mycro-secrets
Install
Install the hook
npm install --save mycro-secretsAdd it to hook config before any other hooks
// in config/hooks.jsmoduleexports = 'mycro-secrets' // ..Background
Most applications require secrets (sensitive data like credentials, api keys, tokens, etc) to interact with other services, databases, and third party apis. Most applications resort to environment variables for storing this sensitive data, but environment variables can become hard to manage and update. Vault has proven to be a very elegant tool for managing these secrets. This hook aims to abstract away the logic involved in fetching and renewing secrets and provide a simple and declarative api for specifying the secrets that an app requires before starting.
Getting Started
-
define your hook config
// in config/secrets.jsconst joi = ;moduleexports =// define a function for retrieving our 'secrets' config{// fetch your secrets config here;}// define a validation function to ensure that the secrets we receive// from vault include everything we require{joi;} -
define a secrets configuration somewhere (dynamo, s3, etc), and pass it to the hook
-
include this hook in your
hooksconfig// in config/hooks.jsmoduleexports =// ..'mycro-secrets'// ..; -
use your secrets
console// {// "host": "localhost",// "username": "<username>",// "password": "<password"// }
API
DynamoDB
Secret configurations are stored in DynamoDB. The table definition must have a hash key with
name id and type string. The config items follow the schema outlined below:
// the id of the config object "id": "<config-id>" // a map of secret urls to request from vault // note: a multi level map will be flattened and // concatenated with the vault url specified below "secrets": "/cubbhole": "/common": "common" "/my-service": "/bugsnag": "bugsnag" "vault": // OPTIONAL vault token to use in production // note: if a VAULT_TOKEN environment variable is found, it will be used instead "token": "<x-vault-token>" // OPTIONAL vault token to use during tests // note: if a VAULT_TOKEN_TEST environment variable is found, it will be used instead "test-token": "<x-vault-token>" // the vault server endpoint "url": "https://www.example.com/api/vault/v1" Using the config above, this hook will make the following requests from vault:
GET https://www.example.com/api/vault/v1/cubbyhole/common- the returned secret will be available at
mycro.secrets('common')
- the returned secret will be available at
GET https://www.example.com/api/vault/v1/cubbyhole/my-service/bugsnag- the returned secret will be available at
mycro.secrets('bugsnag')
- the returned secret will be available at
Hook Config
This hook can be configured by defining a configuration file at config/secrets.js. The structure of this file is outlined below:
// in config/secrets.jsmoduleexports = // the number of times to attempt to retreive each secret from vault. // if falsey, it will retry indefinitely (default) attempts: 3 // the id of the config object to request from DynamoDB configId: 'my-service' // how long to wait in between attempts interval: '30s' // can also be an integer representing milliseconds to wait // the dynamodb region to request from region: 'us-west-2' // the name of the dynamodb table holding config items` tableName: 'my-config-table' // a validation function that should return a joi schema that will be // used to validate the fetched secrets { return joiobject // ... }Testing
Run the test suite:
npm testRun coverage:
grunt coverageContributing
- Fork it
- Create your feature branch (
git checkout -b my-new-feature) - Commit your changes (
git commit -am 'Add some feature') - Push to the branch (
git push origin my-new-feature) - Create new Pull Request
License
Copyright (c) 2016 Chris Ludden. Licensed under the MIT license.