nodevault / node-vault Goto Github PK

When I execute node example/auth_userpass.js I get the following error:

authentication backends cannot create root tokens

My idea is to split this library in different npm packages because the functionality of vault is growing so fast. We could have a basic client for system backend and then extended clients for secret backends, auth backends and plugin backends as well. I would love to keep the repo and manage the publishing of the npm packages with a tool like lerna (https://github.com/lerna/lerna). WDYT?

Vault has an standard environment variable VAULT_SKIP_VERIFY which the vault cli client uses to ignore SSL errors when connecting to a vault server which has a self-signed/invalid SSL certificate. Since node-vault reads some of the standard vault environment variables like VAULT_ADDR and VAULT_TOKEN, one would ideally expect it to support VAULT_SKIP_VERIFY flag as well.

When running vault in HA mode, you must follow redirects on PUT/POST/DELETE. By default the request module only follows redirects for GET requests. To enable this you just have to set followAllRedirects to true when making a request. Only work around I see at the moment is to monkey patch the _request method:

  vault._request = function(opts, done) {
      debug(opts);
    var uri;
    if (opts == null) {
      opts = {};
    }
    uri = this.endpoint + "/" + this.apiVersion + opts.path;
    uri = this.mustache.render(uri, opts.json);
    uri = uri.replace(///g, '/');
    debug(opts.method + " " + uri);
    if (!opts['headers']) {
      opts.headers = {};
    }
    if (this.token != null) {
      opts.headers['X-Vault-Token'] = this.token;
    }
    opts.uri = uri;
    opts.followAllRedirects = true;
    return this.request(opts, function(err, res, body) {
      if (err) {
        debug(err);
        return done(err);
      }
      debug("RES " + (res != null ? res.statusCode : void 0));
      if (body) {
        if (typeof body !== 'object') {
          body = JSON.parse(body);
        }
        debug(body);
      }
      return done(err, res, body);
    });
  };

In an HA environment we will have multiple node (ex. https://a.vault.mycompany.com:8200, https://b.vault.mycompany.com:8200, ...). Because that library support only one endpoint I'm wondering what's the best practice here?

• Should endpoint support an array of nodes where we replay the request to another node in case of a failure?
• According to https://www.vaultproject.io/docs/concepts/ha.html#behind-load-balancers a load balancer isn't the best solution, ...
• Round robin DNS?
• Should we install the vault agent locally and use https://localhost:8200 as endpoint?

Thanks!

Exposing the request options will allow more flexibility.
https://github.com/request/request

For our case, to use this library we are using internal self signed certs that need to be attached.

Hi, I'm trying implement Vault in my project. So, I need to implement transit secret. I don't find any example. Can you help me?

I leave the link about that, https://www.vaultproject.io/docs/secrets/transit/

Is it possible?

Does this library support defining the namespace and mount point path when reading from Vault? I'm authenticating to the namespace and trying to read a value stored inside the namespace but am getting a 403.

The Token I passed to this library came from this command:
vault login -method=ldap -namespace=<namespace> -path=<mpp> username=<username> password=<password>

Using the CLI I can retrieve the value (I'm the namespace admin and have full access).

Hello,

I'm using node-vault as a dependency in a project. Because requiring the coffee-script interpreter monkey-patches Error.prepareStackTrace(), any code that I have with require "source-map-support/register" early in the file is overwritten by any later call to require "node-vault".

Got this error when I tried to require the module.

I guess it is because main field is referring to non existing path ./lib/node-vault.js in package.json

I don't really understand how it helps, I was able to get GithubAuth working via just a POST request but I am not sure I understand the example.

I think I understand what the examples does, step by step. It seems to try to auth first but for me it stops there because I don't yet have the token needed for auth so it goes directly to the error handling.

I am guessing it's because your example first enables GitHub auth (and therefore needs a token to do so). If I am correct, I am happy to submit a PR with more comments in the GitHub example.

When I do use vault.githubLogin by itself, it doesn't work because it doesn't follow a 307 that my vault throws at it. I am not sure it's something specific with my vault setup though.

