Store Environment Variables in a Node.js Application Securely

Dhiraj Kumar
5 min read · Oct 9, 2022

Every developer and DevOps engineer needs to take care to secure the application and the infrastructure so that there is no opening for a cyber attack.

Security plays an important role whether you are a DevOps engineer, an SRE or an application engineer. Beyond those who are directly responsible for infrastructure and application security, everyone should take care of security.

In this post I am going to discuss how to store credentials securely. Credentials can be stored securely by using two types of service:

  • On-premises service
  • Cloud service

Vault is an open-source, identity-based credentials and encryption management tool. It stores credentials and issues a unique token to every user that needs to use them.

In this post I will use an on-premises Vault service to store credentials securely. The tasks included in this project are:

  • Installation of Vault on RedHat 8
  • Configuration of the Vault server
  • Storing credentials in the Vault server
  • Using Vault credentials in a Node.js application

Install Vault using the commands below:

sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
sudo yum -y install vault

After successful installation of Vault, start the Vault server in development mode.

Once you have finished testing Vault in development mode and want to use it in production mode, configure the Vault server.

Configure the Vault Server:

Enable a Secrets Engine

Go to Secrets, then click Enable new engine. You will get the portal shown below. Click KV, then click Next.

Give the secrets engine a path name. If you want custom settings, click Method Options and configure them according to your use case; otherwise click Enable Engine to accept the defaults.

Configure the AppRole Auth Method

To configure the AppRole auth method, go to Access, then click Enable new method.

Click AppRole, then click Next and give the AppRole method a path name. If you want to configure it for your use case, click Method Options; otherwise create it with the defaults by clicking Enable method.

Create a Policy for Secret Access

To create a policy for secret access, go to Policies, then click Create ACL policy +.

Give the policy a name, define the policy in JSON format, review the policy configuration, then click Create Policy.
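As an added example (not taken from the article), this is what a least-privilege policy for the Node.js application could look like in Vault's JSON policy syntax. It assumes the KV engine is mounted at kv as KV version 2 (so a secret named demo is read through kv/data/demo) and grants nothing beyond reading that one secret; it is the kind of policy you would save under the name readonly-kv-backend used later:

```json
{
  "path": {
    "kv/data/demo": {
      "capabilities": ["read"]
    }
  }
}
```

Scoping the path to the single secret, rather than kv/data/* or kv/*, means a leaked application token can read only what the application actually needs.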

Create an AppRole for the Node.js Application:

Run the command below to create an AppRole for the application using the Vault CLI.

vault write auth/approle/role/node-app-role \
token_ttl=1h \
token_max_ttl=4h \
token_policies=readonly-kv-backend

Each AppRole has a RoleID and SecretID, much like a username and password. The application can exchange this RoleID and SecretID for a token, which can then be used in subsequent requests.

Get the RoleID and SecretID:

Now we'll fetch the RoleID belonging to node-app-role with the following command:

vault read auth/approle/role/node-app-role/role-id

Next we'll fetch the SecretID using the command below:

vault write -f auth/approle/role/node-app-role/secret-id

Make sure you store these values somewhere safe, as we'll use them in our Node.js application.

Please note that it's not safe to deliver the SecretID to our applications like this. You should use response wrapping to deliver the SecretID to your application securely. For the purpose of this demo, we'll pass the SecretID as an environment variable to our application.


To create a secret using the web UI, click the secrets engine where you want to store the data, then click Create secret. Add the key/value pairs; you can also add tags in the metadata.

Create a dummy Node.js application:

npm init
npm install node-vault
vim index.js

Put the code below in the index.js file.

------------------------------------------------------------------------

const vault = require("node-vault")({
  apiVersion: "v1",
  endpoint: "http://<Vault API IP>:8200", // replace with the address of your Vault server
});

// RoleID and SecretID are passed in as environment variables for this demo.
const roleId = process.env.ROLE_ID;
const secretId = process.env.SECRET_ID;

const run = async () => {
  // Exchange the RoleID and SecretID for a client token.
  const result = await vault.approleLogin({
    role_id: roleId,
    secret_id: secretId,
  });
  vault.token = result.auth.client_token; // Add token to vault object for subsequent requests.

  // Retrieve the secret stored in previous steps (KV v2 keeps the values under data.data).
  const { data } = await vault.read("kv/data/demo");
  const databaseName = data.data.db_name;
  const username = data.data.username;
  const password = data.data.password;

  console.log({
    databaseName,
    username,
    password,
  });
};

run().catch((err) => {
  console.error(err.message);
  process.exit(1);
});

------------------------------------------------------------------------

Then save it. After that, run the commands below:

npm install
node index.js
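The following is an added example, not the article's index.js and not part of node-vault: it performs the same AppRole login and KV v2 read directly against Vault's HTTP API, adds the unwrap step for a response-wrapped SecretID that the article recommends instead of the environment variable, and redacts the secret values before printing them. The fetch implementation is injectable, and the block ships with a constructed fake that answers like a Vault server so it runs offline; the VAULT_ADDR default, the token strings and the secret values are all constructed. A wrapping token for the real flow comes from vault write -wrap-ttl=60s -f auth/approle/role/node-app-role/secret-id.

```javascript
// Added example: AppRole login + KV v2 read over Vault's HTTP API, with an
// injectable fetch so the flow can be exercised without a live server.
const VAULT_ADDR = process.env.VAULT_ADDR || "http://127.0.0.1:8200"; // assumption: dev server address

function createVaultClient({ endpoint = VAULT_ADDR, fetchImpl = globalThis.fetch } = {}) {
  async function request(method, path, { token, body } = {}) {
    const headers = { "Content-Type": "application/json" };
    if (token) headers["X-Vault-Token"] = token;
    const res = await fetchImpl(`${endpoint}/v1/${path}`, {
      method,
      headers,
      body: body === undefined ? undefined : JSON.stringify(body),
    });
    // Never echo the request body into the error: for login it holds the SecretID.
    if (!res.ok) throw new Error(`Vault ${method} ${path} failed with HTTP ${res.status}`);
    return res.json();
  }
  return {
    // Trade a single-use wrapping token for the SecretID it wraps (sys/wrapping/unwrap).
    async unwrapSecretId(wrappingToken) {
      const out = await request("POST", "sys/wrapping/unwrap", { token: wrappingToken });
      return out.data.secret_id;
    },
    // RoleID + SecretID -> client token (auth/approle/login).
    async approleLogin(roleId, secretId) {
      const out = await request("POST", "auth/approle/login", { body: { role_id: roleId, secret_id: secretId } });
      return { token: out.auth.client_token, ttlSeconds: out.auth.lease_duration };
    },
    // KV v2 read: the stored key/value pairs sit under data.data.
    async readKvV2(token, mount, secretPath) {
      const out = await request("GET", `${mount}/data/${secretPath}`, { token });
      return out.data.data;
    },
  };
}

// Replace every value with "***" so credentials never reach the log output.
function redact(obj) {
  return Object.fromEntries(Object.keys(obj).map((k) => [k, "***"]));
}

// Full flow: unwrap (if a wrapping token was delivered) -> login -> read kv/data/demo.
async function loadDbCredentials(client, { roleId, secretId, wrappingToken }) {
  const sid = wrappingToken ? await client.unwrapSecretId(wrappingToken) : secretId;
  if (!roleId || !sid) throw new Error("ROLE_ID and SECRET_ID (or a wrapping token) are required");
  const { token } = await client.approleLogin(roleId, sid);
  const data = await client.readKvV2(token, "kv", "demo");
  return { databaseName: data.db_name, username: data.username, password: data.password };
}

// Constructed stand-in for a Vault server: every token and value below is made up.
function fakeVaultFetch() {
  const WRAP_TOKEN = "hvs.wrap-constructed";
  const SECRET_ID = "secret-id-constructed";
  const CLIENT_TOKEN = "hvs.client-constructed";
  let wrapUsed = false;
  const reply = (status, body) => ({ ok: status < 400, status, json: async () => body });
  return async (url, opts) => {
    const path = new URL(url).pathname;
    const tok = opts.headers["X-Vault-Token"];
    if (path === "/v1/sys/wrapping/unwrap") {
      if (tok !== WRAP_TOKEN || wrapUsed) return reply(400, { errors: ["wrapping token is not valid or does not exist"] });
      wrapUsed = true; // a wrapping token can be unwrapped exactly once
      return reply(200, { data: { secret_id: SECRET_ID } });
    }
    if (path === "/v1/auth/approle/login") {
      const b = JSON.parse(opts.body);
      if (b.role_id !== "role-id-constructed" || b.secret_id !== SECRET_ID) return reply(400, { errors: ["invalid role or secret ID"] });
      return reply(200, { auth: { client_token: CLIENT_TOKEN, lease_duration: 3600 } });
    }
    if (path === "/v1/kv/data/demo") {
      if (tok !== CLIENT_TOKEN) return reply(403, { errors: ["permission denied"] });
      return reply(200, { data: { data: { db_name: "appdb", username: "app", password: "pw-constructed" }, metadata: { version: 1 } } });
    }
    return reply(404, { errors: [] });
  };
}

// Stand-alone demo against the fake; swap fakeVaultFetch() for the global fetch to talk to a real server.
async function demo() {
  const client = createVaultClient({ fetchImpl: fakeVaultFetch() });
  const creds = await loadDbCredentials(client, { roleId: "role-id-constructed", wrappingToken: "hvs.wrap-constructed" });
  console.log(redact(creds)); // { databaseName: '***', username: '***', password: '***' }
  return creds;
}
demo().catch((err) => { console.error(err.message); process.exit(1); });
```

Two points the fake makes visible: the wrapping token is consumed on first use, so a second unwrap fails and an interception before the application ran would be noticed, and the KV read is refused unless the caller presents the client token obtained from the login, which is the token the readonly-kv-backend policy is attached to.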

You have now configured the Vault server and used its credentials in a Node.js application.

If you have any doubts, queries or suggestions, you can contact me through the channels below.

LinkedIn:- https://www.linkedin.com/in/dhiraj-sharma/

Gmail: firsttalk26@gmail.com


Dhiraj Kumar

Cloud computing expert who has helped many startups reduce cloud cost by up to 40% based on business need. Focused on optimising the development process.