# Vault

Category: Security | Runtime: 0.9+ | Available: Free

# Overview

The Vault node by Kumologica integrates seamlessly with the HashiCorp Vault secrets engine, letting you store and retrieve secrets in Vault that can be used anywhere in your flows.

This node works with the Vault REST API and supports the following operations:

  • Read
  • Write
  • Delete

# Setup

# Prerequisites

For the Vault node to work properly, you need a valid installation of Vault running and reachable over HTTP or HTTPS.

# Installation

By default, the node is not available in the palette.
To install the node:

  1. Go to Add more nodes option on the palette section.
  2. Check for the Vault node and click install.
  3. Once installed, the designer is required to be restarted.

# Technical Details

Properties

  • Protocols (Optional)
    HTTP and HTTPS are supported.
  • Host (Required)
    Hostname of HashiCorp Vault server.
  • Port (Required)
    Port number of HashiCorp Vault server.
  • Auth Type (Optional)
    Auth Type is the auth method used for authenticating with Vault server. Supports Token, App Role and Username & Password.
  • Auth Token (Optional)
    Root token provided by the Vault server when using the token-based auth method.
  • Role Name (Optional)
    Role name created in the Vault server when using the App Role auth method.
  • User Name (Optional)
    Username to be used when using Userpass auth method.
  • Password (Optional)
    Password to be used when using Userpass auth method.
  • Action (Optional)
    Operation to be selected over the key stored in HashiCorp Vault.
  • Data Path (Optional)
    Path of the key in HashiCorp Vault. The data path must include the /data/ segment to point to the key location (for example, /secret/data/mykey).
  • Data Value (Optional)
    Value to be stored against the key in HashiCorp Vault.

Vault node supports the following Auth Types.

Token
The Token auth method is the default, built-in method for authenticating using a token.

App Role
The approle auth method allows machines or apps to authenticate with Vault-defined roles.

Username Password
The Userpass auth method allows a user to authenticate against a username and password combination stored in Vault.

Throws
The HashiCorp Vault node throws the following exceptions.

  • VaultInvalidDataPathError
  • VaultConnectingError
  • VaultInvalidTokenError
  • VaultInvalidRoleNameError
  • VaultInvalidWriteDataError

Returns

On successful execution, the result fetched from the data path in HashiCorp Vault is stored in the msg.payload object in the following format: msg.payload.[name of the Vault node (space trimmed)].result.
For example, if the name of the Vault node is fetch password, the result of a successful execution is stored as msg.payload.fetchpassword.result.

# Develop a Service

# Instructions

  1. Drag and drop an EventListener node from the palette to the canvas. Open the settings, configure the following and Save.

    Display Name : POST /vault/key
    Event Source : Amazon API gateway
    Verb : GET
    URL : /vault/key
    
  2. Add the HashiCorp Vault node to the canvas. Open the settings, provide the following configuration and click Save.

    Display Name :  Vault
    Protocol : HTTP
    Host : localhost
    Port : 8200
    Auth Type : Token
    Auth Token : Root token from your Vault server
    Action : Read
    Data Path : /secret/data/mykey
    

    Note: mykey is the key that was added to the Vault server.

  3. Wire the EventListener node to the Vault Node.

  4. Add a Logger node to the flow and set the Message as msg.payload.Vault.result to print the value fetched from the Vault server. Click Save.

  5. Add EventListener End node from the palette to the canvas. Open the settings, configure the following and Save.

    Payload : msg.payload.Vault.result
    
  6. Wire the Vault node to the EventListener End node.
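
What the flow configured above amounts to at the Vault HTTP API level, as an added example (not Kumologica's code). It assumes the Read action maps to a KV version 2 read (`GET /v1/<data path>` with the token in the `X-Vault-Token` header) and that `result` holds the secret's key/value data; `buildReadRequest` and `toMsgPayload` are hypothetical helper names, and the sample response is constructed.

```javascript
// Added example, not Kumologica's implementation. Assumption: Read maps to
// Vault's KV v2 HTTP API, GET /v1/<data path>, token sent in X-Vault-Token.

// Constructed sample of a KV v2 read response body (values are made up).
const SAMPLE_RESPONSE = {
  data: {
    data: { password: "example-only" },
    metadata: { version: 3, destroyed: false, deletion_time: "" },
  },
};

// Hypothetical helper: turn the node properties into the REST request.
function buildReadRequest(cfg) {
  const path = cfg.dataPath.replace(/^\/+/, "");
  // KV v2 serves secret values under <mount>/data/<key>; without the
  // /data/ segment the path points at a different endpoint.
  if (!/^[^/]+\/data\/.+/.test(path)) {
    throw new Error("data path must look like <mount>/data/<key>");
  }
  const protocol = (cfg.protocol || "http").toLowerCase();
  const warnings = [];
  const local = ["localhost", "127.0.0.1"].includes(cfg.host);
  // Over plain HTTP the token and the secret cross the network unencrypted.
  if (protocol === "http" && !local) {
    warnings.push("plain HTTP to a remote Vault host");
  }
  const url = new URL(`${protocol}://${cfg.host}:${cfg.port}/v1/${path}`);
  return {
    method: "GET",
    url: url.href,
    headers: { "X-Vault-Token": cfg.authToken },
    warnings,
  };
}

// Hypothetical helper: place the secret where the page says the node stores it.
function toMsgPayload(nodeName, body) {
  const inner = body && body.data;
  const meta = (inner && inner.metadata) || {};
  // A deleted or destroyed version carries metadata but no usable data.
  if (meta.destroyed || meta.deletion_time) throw new Error("secret version is deleted");
  if (!inner || inner.data === null || typeof inner.data !== "object") {
    throw new Error("unexpected response shape");
  }
  const key = nodeName.replace(/\s+/g, ""); // "fetch password" -> "fetchpassword"
  return { [key]: { result: inner.data } };
}
```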

# Try it

Sample Flow with Vault node