The NodeJS app should include three pages:
- Single window with an input panel (nothing else). Maybe a submit button.
- An error page providing instructions to contact someone
- A success window that displays the final payload, along with instructions on how to use
Workflow:
- User provides auth token to the NodeJS app
- If there is an error in authentication, display error page
- If successful, move to step 2
- Vault returns payload with session token or
client_token
- Parse client_token
- If there is no client_token, display error page
- If successful move to step 3
- NodeJS app uses session token to retrieve secret
- Vault returns payload โ which includes secret
- NodeJS app provides display of the payload (nicely formatted)
We use a GitHub personal token to login to Vault. The objective is to have Vault authenticate the user and confirm the identity. The Vault server is located at:
http://${VAULT_ADDR}:8200
The token value for the test is the following:
65fa29d416909e9867c794ae6792999f2d251aaa
(Please note: This is not a real token anymore)
Use Vault terminology to express that variable:
export VAULT_TOKEN="65fa29d416909e9867c794ae6792999f2d251aaa"
Here is a simple example of the curl command that allows for the call-in.
curl \
--data '{"token": $VAULT_TOKEN}' \
--request POST \
http://${VAULT_ADDR}:8200/v1/auth/github/login
This is a sample of the expected payload returned by the Vault server. The importance of this payload is the client_tokenas it allows for the next operation.
{
request_id: b7c7b5c5-e7be-29f7-e1ab-fabf3ebf5daf,
lease_id: ,
renewable: false,
lease_duration: 0,
data: null,
wrap_info: null,
warnings: null,
auth: {
client_token: s.j21DuIQZGnCWTbXwu2uD2kGq,
accessor: QWLtt05sTFB8sdSvrgrujLh7,
policies: [
default,
dev - policy
],
token_policies: [
default
],
identity_policies: [
dev - policy
],
metadata: {
org: interrupt - software,
username: gcdata - admin
},
lease_duration: 2764800,
renewable: true,
entity_id: 8dea795e-7f86-8dc9-3e3b-2c19ae49a833,
token_type: service,
orphan: true
}
}
Given the client_token
in the operation, the application is now able to request the secret located in the vault. The endpoint for that secret is different than above. The following is a sample curl
command to retrieve the secret:
curl \
--header "X-Vault-Token: s.j21DuIQZGnCWTbXwu2uD2kGq" \
http://${VAULT_ADDR}:8200/v1/secret/nodejs-app
This is the final payload to be displayed on page two of the NodeJS application:
{
request_id: b379471f-a2ef-03a0-0b4f-949745e62225,
lease_id: ,
renewable: false,
lease_duration: 2764800,
data: {
secret: OrgvU84XLJ6vnPrT50xyao05
},
wrap_info: null,
warnings: null,
auth: null
}