@commander-lol/vault-client

A pluggable convenience wrapper around the Hashicorp Vault HTTP API

Usage: no npm install needed!

<script type="module">
  // Loads the package as an ES module straight from the CDN.
  // The URL carries no version, so the code that runs is whatever the CDN
  // resolves at load time; pin an exact version in the URL
  // (e.g. .../@commander-lol/vault-client@<version>) outside of experiments.
  // NOTE(review): the README examples pass Vault credentials to the client -
  // confirm browser use is intended before handing credentials to a page.
  import commanderLolVaultClient from 'https://cdn.skypack.dev/@commander-lol/vault-client';
</script>

README

vault-client

A pluggable wrapper around the Hashicorp Vault HTTP API

Installation

npm install @commander-lol/vault-client

What

This library provides the VaultClient class, which encapsulates 1 auth method and 0 or more named stores. Construction overhead amounts to a few class instantiations with no long-lived resource allocations, so creating a VaultClient per HTTP request is OK (e.g. for short-lease, JWT-based auth against the Vault instance with a client token).

How

const { VaultClient, VaultSimpleAuth, VaultKVStore } = require('@commander-lol/vault-client')

// Settings for the auth method: the login endpoint plus the AppRole pair.
// The '...' values are placeholders. secret_id is a credential, so supply it
// at runtime from your deployment's secret injection rather than committing
// it alongside the code.
const authOptions = {
    path: '/v1/auth/approle/login',
    credentials: {
        role_id: '...',
        secret_id: '...',
    },
}

// Settings for the store registered under the name `kv`.
const kvOptions = { path: '/v1/some/path' }

// One auth method and one named store; each entry in `options` is keyed by
// 'auth' or by the name the store was registered under in `stores`.
const client = new VaultClient('https://vault.host.example.com', {
    auth: VaultSimpleAuth,
    stores: { kv: VaultKVStore },
    options: { auth: authOptions, kv: kvOptions },
})

// Read a single key through the named store.
const value = await client.stores.kv.read('some_key')

More

Use JWT auth from Koa request context

NB: In real-world use cases, you should create a utility function elsewhere for creating a configured client, to keep your route handlers tidy.

const { VaultClient, VaultSimpleAuth, VaultKVStore } = require('@commander-lol/vault-client')

/* ... */

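/**
 * GET /secrets/:id - reads one secret from Vault on behalf of the caller.
 *
 * The caller's bearer JWT is forwarded to Vault's JWT login endpoint, so what
 * can be read is decided by the Vault policy attached to that login, not by
 * this handler. Responds 401 when no bearer token is supplied and 400 when
 * the requested id is not a plain key name.
 */
router.get('/secrets/:id', async (ctx) => {
    // The Authorization header is untrusted input. Require the Bearer scheme
    // instead of passing an arbitrary header value on as the token
    // (ctx.get returns '' when the header is absent).
    const bearerPrefix = 'Bearer '
    const header = ctx.get('Authorization')
    if (!header.startsWith(bearerPrefix)) {
        ctx.throw(401, 'Bearer token required')
    }
    const token = header.slice(bearerPrefix.length)

    // The route parameter is untrusted too and ends up in a Vault path.
    // Accept only plain key names so '/' or '..' segments cannot steer the
    // read outside the store's configured path. Adjust the pattern to your
    // own key naming scheme.
    const secretId = ctx.params.id
    if (!/^[A-Za-z0-9_-]+$/.test(secretId)) {
        ctx.throw(400, 'Invalid secret id')
    }

    // Credentials callback handed to the auth method.
    // NOTE(review): if someDecodeFn only decodes the token without verifying
    // its signature, values.role is caller-chosen here; this example then
    // relies on Vault validating the JWT against that role at login - confirm
    // the role's bound claims are restrictive enough.
    const getCredentials = async () => {
        const values = await someDecodeFn(token)

        return {
            jwt: token,
            role: values.role,
        }
    }

    const client = new VaultClient('https://vault.example.com', {
        auth: VaultSimpleAuth,
        stores: {
            secrets: VaultKVStore,
        },
        options: {
            auth: {
                path: '/v1/auth/jwt/login',
                credentials: getCredentials,
            },
            secrets: {
                path: '/v1/kvpath',
            },
        },
    })

    // NOTE(review): the store's result is returned to the caller as-is;
    // confirm it holds only what the client should see.
    ctx.body = await client.stores.secrets.read(secretId)
})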

/* ... */