Thank you in advance,

Erik

A recent, unreleased commit, where main in package.json was changed from src/index.js to dist/index.js, seems to have broken the loading of this library. The transpiled files are concatenated into a single file, but the require('./commands.js') call is still present. I think the fix is simply not concatenating the output.

Error: Cannot find module './commands.js'
    at Function.Module._resolveFilename (module.js:339:15)
    at Function.Module._load (module.js:290:25)
    at Module.require (module.js:367:17)
    at require (internal/module.js:16:19)
    at Object.<anonymous> (.../node_modules/node-vault/dist/index.js:168:16)

Cookie authentication for the client will be removed in 0.3. Please migrate to using the X-Vault-Token header instead.

Thanks!

tldr; How can I use github auth and call the other vault commands?

Hi, this looks like a great module but I'm super unclear as to how to use it.

Currently I'm trying to replicate the following using node-vault

vault auth --method github
vault list secret

This is currently what I have:

const vault = require("node-vault")({
	endpoint: process.env.VAULT_ADDR,
	token: process.env.VAULT_AUTH_GITHUB_TOKEN
})

vault.githubLogin({
	token: process.env.VAULT_AUTH_GITHUB_TOKEN
})
	.then(res => {
		console.log(res)
		return vault.list('secret')
	})
	.then(res => {
		console.log(res)
	})
	.catch(error => {
		console.log(error)
	})

The issue I'm having here is that the .githubLogin(...) resolves but when I call vault.list('secret') I get a 403 promise rejection. I dug around the code and it seems you can pass an object as the second parameter to list with a token value, but I've tried using my process.env.VAULT_AUTH_GITHUB_TOKEN, res.auth.client_token, res.auth.accessor&res.auth.entity_id` but it always rejects with a 403.

On line 135 (https://github.com/kr1sp1n/node-vault/blob/master/node-vault.coffee#L135)

debug err if err
debug "RES #{res.statusCode}"

If there is an error, res is likely undefined. Logging the next line will throw an exception.

Could be changed to either return early or:

debug err if err
debug "RES #{res?.statusCode}"

ae57b06 at least exposes the error message for non-2xx responses. However, calling health() on a sealed node throws an error even though it contains useful information. This should be somehow exposed to the user. e.g.:

$ curl -i https://vault-node2:8200/v1/sys/health
HTTP/1.1 429 Too Many Requests
Content-Type: application/json
Date: Tue, 13 Sep 2016 12:52:34 GMT
Content-Length: 197

{"initialized":true,"sealed":false,"standby":true,"server_time_utc":1473771154,"version":"Vault v0.6.1","cluster_name":"vault-cluster-f6f83756","cluster_id":"e4b462cf-d3b8-44dc-c3d7-f3bbcbf7a994"}

The 429 response code is expected for a standby HA node, but the response still contains the status information.

Right now on the latest release, this just throws the error fixed by ae57b06. However, even on master with that fix, I don't get the response, I get a caught error:

CAUGHT ERROR
Error: Status 429
    at handleVaultResponse (/home/jantman/manheim/git/ReleaseEngineering/terraform-vault/healthcheck/vaults/node_modules/node-vault/dist/index.js:31:29)
    at tryCatcher (/home/jantman/manheim/git/ReleaseEngineering/terraform-vault/healthcheck/vaults/node_modules/request-promise/node_modules/bluebird/js/main/util.js:26:23)
    at Promise._settlePromiseFromHandler (/home/jantman/manheim/git/ReleaseEngineering/terraform-vault/healthcheck/vaults/node_modules/request-promise/node_modules/bluebird/js/main/promise.js:510:31)
    at Promise._settlePromiseAt (/home/jantman/manheim/git/ReleaseEngineering/terraform-vault/healthcheck/vaults/node_modules/request-promise/node_modules/bluebird/js/main/promise.js:584:18)
    at Promise._settlePromises (/home/jantman/manheim/git/ReleaseEngineering/terraform-vault/healthcheck/vaults/node_modules/request-promise/node_modules/bluebird/js/main/promise.js:700:14)
    at Async._drainQueue (/home/jantman/manheim/git/ReleaseEngineering/terraform-vault/healthcheck/vaults/node_modules/request-promise/node_modules/bluebird/js/main/async.js:123:16)
    at Async._drainQueues (/home/jantman/manheim/git/ReleaseEngineering/terraform-vault/healthcheck/vaults/node_modules/request-promise/node_modules/bluebird/js/main/async.js:133:10)
    at Immediate.Async.drainQueues (/home/jantman/manheim/git/ReleaseEngineering/terraform-vault/healthcheck/vaults/node_modules/request-promise/node_modules/bluebird/js/main/async.js:15:14)
    at runCallback (timers.js:570:20)
    at tryOnImmediate (timers.js:550:5)
    at processImmediate [as _immediateCallback] (timers.js:529:5)

