What are secrets?

Secrets are pieces of sensitive information that must be protected to preserve data confidentiality, integrity, and availability. They typically include credentials, API keys, passwords, encryption keys, and other confidential values on which the security of an application or system depends.

Secrets can be stored as environment variables, in configuration files, in key management systems, in encrypted databases, or in dedicated secret management tools.

HashiCorp Vault

Vault is a dedicated secret management tool for securely accessing secrets. It provides a unified interface to any secret while providing tight access control and recording a detailed audit log.

As an organization’s service portfolio grows, the complexity of managing secrets becomes more pronounced. The combination of Zero Trust principles and the prevalence of microservices has made handling sensitive information, including tokens, credentials, and keys, increasingly daunting. In such scenarios, HashiCorp’s Vault emerges as a valuable solution, providing organizations with the means to tackle and mitigate the challenges associated with secret management effectively.

While each cloud provider offers its own native secret management tools, relying on these solutions may result in vendor lock-in. In contrast, Vault is open source and can be easily transported across different environments.

While the HashiCorp Vault module can be integrated regardless of the flavor of JavaScript you are using, the examples here focus on Node.js. Install the module with the following command:

npm install hashi-vault-js --save

In order to use it, it needs to be included in the code file:

const Vault = require('hashi-vault-js');

To test if this is working in Node.js, we will create a file named testVault.js with the following chunk of code:

// Client for a Vault server listening on localhost:8200
const vault = new Vault({
    https: true,                             // connect over HTTPS
    baseUrl: 'https://127.0.0.1:8200/v1',    // Vault HTTP API base URL
    rootPath: 'secret',                      // mount path of the KV secrets engine
    timeout: 5000,                           // request timeout in milliseconds
    proxy: false
});

Module usage

This package covers a decent number of auth methods and secret engines. To use methods for creating, getting, updating, deleting secrets, etc., it is necessary to log in. It’s possible to perform a login on the Vault for various authorization types, like AppRole login, LDAP, TLS…

For example, logging in with a role-id/secret-id pair (AppRole login) and getting a client token can be done as follows:

// Await the login first; client_token is a field of the resolved result, not of the pending promise
const token = (await vault.loginWithAppRole(RoleId, SecretId)).client_token;

This token now serves as a key component for authenticating clients, authorizing their actions within the Vault, and managing secure access to secrets and resources stored in the Vault.

Next, you need the object you want to manipulate in the Vault. An example of such an object is shown below:

const Item = {
  name: "slack",
  data: {
    bot_token1: "xoxb-123456789012-1234567890123-1w1lln0tt3llmys3cr3tatm3",
    bot_token2: "xoxb-123456789013-1234567890124-1w1lln0tt3llmys3cr3tatm3"
  }
};

Creating a new secret in the Vault:

The createKVSecret method creates a key-value secret in HashiCorp Vault, using the provided authentication token, secret name, and data.

const data = await vault.createKVSecret(token, Item.name, Item.data);

Reading a secret from the Vault:

The content of a key-value secret is retrieved from HashiCorp Vault with the readKVSecret method, and the retrieved secret can then be used within the application. The parameters specify the access token and the name of the secret to read.

const secrets = await vault.readKVSecret(token, Item.name);

Updating a secret in the Vault:

An existing key-value secret is updated with the updateKVSecret method. The parameters specify the access token, the name of the secret to update, the new data, and the version being updated.

const newData = { bot_token1: "xoxb-new-token-value-1", bot_token2: "xoxb-new-token-value-2" }; // constructed replacement payload
const data = await vault.updateKVSecret(token, Item.name, newData, 1); // 1 = version of the secret being updated

Deleting a secret from the Vault:

An existing key-value secret is deleted with the eliminateKVSecret method. The parameters specify the access token and the name of the secret to delete.

const data = await vault.eliminateKVSecret(token, Item.name);

Error handling

This package enhances the error object so you can distinguish whether an exception originated in the Vault API layer or elsewhere, which is useful for debugging. It also attaches a helpful message taken from the Vault API documentation. An example of how to take advantage of this is shown below:

try {
  await vault.function(...);           // await, so a rejected promise is caught here instead of going unhandled
} catch (err) {
  if (err.isVaultError) {
    console.log(err.vaultHelpMessage); // the failure came from the Vault API layer
  } else {
    throw err;                         // anything else is not a Vault problem; re-throw it
  }
}
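The login-then-create/read/update/delete flow from the sections above, combined with the error-handling pattern just shown, as an added example that is not part of the original post or of the hashi-vault-js project. It assumes only the method names and error fields shown on the page; the in-memory fake client, the token value and the shape of what readKVSecret resolves to ({ data: ... }) are constructed stand-ins so the flow runs offline.

```javascript
// Added example, not from the original post or the hashi-vault-js project.
// Only the page's method names are assumed; the fake client is constructed.

// Run one client call; Vault API failures are re-thrown with the library's
// help message, anything else propagates. A rejection is only caught if awaited.
async function withVaultErrors(step, call) {
  try {
    return await call();
  } catch (err) {
    if (err.isVaultError) throw new Error(`${step}: ${err.vaultHelpMessage}`);
    throw err;
  }
}

// AppRole login, then create -> read -> update -> delete of one secret. client_token
// comes from the awaited login result; only key names are returned, never values.
async function secretLifecycle(vault, roleId, secretId, item, newData) {
  const auth = await withVaultErrors('login', () => vault.loginWithAppRole(roleId, secretId));
  const token = auth.client_token;
  await withVaultErrors('create', () => vault.createKVSecret(token, item.name, item.data));
  const read = await withVaultErrors('read', () => vault.readKVSecret(token, item.name));
  await withVaultErrors('update', () => vault.updateKVSecret(token, item.name, newData, 1));
  await withVaultErrors('delete', () => vault.eliminateKVSecret(token, item.name));
  return Object.keys(read.data);
}

// Constructed in-memory stand-in: same method names and error shape (isVaultError / vaultHelpMessage).
function makeFakeVault(roleId, secretId) {
  const store = new Map();
  const fail = (msg) => Object.assign(new Error(msg), { isVaultError: true, vaultHelpMessage: msg });
  const check = (t) => { if (t !== 'hvs.constructed-token') throw fail('permission denied'); };
  return {
    async loginWithAppRole(r, s) {
      if (r !== roleId || s !== secretId) throw fail('invalid role or secret ID');
      return { client_token: 'hvs.constructed-token' };
    },
    async createKVSecret(t, name, data) { check(t); store.set(name, { data, version: 1 }); return { version: 1 }; },
    async readKVSecret(t, name) { check(t); if (!store.has(name)) throw fail('secret not found'); return store.get(name); },
    async updateKVSecret(t, name, data, version) {
      check(t);
      if (store.get(name)?.version !== version) throw fail('check-and-set parameter did not match');
      store.set(name, { data, version: version + 1 });
      return { version: version + 1 };
    },
    async eliminateKVSecret(t, name) { check(t); store.delete(name); return {}; },
    has(name) { return store.has(name); },
  };
}
```

Against a real server, pass the hashi-vault-js client instead of makeFakeVault(...) and read RoleId and SecretId from the environment rather than from source.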

Conclusion

HashiCorp Vault, paired with the hashi-vault-js module, offers developers a straightforward and secure way to manage secrets. As shown above, using Vault for secrets is an easy, scalable, and secure way of handling them within applications, and as an open-source tool it avoids vendor lock-in. With simple authentication, useful error handling, and a unified interface, HashiCorp Vault proves invaluable in modern security landscapes.


“JavaScript integration with HashiCorp Vault API” Tech Bite was brought to you by Aldin Rizvo, Junior Quality Assurance Engineer at Atlantbh.

Tech Bites are tips, tricks, snippets or explanations about various programming technologies and paradigms, which can help engineers with their everyday job.
