema of this object depends on the backend that is mounted at the given path.
requestOptions | Object | -        | Additional request options that are passed to request-promise-native underneath.

Results

Type: Object

The schema depends on the backend that is mounted at the given path.

read

Read data from a Vault backend.

Parameters

Property       | Type   | Default  | Description
path           | String | required | Specifies which data to read.
requestOptions | Object | -        | Additional request options that are passed to request-promise-native underneath.

Results

Type: Object

The schema depends on the backend that is mounted at the given path.

list

List data from a Vault backend.

Parameters

Property       | Type   | Default  | Description
path           | String | required | Specifies which data to list.
requestOptions | Object | -        | Additional request options that are passed to request-promise-native underneath.

Results

Type: Object

The schema depends on the backend that is mounted at the given path.

delete

Delete data from a Vault backend.

Parameters

Property       | Type   | Default  | Description
path           | String | required | Specifies which data to delete.
requestOptions | Object | -        | Additional request options that are passed to request-promise-native underneath.

Results

Type: Object

The schema depends on the backend that is mounted at the given path.

help

Obtain help from a Vault backend.

Parameters

Property       | Type   | Default  | Description
path           | String | required | Specifies for what to obtain help.
requestOptions | Object | -        | Additional request options that are passed to request-promise-native underneath.

Results

Type: Object

The schema depends on the backend that is mounted at the given path.

Test

$ docker-compose exec package yarn test

In development, with file watching:

$ docker-compose up

License

moleculer-vault is available under the MIT license.