Comments (16)
any progress with this?
from node-vault.
With the help of @rjrbt's code, I was able to use his `getSignedAWSLoginConfig` and the built-in node-vault function `node-vault.generateFunction` to come up with the following code that allows AWS IAM login without modifying the node-vault source code.
```js
// VaultWrapper.js
const nv = require('node-vault');
// getSignedAwsLoginBody is @rjrbt's helper referred to above; the module path is a placeholder.
const { getSignedAwsLoginBody } = require('./getSignedAwsLoginBody');

const vault = nv({
  apiVersion: 'v1',
  endpoint: process.env.VAULT_ENDPOINT,
  // debug: (...args) => console.log('[NodeVault]', args),
});

// Register a client method that POSTs to the AWS auth mount's login endpoint.
vault.generateFunction('awsIamLogin', {
  method: 'POST',
  path: '/auth/aws/login',
});

// NOTE: I'm using async/await
const vaultLogin = async () => {
  // check if we are already logged in and have a token
  if (vault.token) return vault;
  const postBody = await getSignedAwsLoginBody(); // role and request ID moved inside
  const authResult = await vault.awsIamLogin(postBody);
  vault.token = authResult.auth.client_token;
  // Success, now you can call vault.read or .write
  return vault;
};

module.exports = { vaultLogin, vault };
```
This would be a good thing to add to the readme. I additionally added some logic that uses STS to assume roles inside my `getSignedAwsLoginBody` and signs the request with those credentials.
@dublx great! Here's a list:
- I have a branch here which is a complete refactor of node-vault (see this pull request). It needs to be updated with all the changes, features, tests and bugfixes added in the previous version since I last worked on it. Also some tests and documentation must be added as I couldn't finish it.
- The branch I created for this feature (aws-auth) needs to be updated with the changes in the refactor branch.
- Tests and documentation must be created for this feature.
- Once all of this is done, it must be tagged and published onto NPM (v1.0).
- Would be nice to leave comments in open PRs to let authors know that the refactor has happened so that they can send the changes based on the new version instead of the outdated one.
Hope this is useful :)
I am sorry I couldn't merge this back then. I keep convincing myself that I will be able to do it sometime soon but things keep getting complicated and my life keeps getting busier and busier so I can't really promise anything.
Would be happy to give some guidance to someone who can get it done.
Sorry @dvejmz I didn't see your message in time.
Hmu if you still can lend a hand and I'll guide you so we can finally get this merged. @kr1sp1n made me a maintainer a while ago so I would be able to merge it and publish it on NPM when it's done.
Keep in mind that all new changes added to the old version should be ported to the refactored branch too.
Thanks for your interest and sorry for my lack of replies. Life's complicated!
@kr1sp1n, @rjrbt
Does it mean the current node-vault package has no way to auth against the Vault using the EC2 appRole and its pkcs#7? I did find an `auth` function but I'm not sure what the valid values in `requestOptions` are.
This is what I do on the CLI that needs to be done using `node-vault`:

```shell
vault write auth/aws-ec2/login role='reader' nonce='086ec704-311a-4111-8190-418bc6e0ab57' \
  pkcs7=$(curl --noproxy 169.254.169.254 --silent --fail http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 | tr --delete "\n")
```
After working on a massive refactor of the project, I also implemented automatic AWS EC2 IAM login in this branch of mine (PR coming soon). Check the implementation to know the details. Documentation coming soon as well. It basically extracts all the info from the EC2 instance metadata service to generate the `STSGetCallerIdentity` signed request. Important: the vault role will have the same id (name?) as the aws role. For example, if your aws role is named `db-admin-role`, the vault role will need to be named `db-admin-role` as well (and be bound to the aws role as described in the Vault documentation).
Suggestions?
The interface is:
```js
const awsVault = require('node-vault').awsAuth()
const stuff = async () => {
  const vault = await awsVault
  await vault.write('secret/something', { value: 'somevalue' })
  console.log(await vault.read('secret/something'))
}
```
The exported `.awsAuth()` method returns a Promise that fulfills with an authenticated `vault` client.
I am exploring how to make something like `require('node-vault/aws-auth')` possible.
Also automatic environment detection (if the platform is EC2, lambda or ECS) would be a nice idea, to support all types of AWS "inferred" authentication out of the box. Currently only EC2 IAM is supported, so if this runs on lambda, for example, it will crash.
Not sure whether to support EC2 + PKCS#7 (not IAM) auth as well. I'm not sure we can detect that. Maybe we could first try EC2 IAM and fall back to EC2 PKCS#7 if the former fails.
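Both suggestions in the two comments above, platform detection and an IAM-first, PKCS#7-second fallback, sketched as an added example that is not from node-vault or any branch of it. The environment variables are the ones the Lambda and ECS runtimes actually set; the login functions themselves are injected, so the decision logic runs offline, and the attempt order and error reporting are choices made for this example. The one point worth taking from it is that the PKCS#7 fallback is only offered where an instance identity document exists: on Lambda and ECS a second attempt can only add a second failure.

```javascript
'use strict';

// Map the process's surroundings to an identity source. `env` is injectable for tests.
// Variables: AWS_LAMBDA_FUNCTION_NAME (Lambda), AWS_CONTAINER_CREDENTIALS_RELATIVE_URI /
// ECS_CONTAINER_METADATA_URI(_V4) (ECS tasks). Anything else is treated as EC2.
function detectAwsPlatform(env = process.env) {
  if (env.AWS_LAMBDA_FUNCTION_NAME) {
    // Lambda injects the execution role's temporary credentials into the environment.
    return { platform: 'lambda', credentialSource: 'env', pkcs7Possible: false };
  }
  if (env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI || env.ECS_CONTAINER_METADATA_URI_V4
      || env.ECS_CONTAINER_METADATA_URI) {
    // ECS tasks get credentials from the task endpoint (169.254.170.2), not from IMDS.
    return { platform: 'ecs', credentialSource: 'container-endpoint', pkcs7Possible: false };
  }
  if (env.AWS_ACCESS_KEY_ID && env.AWS_SECRET_ACCESS_KEY) {
    // Explicit keys (developer machine, CI): IAM login is possible, PKCS#7 is not.
    return { platform: 'static-credentials', credentialSource: 'env', pkcs7Possible: false };
  }
  // No hints: assume EC2, where both the instance profile (via IMDS) and the PKCS#7
  // instance identity document are reachable.
  return { platform: 'ec2', credentialSource: 'imds', pkcs7Possible: true };
}

// Ordered attempts. Each entry's run() resolves to a Vault client token; the login
// functions (methods.iamLogin, methods.ec2Login) are supplied by the caller.
function loginPlan(platformInfo, methods) {
  const plan = [{ name: 'aws-iam', run: methods.iamLogin }];
  // Only fall back to PKCS#7 where an identity document exists.
  if (platformInfo.pkcs7Possible && methods.ec2Login) {
    plan.push({ name: 'aws-ec2-pkcs7', run: methods.ec2Login });
  }
  return plan;
}

// Try each method in turn, keeping every failure so the final error says why.
async function loginWithFallback(plan) {
  const failures = [];
  for (const step of plan) {
    try {
      const token = await step.run();
      return { method: step.name, token, failures };
    } catch (err) {
      failures.push(`${step.name}: ${err.message}`);
    }
  }
  throw new Error(`all Vault AWS login methods failed: ${failures.join('; ')}`);
}

module.exports = { detectAwsPlatform, loginPlan, loginWithFallback };
```

Typical use is `loginWithFallback(loginPlan(detectAwsPlatform(), { iamLogin, ec2Login }))`, with `iamLogin` building credentials from the detected `credentialSource` before signing. Keep the `failures` list in your logs: a fallback that silently succeeds hides a broken instance profile until the day the PKCS#7 role is removed.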
Any progress on this? I'm really interested in having this feature incorporated into node-vault. I've seen @DaniGuardiola has made some headway in his own branch. What's left to be done to merge @DaniGuardiola's branch in? I'm happy to lend a hand.
Hello @dvejmz!
Well before merging the AWS branch, the main refactored branch must be merged (#78), take a look at that PR. Mainly I need to finish documentation and improve the tests. Then I will be able to publish the first major version to NPM and we can work on AWS and other stuff from there.
Would you be able to help with this?
@DaniGuardiola yeah, I'd be happy to help, what's the best place for me to start? If there's an IRC channel or similar I can get on to discuss this, I can do that too.
So is this proposal dead, since the refactoring wasn't merged and DaniGuardiola doesn't have the time anymore?
Would be great to have this feature available.
What needs to be done, I could try to help.
A re-write is cool, but it should be done in stages so people aren't blocked from contributing. The above PR was opened in 2018 and probably isn't happening (going from comments in the PR). So, maybe a requirement to port any changes to the new branch is too strict and the work of porting new changes should fall on the side of the branch that does the refactor?
Totally agree, it felt overwhelming & I didn't have time to go do it.
Is this code taking care of assumeRole?