moleculer-vault v0.1.0
Vault Service for the Moleculer framework
This service provides actions for communicating with a Vault server. Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log. The goal of this package is to provide actions for accessing and managing secrets using a connected Vault server.
Features
The following list details which features are implemented:
- Connect to the Vault on startup
- Obtain the health status of the Vault
- Mount Management
- Write, Read and Delete Secrets from the Vault
Roadmap
The following list details which features will potentially be implemented:
- Seal and Unseal the Vault
- Audit Management
- Auth Management
- Policy Management
Install
This package is available in the npm registry. In order to use it, simply install it with yarn (or npm):

```sh
yarn add moleculer-vault
```
Usage
To make use of this service, simply require it and create a new service:

```js
let { ServiceBroker } = require("moleculer");
let VaultService = require("moleculer-vault");

let broker = new ServiceBroker({ logger: console });

// Create a service that mixes in the Vault actions
broker.createService({
  mixins: VaultService,
  settings: {
    endpoint: "http://my-vault:8200",
  }
});

// Start the broker and query the Vault's health
broker.start().then(() => broker.call("vault.health"));
```
For a more in-depth example, check out the examples folder. It includes a docker-compose file; running docker-compose up will boot a broker with a vault service and a Vault server.

All vault service actions are exposed on the API (which you should never do in real life: anyone who can reach the gateway can then read, write and delete secrets with the service's token). You can run curl http://localhost:3000/vault/health for example.
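The examples folder exposes every action for exploration only. As an added illustration (not code from moleculer-vault or its examples folder), the following moleculer-web route settings show the permissive setting beside a restricted one; the use of moleculer-web as the HTTP gateway and the whitelist values are assumptions for this illustration, the `routes`, `path` and `whitelist` field names are moleculer-web's documented settings.

```javascript
// Added example, not part of moleculer-vault: API gateway route settings for a
// moleculer-web service (assumed to be the gateway in front of the broker).

// Weak: "**" whitelists every action of every service, so vault.read, vault.write
// and vault.delete become reachable at http://localhost:3000/vault/<action>
// for anyone who can reach the gateway, authenticated with the service's token.
const exposeEverything = {
  routes: [
    { path: "/", whitelist: ["**"] }
  ]
};

// Restricted: only the health action is reachable from outside the broker;
// secret access stays internal to the service mesh.
const exposeHealthOnly = {
  routes: [
    { path: "/", whitelist: ["vault.health"] }
  ]
};

module.exports = { exposeEverything, exposeHealthOnly };
```

Whichever actions you do expose, the gateway still calls them with the single token configured in the vault service's settings, so the gateway's own authentication and authorization decide who can act with that token.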
This project includes a published postman collection enabling you to quickly explore the service in your local environment.
Settings
Property | Type | Default | Description |
---|---|---|---|
apiVersion | String | required | Which API version of the Vault to use. |
endpoint | String | required | Where to find the Vault. |
token | String | null | Which token to use for authenticating against the Vault. |
waitForInitializationAttempts | Number | required | When starting, the service connects to the Vault. If the Vault is not initialized, it requests the initialization status up to 5 times by default. |
waitForInitializationInterval | Number | required | When starting, the service connects to the Vault. If the Vault is not initialized, it waits 1 second by default before requesting the initialization status again. |
Actions
health
Obtain the Vault's health.
Parameters
No input parameters.
Results
Type: Object
The Vault's health status.
mounts
Obtain all mounts of the Vault
Parameters
No input parameters.
Results
Type: Array.<Object>
mount
Mount a new secret store at a given path
Parameters
Property | Type | Default | Description |
---|---|---|---|
mount_point | String | required | Specifies the path where the secrets engine will be mounted. |
type | String | required | Specifies the type of the backend, such as "aws". |
description | String | - | Specifies the human-friendly description of the mount. |
config | Object | - | Specifies configuration options for this mount. |
options | Object | - | Specifies mount type specific options that are passed to the backend. |
local | Boolean | false | ENTERPRISE ONLY: Specifies if the secrets engine is a local mount only. Local mounts are not replicated nor (if a secondary) removed by replication. |
seal_wrap | Boolean | false | ENTERPRISE ONLY: Enable seal wrapping for the mount. |
Results
Type: undefined
remount
Remount a mount to a different path
Parameters
Property | Type | Default | Description |
---|---|---|---|
from | String | required | Specifies the previous mount point. |
to | String | required | Specifies the new destination mount point. |
Results
Type: undefined
unmount
Unmount a mount from a path
Parameters
Property | Type | Default | Description |
---|---|---|---|
mount_point | String | required | Specifies the path where the secrets engine is currently mounted. |
Results
Type: undefined
write
Write data to a Vault Backend
Parameters
Property | Type | Default | Description |
---|---|---|---|
path | String | required | Specifies the path to write to. |
data | Object | required | The data to write. The schema of this object depends on the backend that is mounted at the given path. |
requestOptions | Object | - | Additional request options that are passed to the underlying request-promise-native call. |
Results
Type: Object
Schema depends on the backend that is mounted at the given path
read
Read data from a Vault Backend
Parameters
Property | Type | Default | Description |
---|---|---|---|
path | String | required | Specifies which data to read. |
requestOptions | Object | - | Additional request options that are passed to the underlying request-promise-native call. |
Results
Type: Object
Schema depends on the backend that is mounted at the given path
list
List data from a Vault Backend
Parameters
Property | Type | Default | Description |
---|---|---|---|
path | String | required | Specifies which data to list. |
requestOptions | Object | - | Additional request options that are passed to the underlying request-promise-native call. |
Results
Type: Object
Schema depends on the backend that is mounted at the given path
delete
Delete data from a Vault Backend
Parameters
Property | Type | Default | Description |
---|---|---|---|
path | String | required | Specifies which data to delete. |
requestOptions | Object | - | Additional request options that are passed to the underlying request-promise-native call. |
Results
Type: Object
Schema depends on the backend that is mounted at the given path
help
Obtain help from a Vault Backend
Parameters
Property | Type | Default | Description |
---|---|---|---|
path | String | required | Specifies for what to obtain help. |
requestOptions | Object | - | Additional request options that are passed to the underlying request-promise-native call. |
Results
Type: Object
Schema depends on the backend that is mounted at the given path
Test

```sh
$ docker-compose exec package yarn test
```

In development, with file watching:

```sh
$ docker-compose up
```
License
moleculer-vault is available under the MIT license.