Consuming Secrets from HashiCorp Vault using Node.js and Python
In this article, we will explore how to consume secrets from HashiCorp Vault using Node.js and Python. We will cover the steps involved in setting up the Vault server, configuring the secrets engine, and accessing the secrets from the client applications.
What is HashiCorp Vault?
HashiCorp Vault is a secrets management tool that provides a secure way to store and manage sensitive information like passwords, API keys, and certificates. Vault stores the secrets encrypted, and only authorized users or applications can access them.
Setting up the HashiCorp Vault Server
Before we can consume secrets from Vault, we need to set up the Vault server. The following steps outline the process of setting up a Vault server:
- Install Vault: Download the latest version of Vault from the official HashiCorp website and install it on your server.
- Start the Vault Server: Start the Vault server using the following command:
    vault server -dev
This starts a development server that is not suitable for production use, but it’s a good way to get started quickly.
- Set Up the Vault Environment: Configure the Vault environment by setting the VAULT_ADDR and VAULT_TOKEN environment variables. VAULT_ADDR is the URL of the Vault server, and VAULT_TOKEN is the authentication token used to access Vault.
Configuring the Secrets Engine
Once the Vault server is up and running, we need to configure the secrets engine. The secrets engine is responsible for managing and storing secrets. Vault supports multiple secrets engines, including Key/Value, AWS, and Azure.
For this article, we will use the Key/Value secrets engine. The following steps outline the process of configuring the Key/Value secrets engine:
- Create a Secrets Path: Create a new secrets path using the following command:
    vault secrets enable -path=mysecrets kv
This creates a new secrets path called “mysecrets” using the Key/Value secrets engine.
- Add Secrets: Add some secrets to the “mysecrets” path using the following command:
    vault kv put mysecrets/myapp db_username=myuser db_password=mypassword
This adds a new secret to the “mysecrets” path called “myapp” with the values “db_username=myuser” and “db_password=mypassword”.
Accessing Secrets from Node.js
Now that we have set up the Vault server and configured the secrets engine, we can access the secrets from our Node.js application. The following steps outline the process of accessing the secrets from Node.js:
1.- Install the Vault Node.js Client: Install the “node-vault” client using the following command:
    npm install node-vault
2.- Connect to Vault: Connect to Vault using the following code:
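    // node-vault reads the server address from VAULT_ADDR by default
    const vault = require('node-vault')();

    // Requires the userpass auth method to be enabled and this user to exist
    vault
      .userpassLogin({
        username: 'myusername',
        password: 'mypassword'
      })
      .then(result => {
        // Use the issued client token for subsequent requests
        vault.token = result.auth.client_token;
      });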
This code connects to the Vault server using the userpass authentication method.
3.- Get Secrets: Get the secrets using the following code:
    // Run this once the login promise above has resolved
    vault
      .read('mysecrets/myapp')
      .then(result => {
        const username = result.data.db_username;
        const password = result.data.db_password;
        // Use the username and password to access the database
      });
This code reads the “myapp” secret from the “mysecrets” path and extracts the username and password values.
Accessing Secrets from Python
We can also access secrets from Vault using Python. The following steps outline the process of accessing secrets from Vault using Python:
1.- Install the Vault Python Client: Install the “hvac” client using the following command:
    pip install hvac
2.- Connect to Vault: Connect to Vault using the following code:
    import hvac

    client = hvac.Client(url='https://vault.example.com', token='mytoken')
This code connects to the Vault server using the URL and token.
3.- Get Secrets: Get the secrets using the following code:
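    # path is relative to mount_point, which defaults to 'secret',
    # so the "mysecrets" mount has to be named explicitly
    secrets = client.secrets.kv.v1.read_secret(path='myapp', mount_point='mysecrets')
    username = secrets['data']['db_username']
    password = secrets['data']['db_password']
    # Use the username and password to access the database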
This code reads the “myapp” secret from the “mysecrets” path and extracts the username and password values.
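The following is an added example, not code from the original article: it reads the same secret through Vault's HTTP API using only the Python standard library (instead of hvac), taking the address and token from the VAULT_ADDR and VAULT_TOKEN variables set earlier rather than hardcoding them. It goes beyond the article by also handling the KV version 2 response shape; the helper names (kv_url, extract_kv, read_kv, require) and the sample payloads are constructed for illustration.

```python
import json
import os
import urllib.request


def kv_url(addr, mount, path, version=1):
    """Build the HTTP API URL for a KV secret; v2 inserts 'data/' after the mount."""
    prefix = f"{mount}/data" if version == 2 else mount
    return f"{addr.rstrip('/')}/v1/{prefix}/{path.lstrip('/')}"


def extract_kv(payload, version=1):
    """Return the key/value map from a Vault read response."""
    data = payload.get("data") or {}
    if version == 2:
        # KV v2 wraps the values one level deeper, next to "metadata".
        data = data.get("data") or {}
    return data


def read_kv(mount, path, version=1, timeout=5):
    """Read a KV secret using VAULT_ADDR and VAULT_TOKEN from the environment."""
    addr = os.environ["VAULT_ADDR"]    # KeyError if unset: fail closed
    token = os.environ["VAULT_TOKEN"]
    req = urllib.request.Request(kv_url(addr, mount, path, version),
                                 headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return extract_kv(json.load(resp), version)


def require(secret, *keys):
    """Fail with the missing key names only, never the secret values."""
    missing = [k for k in keys if k not in secret]
    if missing:
        raise KeyError(f"secret is missing keys: {missing}")
    return tuple(secret[k] for k in keys)


# Constructed sample responses (not captured from a real server).
SAMPLE_V1 = {"data": {"db_username": "myuser", "db_password": "mypassword"}}
SAMPLE_V2 = {"data": {"data": {"db_username": "myuser", "db_password": "mypassword"},
                      "metadata": {"version": 1}}}

if __name__ == "__main__":
    username, password = require(read_kv("mysecrets", "myapp"),
                                 "db_username", "db_password")
    print("loaded credentials for", username)  # never print the password
```

Parsing a version 2 response with the version 1 logic yields a map containing only "data" and "metadata", which is why require() checks for the expected keys before the values are used.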
Conclusion
In conclusion, consuming secrets from HashiCorp Vault using Node.js and Python is a straightforward process that involves setting up the Vault server, configuring the secrets engine, and accessing the secrets from the client applications. HashiCorp Vault provides a secure and efficient way to manage sensitive information, and its integration with Node.js and Python makes it a valuable tool for developers.