Looking at the example to add a policy, it's not clear how to pass the rules

vault.addPolicy { name: 'mypolicy' }, (err, result)->

how are the rules meant to be passed in ? for example, should it be this ?

rules:[ {path: "sys/policy",  { policy: "write" } }] 

vault.approleSecretAccessorLookup() currently requires a parameter secret_id
I think that's a simple typo, and should instead be secret_id_accessor

That would match the Vault API doc https://www.vaultproject.io/api/auth/approle/index.html#read-approle-secret-id-accessor
... and works for me if I change it locally.

put: /sys/rotate

https://vaultproject.io/docs/http/sys-rotate.html

Beforehand(0.4.5) token addition to the header was conditional on it having a value.

With commit 1e8fcf3 that stopped happening.

We need to be able to perform requests without a token, to authenticate yourself with other methods for example.

However the following error occurs when updating to the latest version and probably all versions where commit 1e8fcf3 lies in.

< uncaughtException:  Error: "value" required in setHeader("X-Vault-Token", value)
<     at ClientRequest.OutgoingMessage.setHeader (_http_outgoing.js:342:11)
<     at new ClientRequest (_http_client.js:85:14)
<     at Object.exports.request (http.js:31:10)
<     at Request.start (/Users/mlopes/workspace/expedia/ewe/applications/cloudtoolbox-web/node_modules/request/request.js:801:30)
<     at Request.write (/Users/mlopes/workspace/expedia/ewe/applications/cloudtoolbox-web/node_modules/request/request.js:1466:28)
<     at end (/Users/mlopes/workspace/expedia/ewe/applications/cloudtoolbox-web/node_modules/request/request.js:528:18)
<     at /Users/mlopes/workspace/expedia/ewe/applications/cloudtoolbox-web/node_modules/request/request.js:552:9
<     at _combinedTickCallback (internal/process/next_tick.js:67:7)
<     at process._tickDomainCallback (internal/process/next_tick.js:122:9)

Thank you very much in advance =]

perhaps I'm being immensely dense this morning, but how would I go about creating a token ? I can't seem to find a method to do so

I can get a list of auths from my vault (app-id and token), but how do I actually create a new token ?

thanks

On an error with the response we are dumping the response object as part of the error.

This often leads to the request headers being printed to console, or worse logged in whatever system people use with a potential valid token in the message.

As titled. Any plans yet?

• Use Tagged template literals instead mustache
• Use r2 instead of full-blown request + request-native-promise package
• Use ES6 syntax
• Provide packages for different Auth backends
• Provide better documentation

I will help you to reach the goals.

Hi,

I need to get my secret on my separate host vault server setup but after I perform vault.userpassLogin({ username, password }) I got this error.

(node:33152) UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 2): Error: authentication backends cannot create root tokens

I want to refactor this package to use Javascript in favour of Coffeescript.
Hey folks, what you think?

As the title says, is there support for auth/approle? I have checked through the features page and it seems only auth/token is present.

It doesn't matter whether tests fail or not, docker-compose exits with exit code 0.

docker/compose#3379

I tried fixing it with no luck:

• added tty: true -- tests hang when done
• changed cmd to sh -c 'npm test; exit $? -- docker-compose still swallowed it

Consider this code:

const result = await this.vault.write(
    '/totp/keys/[email protected]',
    {
        url: 'otpauth://totp/SecSys:[email protected]?issuer=SecSys&secret=somesecret',
        requestOptions: {
            followAllRedirects: true
        }
    }
);

It works as expected when performing the request from, say, Postman, but always return "Status 301" when I call it from node-vault.

