
How to access secrets in node.js with Hashicorp Vault

I have just set up Vault from Hashicorp on my Ubuntu 18.04 backend server. It runs a node.js backend server which used to use environment variables to store data for the MySQL database. However, I figured this was insecure, which is why I changed to Vault. I have now stored all secrets inside the Vault and I can access it in my node.js application like this:

```javascript
const rootKey = "hidden"      // root token, sent with every request below
const unsealKey = "alsohidden" // unseal key, submitted by the application itself

var options = {
    apiVersion: 'v1',
    endpoint: 'https://url.com:8200',
    token: rootKey
};

var vault = require("node-vault")(options);

// unseal first, then read one KV (v1) secret under the root token
vault.unseal({ key: unsealKey })
    .then(() => {
        vault.read('secret/db_host')
          .then((res) => console.log("result:", res.data.value))
          .catch((err) => console.error("error:", err));
    })
    .catch((err) => console.error("unseal error:", err));
```

This results in the correct host address printed in my console logs. However, this leaves me with two questions:

1. How can I use the retrieved information in my MySQL connection? I currently do this with the environment variables:

```javascript
const fs = require('fs');
const mysql = require('mysql');

var pool = mysql.createPool({
    connectionLimit: 100,
    host: process.env.DB_HOST, // how can I call the vault variables here?
    user: process.env.DB_USER,
    password: process.env.DB_PASS,
    database: process.env.DB_BASE,
    ssl      : {                 // client TLS material, paths elided
          ca   : fs.readFileSync('hidden'),
          key  : fs.readFileSync('hidden'),
          cert : fs.readFileSync('hidden'),
    },
    dateStrings: true
});
```

2. If I store the rootKey and unsealKey as constants in my node.js application, what's the point of secrecy? I figure there should be a way to handle this properly, because there is not much difference now from just storing the credentials in my .js file straight away.

You shouldn't use your root key to access secrets. Vault provides several authentication methods. For example: user-pass pairs, GitHub authentication (using a token), LDAP, k8s and more...

Using one of the authentication methods you will get a Vault token with a policy. This policy will allow you access only to your relevant secrets.

Another great place to read about Vault: Learn Vault

If you are using kubernetes you can read this guide and this one.

edit: regarding the first question, it depends on how you decide to load the secrets - you can load them from a file, from process.env, or set them directly using the node-vault package. I personally write them to a file from a different process and load them into process.env with the dotenv package.
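The pattern the answer describes, as an added example that is not part of the question or the answer: the application holds only an AppRole `role_id`/`secret_id` pair (read from the environment), logs in to get a token bound to a policy, reads the database secret under that token, and maps the fields straight into the options for `mysql.createPool()`. The root token and the unseal keys never reach the process. The secret path `secret/db`, its field names, the policy name `db-app` and the fake Vault client at the bottom are assumptions made for this example; in production the client is `require('node-vault')({ apiVersion: 'v1', endpoint })`, which exposes the same `approleLogin` and `read` calls used here.

```javascript
// Added example, not code from the original question or answer.
// Assumed policy for the application (hypothetical, written with
// `vault policy write db-app db-app.hcl`) so the token can read only this path:
//   path "secret/db" { capabilities = ["read"] }
// Assumed KV v1 secret layout:
//   vault kv put secret/db host=... user=... password=... database=...
const DB_SECRET_PATH = 'secret/db';
const REQUIRED_FIELDS = ['host', 'user', 'password', 'database'];

// Exchange the AppRole credential for a policy-scoped client token.
// With node-vault this is vault.approleLogin({ role_id, secret_id }); the
// returned token is stored on the client so later calls are made with it.
async function loginWithAppRole(vault, roleId, secretId) {
  const res = await vault.approleLogin({ role_id: roleId, secret_id: secretId });
  if (!res || !res.auth || !res.auth.client_token) {
    throw new Error('AppRole login did not return a client token');
  }
  vault.token = res.auth.client_token;
  return res.auth;
}

// Read the DB secret and check every field the pool needs is present, so a
// missing key fails loudly at startup instead of as a cryptic MySQL error.
async function readDbSecret(vault, path = DB_SECRET_PATH) {
  const res = await vault.read(path);
  const data = res && res.data;
  if (!data) throw new Error(`no data at ${path}`);
  const missing = REQUIRED_FIELDS.filter((f) => !data[f]);
  if (missing.length) throw new Error(`secret ${path} is missing: ${missing.join(', ')}`);
  return data;
}

// Build the options object for mysql.createPool() from the secret. `tls` holds
// already-loaded PEM buffers (fs.readFileSync of ca/key/cert) so this function
// does no file I/O and is easy to test.
function buildPoolOptions(secret, tls) {
  return {
    connectionLimit: 100,
    host: secret.host,
    user: secret.user,
    password: secret.password,
    database: secret.database,
    ssl: tls,
    dateStrings: true,
  };
}

// Full startup sequence: only VAULT_ROLE_ID / VAULT_SECRET_ID come from the
// environment; the root token and unseal keys are never seen by the app.
async function buildPoolOptionsFromVault(vault, env, tls) {
  await loginWithAppRole(vault, env.VAULT_ROLE_ID, env.VAULT_SECRET_ID);
  const secret = await readDbSecret(vault);
  return buildPoolOptions(secret, tls);
}

// Constructed fake standing in for require('node-vault')(options) so the
// example runs offline: it accepts one role/secret pair, hands out one
// scoped token, and serves one KV v1 secret only to that token.
function makeFakeVault() {
  return {
    token: undefined,
    async approleLogin({ role_id, secret_id }) {
      if (role_id !== 'role-123' || secret_id !== 'secret-456') {
        throw new Error('permission denied');
      }
      return { auth: { client_token: 's.scoped-token', policies: ['default', 'db-app'] } };
    },
    async read(path) {
      if (this.token !== 's.scoped-token') throw new Error('permission denied');
      if (path !== DB_SECRET_PATH) throw new Error(`permission denied on ${path}`);
      return { data: { host: 'db.internal', user: 'app', password: 'p4ss', database: 'shop' } };
    },
  };
}

// Demo run against the fake; with a real client, pass the result to mysql.createPool().
const demoEnv = { VAULT_ROLE_ID: 'role-123', VAULT_SECRET_ID: 'secret-456' };
const demoTls = { ca: Buffer.from('constructed-ca-placeholder') };
buildPoolOptionsFromVault(makeFakeVault(), demoEnv, demoTls)
  .then((opts) => console.log('pool target:', opts.host, opts.database))
  .catch((err) => { console.error('startup failed:', err.message); process.exit(1); });
```

The `secret_id` should itself be delivered to the host by something outside the application (a deployment step, a wrapped token, or the Vault Agent), and the AppRole configured with a short `secret_id_ttl` and a bounded `token_ttl`, so that a leaked `.js` file or `.env` no longer carries a credential that is valid indefinitely.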
