
Why am I getting a permission denied error when trying to read from HashiCorp Vault in Node.js via GitHub token authentication?


The auth method used for the vault in my company's organization is via GitHub token. This authentication method has already been used by some of the Scala projects in the company. They are successfully able to use the authentication method to read the secrets.

This is the Scala piece of code:

    val vaultConfig = new VaultConfig().address(VaultAddress).build()
    val apiToken = new Auth(vaultConfig).loginByGithub(githubToken).getAuthClientToken

    val configWithToken: VaultConfig = new VaultConfig().address(VaultAddress).token(apiToken).build()
    new Vault(configWithToken)

Now we are integrating Vault in one of the new Node.js projects. So far I have written this piece of code using the library node-vault:

    const vault = require("node-vault")({
      apiVersion: "v1",
      endpoint: "vaultURL",
    });

    const GITHUB_TOKEN = '';

    const run = async () => {
      try {
        const result = await vault.githubLogin({ token: GITHUB_TOKEN });

        vault.token = result.auth.client_token;
        console.log('Client Token', vault.token);

        const { data: returnValue } = await vault.read("some path");
        const { data } = returnValue;
        const { keys } = data;
        console.log("myKeys", keys);
      } catch (error) {
        console.log(error.message);
      }
    };

    run();

The authentication works perfectly, I'm getting the client token. But I'm not able to read the secrets in the path that I give. Note that I'm able to see the secrets of the same path through the UI, but the code gives a permission denied error.

What is it that I'm missing? Please note that I'm a beginner to both Node.js and HashiCorp Vault. The documentation of node-vault is not helping.

Any help would be appreciated. Any helpful reading material or tutorial.


Solution

  • On searching the internet I found that it might have something to do with the Vault policy settings. So, I was finally able to get this thing to work: I had to append data in the path for a successful read from the vault, because data was in fact appended to the path when I looked into the organisation's policy document.

    const vault = require("node-vault")({
      apiVersion: "v1",
      endpoint: "vaultURL",
    });

    const GITHUB_TOKEN = '';

    const run = async () => {
      try {
        // Exchange the GitHub token for a Vault client token.
        const result = await vault.githubLogin({ token: GITHUB_TOKEN });

        vault.token = result.auth.client_token;
        // Debug output only: the client token is a credential, keep it out of real logs.
        console.log('Client Token', vault.token);

        // The secret itself is nested one level down, under data.data.
        const { data: { data } } = await vault.read("root/data/path");  // <---- important
        console.log('data', data);
      } catch (error) {
        console.log(error.message);
      }
    };

    run();
    

    My original path was secret/apiKey

    Had to use secret/data/apiKey

    For reference take a look at this answer on GitHub.
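
The path mismatch behind the error, as an added example that is not part of the original answer or of node-vault: it maps the path as displayed to the API path with the `data` segment and checks both against a policy rule. Assumptions: a KV version 2 mount named `secret`, a constructed rule set, and simplified rule matching; `kv2ApiPath`, `ruleMatches`, `isAllowed` and `explain` are hypothetical helper names.

```javascript
// Constructed policy rules: "data" sits between the mount and the secret name,
// as the answer found in the organisation's policy document.
const POLICY_RULES = [
  { path: "secret/data/*", capabilities: ["read"] },
  { path: "secret/metadata/*", capabilities: ["list"] },
];

// Map the path as displayed (secret/apiKey) to the KV v2 API path (secret/data/apiKey).
// Assumption: a secret whose own name starts with "data/" is treated as already prefixed.
function kv2ApiPath(displayPath, mount = "secret") {
  const clean = displayPath.replace(/^\/+|\/+$/g, "");
  if (!clean.startsWith(mount + "/")) {
    throw new Error(`"${displayPath}" is not under mount "${mount}"`);
  }
  const key = clean.slice(mount.length + 1);
  return key.startsWith("data/") ? clean : `${mount}/data/${key}`;
}

// Simplified policy path match: "+" stands for one segment, a trailing "*" for any suffix.
function ruleMatches(rulePath, requestPath) {
  const glob = rulePath.endsWith("*");
  const body = glob ? rulePath.slice(0, -1) : rulePath;
  const pattern = body
    .split("/")
    .map((seg) => (seg === "+" ? "[^/]+" : seg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")))
    .join("/");
  return new RegExp(`^${pattern}${glob ? ".*" : ""}$`).test(requestPath);
}

// Default deny: a path no rule matches gets "permission denied", even with a valid token.
// Simplification: Vault's most-specific-match priority is not modelled here.
function isAllowed(rules, requestPath, capability) {
  const matching = rules.filter((r) => ruleMatches(r.path, requestPath));
  if (matching.some((r) => r.capabilities.includes("deny"))) return false;
  return matching.some((r) => r.capabilities.includes(capability));
}

// Compare the path from the question with the path from the answer.
function explain(displayPath) {
  const apiPath = kv2ApiPath(displayPath);
  return {
    asTyped: isAllowed(POLICY_RULES, displayPath, "read"),
    apiPath,
    withData: isAllowed(POLICY_RULES, apiPath, "read"),
  };
}

console.log(explain("secret/apiKey"));
```

The value of `apiPath` is what would be passed to `vault.read(...)`; authentication succeeding says nothing about which paths the token's policy covers.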