I'm pretty sure that Vault initialized and running. All GET request work as usual. Maybe it's somewhat related to #23

node-vault 0.9.5

Hi All,

Is there any way to specify the which RooT/Trusted intermediate CA certificate to use in communication to Vault API endpoint ?

PS: Looking at the code I used VAULT_SKIP_VERIFY=true to avoid checking just for development/testing purposes but in production I need to verify the Vault endpoint is trusted one.

Regards,
Constantin

There is no support for LDAP login like the userpassLogin() works. It could be another entry in commands.js, I think.

It makes sense to be able to send custom HTTP headers to Vault so that they can be included in vault audit logs. These headers can include additional metadata to be tracked in audit logs.

Usage scenario: application running in docker container when requesting credentials from vault ca n post, for instance two custom headers like 'X-Application-Name: app-name' and 'X-Application-Version: 1.0.0' which will appear in vault audit logs.

Via API (curl) this can be done as:

curl -sk -H "X-Vault-Token: <token>" -H "X-Application-Name: app-test" -X GET https://***.****.***:8200/v1/secret/custom 

Then in audit logs we can capture something like:

    "request": {
      "id": "ef5e02ca-b9ae-8846-6835-1c91168890c3",
      "operation": "read",
      "client_token": "hmac-sha256:911623f1a0e5dfd31368c107b62782dc1375dd28a20f01068df69a1187f4891f",
      "client_token_accessor": "hmac-sha256:c9336f259dc9201577f7fb8efebcdfa74497f4a66afd108df888b293e73f605b",
      "path": "secret/custom",
      "data": null,
      "remote_address": "172.19.0.28",
      "wrap_ttl": 0,
      "headers": {
        "x-application-name": [
          "app-test"
        ]
      }

This will allow to track from which application the request came from. At the moment the audit logs include source IP which doesn't help.

I have a vault server running at localhost:8200

going through the example code is giving me the Error: Vault is already initialized

var vault = require("node-vault")();

vault.init({ secret_shares: 1, secret_threshold: 1 })
.then((result) => {
  console.log(result);
  vault.token = result.root_token;
  const key = result.keys[0];
  return vault.unseal({ secret_shares: 1, key });
})
.catch(err => console.error(err));

this also doesn't work for me

var vault = require("node-vault")();

vault.initialized()
.then((result) => {
  console.log(result); // { initialized : true }
  return vault.init({ secret_shares: 1, secret_threshold: 1 });
})
.then((result) => { // doesn't resolve because vault is already initialized
  console.log(result);
  vault.token = result.root_token;
  const key = result.keys[0];
  return vault.unseal({ secret_shares: 1, key });
})
.then(console.log)
.catch((err) => console.error(err.message));

how do i get the root_token?

I am using boostport/kubernetes-vault
so i do have access to the vault-token.

{
   "clientToken":"91526d9b-4850-3405-02a8-aa29e74e17a5",
   "accessor":"476ea048-ded5-4d07-eeea-938c6b4e43ec",
   "leaseDuration":3600,
   "renewable":true,
   "vaultAddr":"https://vault:8200"
}

is there a way i can read vault secrets with the clientToken?

var vault = require("node-vault")({
  token : clientToken,
  endpoint : vaultAddr
});

vault.initialized()
.then((result) => {
  console.log(result); // { initialized : true }
  return vault.read('database/config/prod-pg');
})
.then(dbConfig => {
  console.log('DB Config', dbConfig);
})
.catch((err) => console.error(err.message)); // Error: permission denied

returns Error: permission denied

I'm wondering if there are docs to

• explain real-world usage scenarios for on-boarding and authenticating new teammates, as well as that if that process is automatable
• whether or not this is in memory or connecting to a hosted Vault backend, along with tradeoffs of each

Is there any plan to support promises instead of callbacks for this project?

Can bluebird dependency be removed and use native promise instead? I tried to set promise in config but bluebird is still getting installed.

