Vault Service for the Moleculer framework
This service provides actions for communicating with a Vault server. Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log. The goal of this package is to provide actions for accessing and managing secrets using a connected Vault server.
Features
The following list details which features are implemented:
- Connect to the Vault on startup
- Obtain the health status of the Vault
- Mount Management
- Write, Read and Delete Secrets from the Vault
Roadmap
The following list details which features will potentially be implemented:
- Seal and Unseal the Vault
- Audit Management
- Auth Management
- Policy Management
Install
This package is available in the npm registry. In order to use it, simply install it with yarn (or npm):
yarn add moleculer-vault
Usage
To make use of this Service, simply require it and create a new service:
```js
let { ServiceBroker } = require("moleculer");
let VaultService = require("moleculer-vault");

// Create a service broker
let broker = new ServiceBroker({ logger: console });

// Create a service from the mixin; endpoint and token values are placeholders,
// adjust them to your environment (see Settings below)
broker.createService({
    mixins: [VaultService],
    settings: {
        apiVersion: "v1",
        endpoint: "http://localhost:8200",
        token: process.env.VAULT_TOKEN
    }
});

// Start server
broker.start();
```
For a more in-depth example, check out the examples folder. It includes a docker-compose file; running docker-compose up will boot a broker with a vault service and a Vault server.
All vault service actions are exposed on the API in that example (which you should never do in real life!). You can run curl http://localhost:3000/vault/health for example.
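The warning above is the important one: the demo publishes every action, including vault.write, vault.mount and vault.delete, over plain HTTP. The following is an added example, not code from moleculer-vault or its examples folder, of a moleculer-web route configuration that exposes only the read-only vault.health action, shown beside the wide-open shape the demo effectively has (assumption: the demo's exact route config is not on this page). The patternToRegExp/routeExposes/isExposed/exposedActions helpers are this example's own, written so the decision can be checked offline; they approximate moleculer-web's whitelist semantics ("*" matches one dot-separated segment, "**" any suffix, a missing whitelist means every action is reachable, mappingPolicy "restrict" serves aliased actions only).

```javascript
// Added example, not part of moleculer-vault. Hardened gateway route: only the
// health check is served over HTTP, under GET /vault/health.
const hardenedRoutes = [
  {
    path: "/vault",
    whitelist: ["vault.health"],
    aliases: { "GET health": "vault.health" },
    mappingPolicy: "restrict"   // aliased actions only, no /vault/<action> fallback
  }
];

// Wide open (assumed shape of the docker-compose demo): every action of every
// service, including vault.write, vault.mount and vault.delete, becomes an
// HTTP endpoint. Never ship this.
const wideOpenRoutes = [
  { path: "/", whitelist: ["**"] }
];

// Convert a moleculer-style pattern into an anchored RegExp.
// "*" matches within one dot-separated segment, "**" matches anything.
function patternToRegExp(pattern) {
  if (pattern instanceof RegExp) return pattern;
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&"); // keep '*' unescaped
  const source = escaped
    .replace(/\*\*/g, "\u0000")   // placeholder so "**" is not consumed by the "*" rule
    .replace(/\*/g, "[^.]*")
    .replace(/\u0000/g, ".*");
  return new RegExp("^" + source + "$");
}

// Does a single route let `actionName` through?
function routeExposes(route, actionName) {
  const whitelisted = !route.whitelist ||
    route.whitelist.some(p => patternToRegExp(p).test(actionName));
  if (!whitelisted) return false;
  if (route.mappingPolicy === "restrict") {
    // Only actions that have an alias are reachable.
    return Object.values(route.aliases || {}).includes(actionName);
  }
  return true;
}

function isExposed(routes, actionName) {
  return routes.some(route => routeExposes(route, actionName));
}

// Which of the given actions would be reachable over HTTP with these routes?
function exposedActions(routes, actionNames) {
  return actionNames.filter(name => isExposed(routes, name));
}

// The action names this service documents.
const vaultActions = [
  "vault.health", "vault.mounts", "vault.mount", "vault.remount", "vault.unmount",
  "vault.write", "vault.read", "vault.list", "vault.delete", "vault.help"
];

console.log(exposedActions(hardenedRoutes, vaultActions));        // [ 'vault.health' ]
console.log(exposedActions(wideOpenRoutes, vaultActions).length); // 10
```

Drop hardenedRoutes into the settings.routes of a moleculer-web API gateway service; internal callers still reach vault.write and friends through broker.call, but nothing outside the broker can.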
This project includes a published postman collection enabling you to quickly explore the service in your local environment.
Settings
Property | Type | Default | Description |
---|---|---|---|
apiVersion | String | required | Which API version of the Vault to use. |
endpoint | String | required | Where to find the Vault. |
token | String | null | Which token to use for authenticating against the Vault. |
waitForInitializationAttempts | Number | required | When starting, the service connects to the Vault. When the Vault is not initialized, it requests the initialization status up to this many times (5 by default). |
waitForInitializationInterval | Number | required | When starting, the service connects to the Vault. When the Vault is not initialized, it waits this long (1 second by default) before requesting the initialization status again. |
Actions
health
Obtain the Vault's health.
Parameters
No input parameters.
Results
Type: Object
The Vault's health status.
mounts
Obtain all mounts of the Vault
Parameters
No input parameters.
Results
Type: Array.<Object>
mount
Mount a new secret store at a given path
Parameters
Property | Type | Default | Description |
---|---|---|---|
mount_point | String | required | Specifies the path where the secrets engine will be mounted. |
type | String | required | Specifies the type of the backend, such as "aws". |
description | String | - | Specifies the human-friendly description of the mount. |
config | Object | - | Specifies configuration options for this mount. |
options | Object | - | Specifies mount type specific options that are passed to the backend. |
local | Boolean | false | ENTERPRISE ONLY: Specifies if the secrets engine is a local mount only. Local mounts are not replicated nor (if a secondary) removed by replication. |
seal_wrap | Boolean | false | ENTERPRISE ONLY: Enable seal wrapping for the mount. |
Results
Type: undefined
remount
Remount a mount to a different Path
Parameters
Property | Type | Default | Description |
---|---|---|---|
from | String | required | Specifies the previous mount point. |
to | String | required | Specifies the new destination mount point. |
Results
Type: undefined
unmount
Unmount a mount from a path
Parameters
Property | Type | Default | Description |
---|---|---|---|
mount_point | String | required | Specifies the path where the secrets engine to unmount is currently mounted. |
Results
Type: undefined
write
Write data to a Vault Backend
Parameters
Property | Type | Default | Description |
---|---|---|---|
path | String | required | Specifies the path to write to. |
data | Object | required | The data to write. The schema of this object depends on the backend that is mounted at the given path. |
requestOptions | Object | - | Additional request options that are passed to request-promise-native underneath. |
Results
Type: Object
Schema depends on the backend that is mounted at the given path
read
Read data from a Vault Backend
Parameters
Property | Type | Default | Description |
---|---|---|---|
path | String | required | Specifies which data to read. |
requestOptions | Object | - | Additional request options that are passed to request-promise-native underneath. |
Results
Type: Object
Schema depends on the backend that is mounted at the given path
list
List data from a Vault Backend
Parameters
Property | Type | Default | Description |
---|---|---|---|
path | String | required | Specifies which data to list. |
requestOptions | Object | - | Additional request options that are passed to request-promise-native underneath. |
Results
Type: Object
Schema depends on the backend that is mounted at the given path
delete
Delete data from a Vault Backend
Parameters
Property | Type | Default | Description |
---|---|---|---|
path | String | required | Specifies which data to delete. |
requestOptions | Object | - | Additional request options that are passed to request-promise-native underneath. |
Results
Type: Object
Schema depends on the backend that is mounted at the given path
help
Obtain help from a Vault Backend
Parameters
Property | Type | Default | Description |
---|---|---|---|
path | String | required | Specifies for what to obtain help. |
requestOptions | Object | - | Additional request options that are passed to request-promise-native underneath. |
Results
Type: Object
Schema depends on the backend that is mounted at the given path
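The write, read, list, delete and help actions above all take a path plus optional requestOptions that are handed to request-promise-native. The following is an added example, not the service's own code, showing how those actions map onto Vault's HTTP API (verb, URL under the configured apiVersion, X-Vault-Token header, ?help=1 for help) and how caller-supplied requestOptions should be merged so they cannot retarget the request, replace the token, or silently turn off TLS verification. vaultRequest(), redactForLog(), exampleSettings and the token value are this example's own constructions; the option names strictSSL and rejectUnauthorized are the ones request understands.

```javascript
// Added example, not moleculer-vault's own code.
// Settings in the shape the service documents; the token is constructed.
const exampleSettings = {
  apiVersion: "v1",
  endpoint: "https://vault.internal:8200/",
  token: "hvs.EXAMPLE-CONSTRUCTED-TOKEN-NOT-REAL"
};

// Vault API verb per action. Vault accepts PUT or POST for writes and has a
// custom LIST method (GET ...?list=true is the equivalent).
const METHOD_FOR_ACTION = {
  read: "GET", write: "PUT", list: "LIST", delete: "DELETE", help: "GET"
};

// request options that would weaken transport security if a caller set them.
const FORBIDDEN_OPTIONS = ["strictSSL", "rejectUnauthorized"];

// Build the request object for one action. Caller options pass through, but
// verb, target URL and the auth header stay under the service's control.
function vaultRequest(settings, action, params) {
  const method = METHOD_FOR_ACTION[action];
  if (!method) throw new Error(`unknown vault action: ${action}`);
  if (typeof params.path !== "string" || params.path.length === 0) {
    throw new Error("path is required");
  }

  // Join endpoint + apiVersion + path without producing "//" in the middle.
  const base = settings.endpoint.replace(/\/+$/, "");
  const path = params.path.replace(/^\/+/, "");
  let uri = `${base}/${settings.apiVersion}/${path}`;
  if (action === "help") uri += "?help=1";   // Vault's per-path help query

  const { headers: callerHeaders = {}, ...callerOptions } = params.requestOptions || {};
  for (const key of FORBIDDEN_OPTIONS) {
    if (callerOptions[key] === false) {
      throw new Error(`requestOptions.${key}=false would disable TLS verification`);
    }
  }

  const request = {
    ...callerOptions,   // timeout, proxy, custom CA etc. come through
    method,             // spread first, so these three cannot be overridden
    uri,
    json: true,
    headers: { ...callerHeaders, "X-Vault-Token": settings.token }
  };
  if (action === "write") request.body = params.data;
  return request;
}

// Never write the token to logs: return a copy with the header masked.
function redactForLog(request) {
  const headers = { ...request.headers };
  if ("X-Vault-Token" in headers) headers["X-Vault-Token"] = "[REDACTED]";
  return { ...request, headers };
}

console.log(JSON.stringify(
  redactForLog(vaultRequest(exampleSettings, "read", { path: "secret/data/app" }))
));
```

The spread order is the whole point: anything in requestOptions is applied first and the service's own method, uri and token header are written last, so a caller who can influence requestOptions (for example through a gateway alias that forwards request bodies) gets timeouts and CA overrides but not a different target or credential.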
Test
$ docker-compose exec package yarn test
In development, with file watching:
$ docker-compose up
License
moleculer-vault is available under the MIT license.