Vault
Vault is a tool providing services for securely storing and managing secrets. A secret can be anything sensitive that needs to be tightly controlled and accessed, such as credentials, API keys, sensitive data, etc.
General Information
We are using Vault with file storage, which means that the secrets are encrypted and stored in files. All secrets are stored under paths, e.g. <vault_url>/secret/secret1. By default, only the admin user has access rights to all paths. If we need to give someone else access to read or write a secret under a specific path, we provide them with a token, which is valid for a limited amount of time. After the token expires, it cannot be used again unless it is renewed.
Setup
Initialising the Vault
Before using the vault, it must be initialised. To initialise the vault, we need to provide two arguments: the number of keys that will be generated during the initialisation process (secret_shares) and the number of keys that the vault needs in order to be unsealed (secret_threshold).
The initialisation process returns the keys and a root token. The root token is used by our platform to perform all the necessary actions, such as reading and writing secrets and creating tokens for other users.
Unsealing the Vault
The vault can be either sealed or unsealed. If the status is sealed, the vault is locked and no secrets can be read from or written to it. This is because the vault needs the keys that were created during the initialisation process in order to decrypt the files. Once the necessary number of keys has been provided, the vault status changes to unsealed.
Available Services
The following services are available in our vault package:
getStatus
Returns whether the vault is initialised or not.
getSealStatus
Returns whether the vault is sealed or unsealed.
unsealVault
Unseals the vault.
Param | Type | Description |
---|---|---|
key | string | The key that was generated during the initialization process |
createSecret
Writes a secret under a specific path.
Param | Type | Description |
---|---|---|
organization | string | The organization name of the user |
user | string | The username of the user |
secretName | string | Name of the secret |
data | any | Sensitive data that will be stored under the path: organization/user/secretName |
getSecret
Reads a secret from a specific path.
Param | Type | Description |
---|---|---|
organization | string | The organization name of the user |
user | string | The username of the user |
secretName | string | Name of the secret |
clientToken | string | The vault token that has read access to the specific path |
updateSecret
Updates a secret under a specific path.
Same parameters as the createSecret service.
deleteSecret
Deletes a secret from a specific path.
Param | Type | Description |
---|---|---|
organization | string | The organization name of the user |
user | string | The username of the user |
secretName | string | Name of the secret |
secretExists
Returns whether a secret exists under a specific path.
Same parameters as the deleteSecret service.
createToken
Creates a token to read a secret from the vault.
Same parameters as the deleteSecret service.
renewToken
Renews a token’s lease, extending the amount of time it can be used.
Param | Type | Description |
---|---|---|
token | string | The vault token that will be renewed |
revokeToken
Revokes a token.
Param | Type | Description |
---|---|---|
token | string | The vault token that will be revoked |