This package stopped working on latest vault k/v store and I think it has something to do with the new versioning feature in Vault.

hashicorp/vault#4281

How to combine this node client with plugins like MongoDB Database Plugin? I'd like to use it but I can't see any docs about that.

Hello,

Would like to know how can we override the default timeout of 30 seconds ?

Thank you

Sincerely,
Manjiri

Well, I'm trying to use the unseal() method , but when I do, I get the message

 { [Error: Vault is sealed] statusCode: 503, statusMessage: 'Service Unavailable' }

yes, well, I agree - that's why I am trying to unseal it ;)

According to the Vault docs for logging in with AppRole, it appears that the secret_id is not always required if bind_secret_id=false against the AppRole.

However, we get the following error: Missing required property: secret_id.

Repro code:

const NodeVault = require("node-vault");

const vault = NodeVault({ apiVersion: "v1", endpoint: process.env.VAULT_URL });

vault
  .approleLogin({ role_id: 'ebadc783-4b12-e465-3f84-3490d297c88d', requestOptions: { followAllRedirects: true } })
  .then(result => console.log(result))
  .catch(err => console.error(err));

This produces the following output:

{ Error
    at new ValidationError (/Users/rlew/Desktop/node-vault-repro/node_modules/tv4/tv4.js:1461:12)
    at ValidatorContext.createError (/Users/rlew/Desktop/node-vault-repro/node_modules/tv4/tv4.js:359:14)
    at ValidatorContext.validateObjectRequiredProperties (/Users/rlew/Desktop/node-vault-repro/node_modules/tv4/tv4.js:993:22)
    at ValidatorContext.validateObject (/Users/rlew/Desktop/node-vault-repro/node_modules/tv4/tv4.js:960:11)
    at ValidatorContext.validateAll (/Users/rlew/Desktop/node-vault-repro/node_modules/tv4/tv4.js:603:11)
    at Object.validate (/Users/rlew/Desktop/node-vault-repro/node_modules/tv4/tv4.js:1573:24)
    at validate (/Users/rlew/Desktop/node-vault-repro/node_modules/node-vault/src/index.js:138:23)
    at Object.client.(anonymous function) [as approleLogin] (/Users/rlew/Desktop/node-vault-repro/node_modules/node-vault/src/index.js:172:14)
    at Object.<anonymous> (/Users/rlew/Desktop/node-vault-repro/node-vault-repro.js:6:4)
    at Module._compile (module.js:635:30)
  message: 'Missing required property: secret_id',
  params: { key: 'secret_id' },
  code: 302,
  dataPath: '',
  schemaPath: '/required/1',
  subErrors: null,
  stack: 'Error\n    at new ValidationError (/Users/rlew/Desktop/node-vault-repro/node_modules/tv4/tv4.js:1461:12)\n    at ValidatorContext.createError (/Users/rlew/Desktop/node-vault-repro/node_modules/tv4/tv4.js:359:14)\n    at ValidatorContext.validateObjectRequiredProperties (/Users/rlew/Desktop/node-vault-repro/node_modules/tv4/tv4.js:993:22)\n    at ValidatorContext.validateObject (/Users/rlew/Desktop/node-vault-repro/node_modules/tv4/tv4.js:960:11)\n    at ValidatorContext.validateAll (/Users/rlew/Desktop/node-vault-repro/node_modules/tv4/tv4.js:603:11)\n    at Object.validate (/Users/rlew/Desktop/node-vault-repro/node_modules/tv4/tv4.js:1573:24)\n    at validate (/Users/rlew/Desktop/node-vault-repro/node_modules/node-vault/src/index.js:138:23)\n    at Object.client.(anonymous function) [as approleLogin] (/Users/rlew/Desktop/node-vault-repro/node_modules/node-vault/src/index.js:172:14)\n    at Object.<anonymous> (/Users/rlew/Desktop/node-vault-repro/node-vault-repro.js:6:4)\n    at Module._compile (module.js:635:30)' }

This means that we are unable to use node-vault with AppRoles that do not require a secret_id using node-vault.

