## Installing and Integrating Vault: A Practical Guide
HashiCorp Vault is a powerful secret management tool, offering a secure way to store and control access to sensitive information such as passwords, API keys, certificates, and tokens. This article will guide you through the process of installing, initializing, creating secrets and policies, and finally, how to integrate Vault with a Node.js application.
1. Installing Vault
First, you'll need to install Vault on your system. Installation options vary depending on your operating system. Below are some examples:
- Linux (apt):
  ```bash
  sudo apt-get update && sudo apt-get install vault
  ```
- macOS (Homebrew):
  ```bash
  brew install vault
  ```
- Windows (Chocolatey):
  ```
  choco install vault
  ```

After installation, verify that Vault was installed correctly by running the command `vault --version` in your terminal.
2. Initializing Vault
After installation, the next step is to initialize Vault. Run the command `vault operator init`. This command will generate a set of encryption keys (unseal keys) and a "root token" value. It's crucial that you store the keys securely, as they are needed to unlock Vault. The "root token" grants full administrative access to Vault; handle it with care.

```bash
vault operator init
```

The command will return something like this:

```
Unseal Key 1: ...
Unseal Key 2: ...
Unseal Key 3: ...
Unseal Key 4: ...
Unseal Key 5: ...
Initial Root Token: ...
```
3. Unsealing Vault
Before using Vault, it needs to be unsealed. To do this, use the command `vault operator unseal`. You will need to provide a certain number of "Unseal Keys" (usually 3 or more) to unseal Vault. Execute this command repeatedly, providing one of the keys each time.

```bash
vault operator unseal
```
4. Authenticating in Vault
Now that Vault is unsealed, you need to authenticate. We will use the root token initially. Set the environment variable `VAULT_TOKEN` with the value of the "Initial Root Token" that was generated during initialization.

```bash
export VAULT_TOKEN=YOUR_ROOT_TOKEN
```

You can verify the authentication with the command `vault status`.
5. Creating Secrets
Vault stores secrets in a hierarchical storage system. Let's create a simple secret.
- Enabling the Secrets Engine: First, we need to enable the "kv" (key-value) Secrets Engine, which is used to store arbitrary data.
  ```bash
  vault secrets enable -path=secret kv
  ```
- Saving a Secret: Now, let's save a secret.
  ```bash
  vault kv put secret/my-app api_key=YOUR_API_KEY db_password=YOUR_DATABASE_PASSWORD
  ```
6. Creating Policies
Policies in Vault define what users can access. Create a file called `my-app-policy.hcl` with the following content:

```hcl
path "secret/my-app" {
  capabilities = ["read"]
}
```

This policy file allows reading the `secret/my-app` secret. Now, load the policy into Vault:

```bash
vault policy write my-app-policy my-app-policy.hcl
```
7. Creating a Token with the Policy
Create a token that has the newly created policy attached.
```bash
vault token create -policy=my-app-policy
```
This command will generate a token. Keep this token.
8. Integrating with a Node.js Application
Now, let's integrate Vault with a Node.js application.
- Install the dependencies:
  ```bash
  npm install vault-client
  ```
- Create an `index.js` file:
  ```javascript
  const Vault = require('vault-client');

  async function getSecrets() {
    const vault = new Vault({
      url: 'http://127.0.0.1:8200', // Change if Vault is at another address
      token: 'YOUR_TOKEN_GENERATED_ABOVE', // Use the token generated by the policy
    });

    try {
      const secret = await vault.read('secret/my-app');
      console.log('API Key:', secret.data.api_key);
      console.log('Database Password:', secret.data.db_password);
    } catch (error) {
      console.error('Error reading secret:', error.message);
    }
  }

  getSecrets();
  ```
- Run the application:
  ```bash
  node index.js
  ```
If everything is configured correctly, the Node.js script will retrieve and print the api_key and db_password from Vault.
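The read in step 8 can also be done against Vault's HTTP API directly, which makes the KV v1 versus KV v2 path and response differences explicit and lets the token come from the environment instead of the source file. This is an added example, not code from the article or from the `vault-client` package; the function names are hypothetical, the sample response bodies are constructed, and Node 18+ is assumed for the built-in `fetch`.

```javascript
// Added example, not the article's code. Function names are hypothetical.
// Requires Node 18+ for the built-in fetch.

const enc = (p) => p.split('/').map(encodeURIComponent).join('/');

// KV v1 (what `vault secrets enable -path=secret kv` mounts) is read at
// /v1/<mount>/<path>. KV v2 adds a "data/" segment, and the policy path must
// then be "secret/data/my-app" rather than "secret/my-app".
function kvReadUrl(addr, mount, path, kvVersion = 1) {
  const segments = kvVersion === 2 ? [mount, 'data', path] : [mount, path];
  return `${addr.replace(/\/+$/, '')}/v1/${segments.map(enc).join('/')}`;
}

// KV v1 returns the pairs in body.data; KV v2 nests them in body.data.data.
function extractKvData(body, kvVersion = 1) {
  const data = kvVersion === 2 ? body?.data?.data : body?.data;
  if (!data || typeof data !== 'object') {
    throw new Error(`response does not look like KV v${kvVersion}`);
  }
  return data;
}

async function readSecret({ addr, token, mount, path, kvVersion = 1, fetchImpl = globalThis.fetch }) {
  if (!token) throw new Error('no Vault token supplied (set VAULT_TOKEN)');
  const res = await fetchImpl(kvReadUrl(addr, mount, path, kvVersion), {
    headers: { 'X-Vault-Token': token },
  });
  // Vault answers 403 for an invalid token and for a path the policy does not cover.
  if (res.status === 403) throw new Error('403 permission denied: check token and policy path');
  if (!res.ok) throw new Error(`Vault returned HTTP ${res.status}`);
  return extractKvData(await res.json(), kvVersion);
}

// Constructed sample response bodies (not real secrets), for offline use.
const SAMPLE_V1 = { data: { api_key: 'example-key', db_password: 'example-pass' } };
const SAMPLE_V2 = { data: { data: SAMPLE_V1.data, metadata: { version: 1 } } };

// Offline demo: show the request URL and the key names only, never the values.
console.log(kvReadUrl('http://127.0.0.1:8200', 'secret', 'my-app', 1));
console.log(Object.keys(extractKvData(SAMPLE_V1, 1)).join(', '));
```

In the application, call `readSecret({ addr: process.env.VAULT_ADDR, token: process.env.VAULT_TOKEN, mount: 'secret', path: 'my-app' })` with the policy-scoped token from step 7 exported as `VAULT_TOKEN`.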
Conclusion
This guide provides a detailed introduction to installing, configuring, and integrating Vault into your application. Remember that security is paramount. Always store keys and tokens securely, and regularly review access policies. Explore the Vault documentation to discover more advanced features and optimize the security of your infrastructure.