Hashicorp Vault - Display a secret's keys and values using Node.js


This assumes you are familiar with the Python hvac client. If not, check out my article Hashicorp Vault - Getting Started with Python hvac.

This assumes the following has already been done.

Let's say the secrets engine has been enabled with -path=secret/

~]# vault secrets enable -path=secret/ kv
Success! Enabled the kv secrets engine at: secret/

 

And let's say approle has been enabled and there is a role named "my-role" that contains a policy named "my-policy".

~]$ vault read auth/approle/role/my-role
Key                        Value
---                        -----
policies                   [my-policy]

 

In this example, since the secrets engine has been enabled with -path=secret/, the policy path will need to begin with secret/.

Let's say "my-policy" permits the following capabilities to "secret/my_path/*".

~]$ vault policy read my-policy
path "secret/my_path/*" {
  capabilities = ["create", "delete", "list", "patch", "read", "update"]
}

 

In this scenario, you would first log in to Hashicorp Vault.

  • Login to Hashicorp Vault using approle auth in Node.js
  • Login to Hashicorp Vault using token auth in Node.js

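In this example

  • secret/my_path/metadata is used here since my-policy grants capabilities on secret/my_path/*

var options = {
  apiVersion: 'v1',
  endpoint: 'https://vault.example.com',
  // The token must be a quoted string; outside of a demo, load it from the environment rather than the source file.
  token: 'hvs.CAESIGQw4N7647TsPLwr0c7k3OME4pOE3_SV1CdgtO6edTSIGiUKHGh2cy5oR0xoR25IeG1ySHpiNUhIU0hmRzNoTVoQgKCBCRgI'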
};
var vault = require("node-vault")(options);

vault.list('secret/my_path/metadata')
  .then(console.log)

 

Something like this should be returned. In this example, there are two secrets at secret/my_path/, my_first_secret and my_second_secret.

{
  request_id: 'd0e769b7-7c2b-c0b0-3606-033ba351461f',
  lease_id: '',
  renewable: false,
  lease_duration: 0,
  data: {
    keys: [
      'my_first_secret',
      'my_second_secret'
    ]
  },
  wrap_info: null,
  warnings: null,
  auth: null
}

 

Here is how you can return the keys and values in my_first_secret.

var options = {
  apiVersion: 'v1',
  endpoint: 'https://vault.example.com',
  // The token must be a quoted string.
  token: 'hvs.CAESIGQw4N7647TsPLwr0c7k3OME4pOE3_SV1CdgtO6edTSIGiUKHGh2cy5oR0xoR25IeG1ySHpiNUhIU0hmRzNoTVoQgKCBCRgI'
};
var vault = require("node-vault")(options);

vault.read('secret/my_path/data/my_first_secret')
  .then(response => {console.log(response)})

 

Which should return something like this.

{
  request_id: '8ea42cdb-4256-f46d-c3f6-632f58d41e68',
  lease_id: '',
  renewable: false,
  lease_duration: 0,
  data: {
    data: {
      first_key: 'foo',
      second_key: 'bar'
    },
    metadata: {
      created_time: '2024-07-09T12:43:18.688362303Z',
      custom_metadata: null,
      deletion_time: '',
      destroyed: false,
      version: 2
    }
  },
  wrap_info: null,
  warnings: null,
  auth: null,
  mount_type: 'kv'
}

 

Almost always, you are going to want to catch errors, for example, if the secret being fetched does not exist.

var options = {
  apiVersion: 'v1',
  endpoint: 'https://vault.example.com',
  // The token must be a quoted string.
  token: 'hvs.CAESIGQw4N7647TsPLwr0c7k3OME4pOE3_SV1CdgtO6edTSIGiUKHGh2cy5oR0xoR25IeG1ySHpiNUhIU0hmRzNoTVoQgKCBCRgI'
};
var vault = require("node-vault")(options);

vault.read('secret/my_path/data/my_first_secret')
  .then(response => {
    console.log(response)
  })
  .catch(err => {
    console.error(err)
  })
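The list-then-read flow above, combined with the error handling, as an added example that is not part of the original article: it reads every secret under the path and masks the values before printing, since console.log(response) writes the secret values to the console in clear text. stubVault (constructed data standing in for the node-vault client), extractPairs, maskValues and readAll are hypothetical names, and the 404 error shape is an assumption.

```javascript
// Added example. stubVault and its data are constructed; it mimics the list()/read() responses shown above.
const stubVault = {
  list: async () => ({ data: { keys: ['my_first_secret', 'my_second_secret'] } }),
  read: async (path) => {
    if (path.endsWith('/my_first_secret')) {
      return { data: { data: { first_key: 'foo', second_key: 'bar' },
                       metadata: { version: 2, destroyed: false } } };
    }
    // Assumption: a missing secret rejects with err.response.statusCode === 404.
    throw Object.assign(new Error('Status 404'), { response: { statusCode: 404 } });
  },
};

// Return the key/value pairs of a read() response; throw on any other shape.
function extractPairs(response) {
  const pairs = response && response.data && response.data.data;
  if (pairs === null || typeof pairs !== 'object') {
    throw new Error('response has no data.data object');
  }
  return pairs;
}

// Keep the key names but hide the values, so the result is safe to log.
function maskValues(pairs) {
  return Object.fromEntries(Object.keys(pairs).map((key) => [key, '****']));
}

// List the secrets under listPath and read each one; not-found maps to null, other errors are re-thrown.
async function readAll(vault, listPath, dataPath) {
  const listing = await vault.list(listPath);
  const result = {};
  for (const name of listing.data.keys) {
    if (name.endsWith('/')) continue; // trailing slash marks a sub-folder, not a secret
    try {
      result[name] = extractPairs(await vault.read(`${dataPath}/${name}`));
    } catch (err) {
      if (err.response && err.response.statusCode === 404) result[name] = null;
      else throw err;
    }
  }
  return result;
}

readAll(stubVault, 'secret/my_path/metadata', 'secret/my_path/data')
  .then((secrets) => Object.entries(secrets).forEach(([name, pairs]) =>
    console.log(name, pairs ? maskValues(pairs) : '(not found)')))
  .catch((err) => console.error(err.message));
```

To run it against a real server, pass the node-vault client created earlier in place of stubVault.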

 

 