I was wondering if you could change tokens after opening a vault session by setting the "token" property. Is this supported ?

The call to validate happens as part of my application health check monitoring. I am going to temporarily take it out until a more long term solution is found. If there is a workaround please let me know.

We are using version 0.6.1 and I am going to try updating the library first, in case this was fixed already.

It took me awhile to get to the bottom of why my process was crashing, but here is the stack trace (I spared you the middle 20000 lines :) ):

unhandledRejection:Maximum call stack size exceeded stack:RangeError: Maximum call stack size exceeded
    at isPlainObject (/app/node_modules/extend/index.js:14:43)
    at extend (/app/node_modules/extend/index.js:64:27)
    at extend (/app/node_modules/extend/index.js:73:22)
    at /app/node_modules/request/index.js:89:5
    at /app/node_modules/request/index.js:101:12
    at /app/node_modules/request/index.js:101:12
  ...
    at /app/node_modules/request/index.js:101:12
    at /app/node_modules/request/index.js:101:12
    at /app/node_modules/request/index.js:101:12
    at /app/node_modules/request/index.js:101:12
    at /app/node_modules/request/index.js:101:12
    at /app/node_modules/request/index.js:101:12
    at /app/node_modules/request/index.js:101:12
    at Object.client.request (/app/node_modules/node-vault/src/index.js:79:12)
    at validate.then.then.then (/app/node_modules/node-vault/src/index.js:163:41)
    at <anonymous>
    at process._tickDomainCallback (internal/process/next_tick.js:228:7)```

Currently if you use a self-signed certificate, I don't see an easy way to use this with node-vault. The only way seems to be:

var https = require('https');
https.globalAgent.options = {
    rejectUnauthorized: false,
    ca: <string of ca>,
};

The Vault.prototype._handleCallback function seems to mangle the original options passed into individual requests before passing on to the request module.

We use node-vault version 0.9.0

Our application logs stack traces when connecting to vault and in the stack_trace I can see the clear text vaule of vault token which is a huge risk, can the token be masked or hidden somehow ?
Here is the example :

Unexpected error connecting to vault: { RequestError: Error: connect ETIMEDOUT <vault_ip_address>:<vault_port>
at new RequestError (/pmt-node-modules/node_modules/request-promise-core/lib/errors.js:14:15)
at Request.plumbing.callback (/pmt-node-modules/node_modules/request-promise-core/lib/plumbing.js:87:29)
at Request.RP$callback [as _callback] (/pmt-node-modules/node_modules/request-promise-core/lib/plumbing.js:46:31)
at self.callback (/pmt-node-modules/node_modules/request/request.js:185:22)
at emitOne (events.js:116:13)
at Request.emit (events.js:211:7)
at Request.onRequestError (/pmt-node-modules/node_modules/request/request.js:877:8)
at emitOne (events.js:116:13)
at ClientRequest.emit (events.js:211:7)
at TLSSocket.socketErrorListener (_http_client.js:401:9)
at emitOne (events.js:116:13)
at TLSSocket.emit (events.js:211:7)
at emitErrorNT (internal/streams/destroy.js:66:8)
at _combinedTickCallback (internal/process/next_tick.js:139:11)
at process._tickCallback (internal/process/next_tick.js:181:9)
name: 'RequestError',
message: 'Error: connect ETIMEDOUT <vault_ip_address>:<vault_port>',
cause:
{ Error: connect ETIMEDOUT <vault_ip_address>:<vault_port>
at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1191:14)
errno: 'ETIMEDOUT',
code: 'ETIMEDOUT',
syscall: 'connect',
address: '<vault_ip_address>',
port: <vault_port>},
error:
{ Error: connect ETIMEDOUT <vault_ip_address>:<vault_port>
at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1191:14)
errno: 'ETIMEDOUT',
code: 'ETIMEDOUT',
syscall: 'connect',
address: '<vault_ip_address>',
port: <vault_port>},
options:
{ json: true,
resolveWithFullResponse: true,
simple: false,
strictSSL: true,
path: '/secret/<path_to_secret>',
method: 'GET',
headers: { 'X-Vault-Token': '<vault_token_in_clear_text>' },
uri: 'https://<vault_address>:<vault_port>/v1/secret/<path_to_secret>',
callback: [Function: RP$callback],
transform: undefined,
transform2xxOnly: false },
response: undefined }

