fastify-secrets-vault

Fastify secrets plugin for HashiCorp's Vault

Usage no npm install needed!

<script type="module">
  import fastifySecretsVault from 'https://cdn.skypack.dev/fastify-secrets-vault';
</script>

README

Fastify Secrets Vault


Fastify secrets plugin for HashiCorp's Vault.

Install

npm install --save fastify-secrets-vault

Usage

Register the plugin on your Fastify instance and pass it the options for Vault.

const fastify = require('fastify')();
const secretsPlugin = require('fastify-secrets-vault');

// ...

fastify.register(secretsPlugin, {
  secrets: {
    mongo_password: '/path/to/secret',
    redis_password: {
      path: 'path/to/secret',
      key: 'master-key' // can also be an array of keys: ['key1', 'key2']
    }
  },
  vaultOptions: {
    token: '*****', // optional token for authenticating requests to Vault
    endpoint: 'http://127.0.0.1:8200'
  }
});

// inside an async function (or an ES module with top-level await)
await fastify.ready();

// ...

API

Register options

  • namespace: (optional) The plugin will add the secret values to fastify.secrets[namespace]

  • concurrency: (optional) How many concurrent secrets you can retrieve. Default value: 5

  • secrets: (required) An object representing a map of secret keys and references. It can be either in the form of:

    • redis_password: '/path/to/secret'

    or

    • If you want only a specific key
    redis_password: {
        path: '/path/to/secret/',
        key: 'main_token'
    }
    

    or

    • If you want to get multiple keys
    redis_password: {
        path: '/path/to/secret/',
        key: ['main_token','secondary_token']
    }
    

    Then you can access your secrets with fastify.secrets.main_token.

  • vaultOptions

    • secretsEngineVersion: (optional) The Vault KV Secrets Engine can operate in two modes, v1 and v2. Default value: v2.
    • endpoint: (optional) Endpoint for reaching the Vault server. Default value: http://127.0.0.1:8200.
    • token: (optional) Token to authenticate requests with.
    • authentication: (optional) Can be provided instead of token; it describes how to retrieve a token. Currently supported: ldap.

Authentication

LDAP

{
   method: 'ldap',
   credentials: {
     password: '*****',
     username: 'username'
   }
}
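
The usage snippet and the options above show a token or LDAP password written inline and a plain-HTTP endpoint. The following is an added example, not code from this package: it builds the same options object from the environment and rejects a non-TLS endpoint unless it is loopback. The function names and the environment variable names (VAULT_ADDR, VAULT_TOKEN, LDAP_USERNAME, LDAP_PASSWORD) are choices made for this example; the plugin itself is not stated to read them.

```javascript
'use strict';

// Hosts for which plain HTTP is tolerated (local development Vault only).
const LOOPBACK = new Set(['127.0.0.1', 'localhost', '[::1]']);

// Build the vaultOptions object described in "Register options".
// env is a plain object such as process.env.
function buildVaultOptions (env) {
  const endpoint = env.VAULT_ADDR || 'http://127.0.0.1:8200'; // README default
  const url = new URL(endpoint); // throws on a malformed endpoint

  // Over plain HTTP the token and the returned secrets cross the network in
  // clear text, so accept it only when Vault is on the same host.
  if (url.protocol !== 'https:' && !LOOPBACK.has(url.hostname)) {
    throw new Error(`refusing non-TLS Vault endpoint: ${url.origin}`);
  }

  const vaultOptions = { endpoint };
  if (env.VAULT_TOKEN) {
    vaultOptions.token = env.VAULT_TOKEN;
  } else if (env.LDAP_USERNAME && env.LDAP_PASSWORD) {
    // Same shape as the LDAP authentication object shown above.
    vaultOptions.authentication = {
      method: 'ldap',
      credentials: { username: env.LDAP_USERNAME, password: env.LDAP_PASSWORD }
    };
  } else {
    // Fail at startup instead of registering the plugin without credentials.
    throw new Error('set VAULT_TOKEN, or LDAP_USERNAME and LDAP_PASSWORD');
  }
  return vaultOptions;
}

// Full register options: the secrets map holds only Vault paths and key
// names (placeholders from this README), never secret values.
function buildPluginOptions (env) {
  return {
    secrets: {
      mongo_password: '/path/to/secret',
      redis_password: { path: '/path/to/secret/', key: 'main_token' }
    },
    vaultOptions: buildVaultOptions(env)
  };
}

// In the server:
//   fastify.register(secretsPlugin, buildPluginOptions(process.env));
```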

TypeScript

To use this plugin from TypeScript, enable the flag "esModuleInterop": true in tsconfig.json.

Then you can import it:

import secretsPlugin from 'fastify-secrets-vault';

If you want the secret values to be available on the fastify instance (e.g. fastify.secrets.main_token), you can create a types.ts containing:

import 'fastify';

declare module 'fastify' {
    interface FastifyInstance {
        secrets: {
            mongo_password: string;
            redis_password: string;
        };
    }
}

and then import './types' in your server.

Acknowledgements

This package follows the structure of fastify-secrets-core. There is another package for Vault, published by NearForm: fastify-secrets-hashicorp.

Example

You can also check an example usage.

Issues

For any issues.

License

MIT License