Vault Env package provides a dotenv like usage experience. User defines vault secrets with the .env file format. This package will pull the vault secrets into process.env.

npm install vault-secret-env

VaultEnv is like .env file and follows some of its basic rules:

• BASIC=basic becomes {BASIC: 'basic'}
• empty lines are skipped
• lines beginning with # are treated as comments

For example:

PORT=domain/data/cms/gm:PORT_NUMBER
PUBLIC_URL=domain/data/cms/gm:PUBLIC_URL_STR

DB_CLIENT=domain/data/cms/db:DB_CLIENT_TYPE
DB_DATABASE=domain/data/cms/db:DB_DATABASE_NAME
DB_HOST=domain/data/cms/db:DB_HOST_NAME
DB_PORT=domain/data/cms/db:DB_PORT_NUMBER
DB_SSL=domain/data/cms/db:DB_SSL_CERT

If the vault secret key name is identical to the environment variables, you can omit it. Below are the two identical configurations.

PORT=domain/data/cms/gm:PORT
PUBLIC_URL=domain/data/cms/gm:PUBLIC_URL

DB_CLIENT=domain/data/cms/db:DB_CLIENT
DB_DATABASE=domain/data/cms/db:DB_DATABASE
DB_HOST=domain/data/cms/db:DB_HOST
DB_PORT=domain/data/cms/db:DB_PORT
DB_SSL=domain/data/cms/db:DB_SSL

PORT=domain/data/cms/gm
PUBLIC_URL=domain/data/cms/gm

DB_CLIENT=domain/data/cms/db
DB_DATABASE=domain/data/cms/db
DB_HOST=domain/data/cms/db
DB_PORT=domain/data/cms/db
DB_SSL=domain/data/cms/db

VaultEnv file should put at the root of the project along with .env and package.json.

Use it just like dotenv package, as early as possible in your application, import or require vault-secret-env.

import 'vault-secret-env';

require('vault-secret-env');

Run the application with VAULT_ADDR and VAULT_ROOT_TOKEN

$ VAULT_ADDR=https://localhost:8000 VAULT_ROOT_TOKEN=MTIzNDU node app.js

Optionally specify the VAULT_TOKEN_ROLE and VAULT_TOKEN_ROLE_TTL to retrieve the vault secrets by token role and control the token TTL time.

$ VAULT_ADDR=https://localhost:8000 \
>  VAULT_ROOT_TOKEN=MTIzNDU \
>  VAULT_TOKEN_ROLE=power_user \
>  VAULT_TOKEN_ROLE_TTL=10s \
>  node app.js

This package also provides a simple cli to validate the VaultEnv settings.

$ npx vault-secret-env -a https://localhost:8000 -t MTIzNDU

Output

PORT : 8055 ✓
PUBLIC_URL : https://domain.com ✓
DB_CLIENT : pg ✓
DB_DATABASE : sdscms ✓
DB_HOST : db.domain.com ✓
DB_PORT : 5423 ✓
DB_SSL : false ✓

See more options by running with -h or --help.

$npx vault-secret-env --help
Usage: vault-secret-env [options]

Options:
  -V, --version                     output the version number
  -a, --address <url>               VAULT_ADDR, Vault server address, if not specified will try to retrieve it from the Node.js process environment
                                    variable.
  -t, --token <token>               VAULT_ROOT_TOKEN, root token.
  -tr, --token-role <role_name>     VAULT_TOKEN_ROLE, if specified, will try to retrieve the secrets with this role's token.
  -ttl, --token-role-ttl <seconds>  Time-to-Live for the role token. Default to be 60 seconds.
  -p, --path <path>                 Root path to locate VaultEnv file. Default to be current working directory of the Node.js process.
  -h, --help                        display help for command

The core functionality of this package has zero dependency on any third-party package and all built from scratch. It supports both vault kv version 1 and version 2. The implementation relys on nodejs api execFileSync.

To run the end-to-end test, you need to install vault dev server first, see here for more detail. The e2e test will spin up a vault dev server on port 8200, please ensure the port is not in-use before the test.

$pnpm test