Since I upgraded from v0.9.3 to v0.9.4 I cannot run anymore the unseal function:

> vault.unseal({key: "secretvaluestrippedout" }).catch((err) => { if (err.message !== 'Whatever') {throw err;}})
Promise {
  <pending>,
  domain:
   Domain {
     domain: null,
     _events: { error: [Function: debugDomainError] },
     _eventsCount: 1,
     _maxListeners: undefined,
     members: [] } }
> (node:5465) UnhandledPromiseRejectionWarning: Error: EOF
    at handleVaultResponse (/tmp/node_modules/node-vault/src/index.js:49:21)
    at <anonymous>
    at process._tickDomainCallback (internal/process/next_tick.js:229:7)
(node:5465) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 8)

So, I've hastily put together a proof-of-concept. this isn't the prettiest code, but it works :)

Design goal: I'd like to use the VAULT AWS IAM Auth backend with node-vault. Specifically, so that I can use vault with aws lambda.

This would be so that I can setup an AWS IAM role tied to the lambda function, and then give that role access to vault policies.

because getting a aws4 signature is a bit more complex than something simple like github_login, there is a header construction, aws4 signature phase, and then a base64 encoding.

In lambda, I have this working code:

const vault = require('node-vault')({ endpoint: 'https://vault.example.io:8200' })
const role = process.env.IAM_ROLE_NAME || "vault-lambda-test-role"

exports.handle = (event, context, callback) => {
  vault.awsIamLogin(role)
  .then(result => {
    vault.token = result.auth.client_token
    return vault.read('secret/dev/parse')
  }).then(result => {
    callback(null, result)
  }).catch(error => {
    callback(error)
  })
}

and I added this to src/index.js:

var aws4 = require('aws4'); 
...

...
client.awsIamLogin = function (role, id) {
    debug('aws IAM login ' + role);
    var awsLoginBody = getSignedAWSLoginConfig(role, id)
    var options = Object.assign({}, config.requestOptions);
    options.path = '/auth/aws/login';
    options.method = 'POST';
    options.body = awsLoginBody;
    return client.request(options)
  }

  function getSignedAWSLoginConfig(role, id) {
    var body = 'Action=GetCallerIdentity&Version=2011-06-15';
    var url = 'https://sts.amazonaws.com/';
    var signedRequest;
    if (id) {
      signedRequest = aws4.sign({
        service: 'sts',
        headers: {'X-Vault-AWS-IAM-Server-ID': id},
        body: body
      });
    } else {
      signedRequest = aws4.sign({service: 'sts', body: body});
    }
    var headers = signedRequest.headers;
    var header;
    for (header in headers) {
      if (typeof headers[header] === 'number') {
        headers[header] = headers[header].toString()
      }
      headers[header] = [headers[header]]
    }
    return {
      role: role,
      iam_http_request_method: 'POST',
      iam_request_url: new Buffer(url).toString('base64'),
      iam_request_body: new Buffer(body).toString('base64'),
      iam_request_headers: new Buffer(JSON.stringify(headers)).toString('base64')
    }
  }

So - I guess my question is: where is the best place to put the specific aws boilerplate coded needed for IAM auth, any input or advice before I start prepping for a refactor and PR?

When using Vault via HTTPS with a certificated signed by a self-signed/non-trusted root, it is necessary to provide the root certificate when making the request. Rather than having to include requestOptions on every API call, it would be helpful to specify a default set of options in the client configuration. For example:

const options = {
  apiVersion: 'v1',
  endpoint: 'https://127.0.0.1:8200',
  requestOptions: {
    ca: fs.readFileSync('root.cer', 'utf8')
  }
}
vault(options).status().then(result => console.log(result))

It looks like this warning is happening in index.js:189:54 because the result of the validate call, which is a promise and not a function, is passed to then.

Not critical because the promise chain continues regardless, but it's unnecessary noise in the server logs :)