moleculer-vault
v0.1.0
A vault mixin for the moleculer framework
Vault Service for the Moleculer framework
This service provides actions for communicating with a Vault server. Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log. The goal of this package is to provide actions for accessing and managing secrets using a connected Vault server.
Features
The following list details which features are implemented:
- Connect to the Vault on startup
- Obtain the health status of the Vault
- Mount Management
- Write, Read and Delete Secrets from the Vault
Roadmap
The following list details which features may be implemented in the future:
- Seal and Unseal the Vault
- Audit Management
- Auth Management
- Policy Management
Install
This package is available in the npm registry. To use it, simply install it with yarn (or npm):

```sh
yarn add moleculer-vault
```
Usage
To make use of this service, simply require it and create a new service:

```javascript
const { ServiceBroker } = require("moleculer");
const VaultService = require("moleculer-vault");

const broker = new ServiceBroker({ logger: console });

// Create a service that uses the Vault mixin
broker.createService({
    mixins: VaultService,
    settings: {
        endpoint: "http://my-vault:8200",
    }
});

// Start the broker and query the Vault's health
broker.start().then(() => broker.call('vault.health'));
```
For a more in-depth example, check out the examples folder. It includes a docker-compose file; running `docker-compose up` will boot a broker with a vault service and a Vault server.
All vault service actions are exposed on the API (which you should never do in real life!!!). You can run `curl http://localhost:3000/vault/health`, for example.
This project includes a published Postman collection, enabling you to quickly explore the service in your local environment.
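The warning above about exposing every vault action through the API is worth checking mechanically. The following is an added example, not code from moleculer-vault or Moleculer: a small lint that reports which of this package's actions an API-gateway whitelist exposes. The glob matching is an assumed, simplified imitation of moleculer-web's whitelist rules, and the two route configs are constructed.

```javascript
// Added example (not part of moleculer-vault): lint an API-gateway route config
// for vault actions it exposes. Action names are the ones this README documents.
const VAULT_ACTIONS = [
  "vault.health", "vault.mounts", "vault.mount", "vault.remount", "vault.unmount",
  "vault.write", "vault.read", "vault.list", "vault.delete", "vault.help",
];

// Everything except the health check reads or changes secrets or mounts; exposing
// these on a public HTTP port hands Vault access to anyone who can reach the gateway.
const SENSITIVE = VAULT_ACTIONS.filter((a) => a !== "vault.health");

function escapeRe(s) { return s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"); }

// Assumed, simplified moleculer-web glob semantics: "*" matches within one
// dot-separated segment, "**" matches across segments, anything else is literal.
function globToRegExp(pattern) {
  const src = pattern
    .split("**")
    .map((part) => part.split("*").map(escapeRe).join("[^.]*"))
    .join(".*");
  return new RegExp(`^${src}$`);
}

// Vault actions reachable through any route. A route without a whitelist is
// assumed to expose every action, as a gateway default would.
function exposedVaultActions(routes) {
  const exposed = new Set();
  for (const route of routes) {
    const patterns = route.whitelist || ["**"];
    for (const p of patterns) {
      const re = p instanceof RegExp ? p : globToRegExp(p);
      VAULT_ACTIONS.filter((a) => re.test(a)).forEach((a) => exposed.add(a));
    }
  }
  return [...exposed].sort();
}

// Sensitive actions the config exposes; an empty array means the gateway is fine.
function lintRoutes(routes) {
  return exposedVaultActions(routes).filter((a) => SENSITIVE.includes(a));
}

// Constructed configs: an "expose everything" route versus one limited to the health check.
const EXPOSE_ALL = [{ path: "/", whitelist: ["vault.*"] }];
const HEALTH_ONLY = [{ path: "/", whitelist: ["vault.health"] }];

console.log("exposes:", lintRoutes(EXPOSE_ALL));   // every action except vault.health
console.log("exposes:", lintRoutes(HEALTH_ONLY));  // []
```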
Settings
| Property | Type | Default | Description |
| -------- | ---- | ------- | ----------- |
| apiVersion | String | required | Which API version of the Vault to use. |
| endpoint | String | required | Where to find the Vault. |
| token | String | null | Which token to use for authenticating against the Vault. |
| waitForInitializationAttempts | Number | required | When starting, the service connects to the Vault. If the Vault is not initialized, it requests the initialization status up to 5 times by default. |
| waitForInitializationInterval | Number | required | When starting, the service connects to the Vault. If the Vault is not initialized, it waits 1 second by default before requesting the initialization status again. |
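The two waitForInitialization* settings describe a polling loop at startup. As an added illustration, not moleculer-vault's own implementation, this stand-alone function reproduces that behaviour so the retry budget can be exercised offline; the Vault client is a constructed fake whose initStatus() stands in for Vault's GET /v1/sys/init, and pausing only between attempts (not after the last one) is an assumption.

```javascript
// Added example (not moleculer-vault's code): startup polling driven by the
// waitForInitializationAttempts / waitForInitializationInterval settings.
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Polls the Vault until it reports initialized or the attempt budget is used up.
// Resolves with the number of attempts taken, or rejects so that broker.start()
// fails instead of leaving a service running against an unusable Vault.
async function waitForInitialization(vault, settings) {
  const attempts = settings.waitForInitializationAttempts;
  const interval = settings.waitForInitializationInterval;
  for (let attempt = 1; attempt <= attempts; attempt++) {
    const status = await vault.initStatus(); // assumed to mirror GET /v1/sys/init
    if (status.initialized) return { initialized: true, attempts: attempt };
    if (attempt < attempts) await sleep(interval); // assumption: no pause after the last try
  }
  throw new Error(`Vault not initialized after ${attempts} attempts`);
}

// Worst-case time spent sleeping under this implementation (one interval between attempts).
function maxStartupDelayMs(settings) {
  return (settings.waitForInitializationAttempts - 1) * settings.waitForInitializationInterval;
}

// Constructed fake Vault: reports "not initialized" for the first `notReadyFor` calls.
function fakeVault(notReadyFor) {
  let calls = 0;
  return {
    get calls() { return calls; },
    async initStatus() { calls += 1; return { initialized: calls > notReadyFor }; },
  };
}

// Stand-alone run: the fake becomes initialized on the third status request.
waitForInitialization(fakeVault(2), {
  waitForInitializationAttempts: 5,
  waitForInitializationInterval: 10,
}).then((r) => console.log(`initialized after ${r.attempts} attempts`));
```

With the defaults the table mentions (5 attempts, 1 second), this loop spends at most 4 seconds waiting before startup fails.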
Actions
health
Obtain the Vault's health.
Parameters
No input parameters.
Results
Type: Object
The Vault's health status.
mounts
Obtain all mounts of the Vault.
Parameters
No input parameters.
Results
Type: Array.<Object>
mount
Mount a new secrets engine at a given path.
Parameters
| Property | Type | Default | Description |
| -------- | ---- | ------- | ----------- |
| mount_point | String | required | Specifies the path where the secrets engine will be mounted. |
| type | String | required | Specifies the type of the backend, such as "aws". |
| description | String | - | Specifies the human-friendly description of the mount. |
| config | Object | - | Specifies configuration options for this mount. |
| options | Object | - | Specifies mount-type-specific options that are passed to the backend. |
| local | Boolean | false | ENTERPRISE ONLY: Specifies if the secrets engine is a local mount only. Local mounts are not replicated nor (if a secondary) removed by replication. |
| seal_wrap | Boolean | false | ENTERPRISE ONLY: Enable seal wrapping for the mount. |
Results
Type: undefined
remount
Remount a mount to a different path.
Parameters
| Property | Type | Default | Description |
| -------- | ---- | ------- | ----------- |
| from | String | required | Specifies the previous mount point. |
| to | String | required | Specifies the new destination mount point. |
Results
Type: undefined
unmount
Unmount a mount from a path.
Parameters
| Property | Type | Default | Description |
| -------- | ---- | ------- | ----------- |
| mount_point | String | required | Specifies the path where the secrets engine is currently mounted. |
Results
Type: undefined
write
Write data to a Vault backend.
Parameters
| Property | Type | Default | Description |
| -------- | ---- | ------- | ----------- |
| path | String | required | Specifies the path to write to. |
| data | Object | required | The data to write. The schema of this object depends on the backend that is mounted at the given path. |
| requestOptions | Object | - | Additional request options that are passed to request-promise-native underneath. |
Results
Type: Object
The schema depends on the backend that is mounted at the given path.
read
Read data from a Vault backend.
Parameters
| Property | Type | Default | Description |
| -------- | ---- | ------- | ----------- |
| path | String | required | Specifies which data to read. |
| requestOptions | Object | - | Additional request options that are passed to request-promise-native underneath. |
Results
Type: Object
The schema depends on the backend that is mounted at the given path.
list
List data from a Vault backend.
Parameters
| Property | Type | Default | Description |
| -------- | ---- | ------- | ----------- |
| path | String | required | Specifies which data to list. |
| requestOptions | Object | - | Additional request options that are passed to request-promise-native underneath. |
Results
Type: Object
The schema depends on the backend that is mounted at the given path.
delete
Delete data from a Vault backend.
Parameters
| Property | Type | Default | Description |
| -------- | ---- | ------- | ----------- |
| path | String | required | Specifies which data to delete. |
| requestOptions | Object | - | Additional request options that are passed to request-promise-native underneath. |
Results
Type: Object
The schema depends on the backend that is mounted at the given path.
help
Obtain help from a Vault backend.
Parameters
| Property | Type | Default | Description |
| -------- | ---- | ------- | ----------- |
| path | String | required | Specifies for what to obtain help. |
| requestOptions | Object | - | Additional request options that are passed to request-promise-native underneath. |
Results
Type: Object
The schema depends on the backend that is mounted at the given path.
Test
```sh
$ docker-compose exec package yarn test
```

In development, with file watching:

```sh
$ docker-compose up
```
License
moleculer-vault is available under the MIT license.