hashicorp / vault-lambda-extension

Mozilla Public License 2.0

How to use Vault Lambda extension with Lambda nodejs function #44

Closed bakshigit closed 2 years ago

bakshigit commented 3 years ago

Sorry, but I am still not able to access the vault extension from my nodejs Lambda code.

Here are the steps :

Step 1 - Deploy the extension layer with below command

curl --silent https://releases.hashicorp.com/vault-lambda-extension/0.4.0/vault-lambda-extension_0.4.0_linux_amd64.zip --output vault-lambda-extension.zip
export REGION="us-east-1"
aws lambda publish-layer-version --layer-name vault-lambda-extension --zip-file "fileb://vault-lambda-extension.zip" --region "${REGION}"

Step 2 - Create a simple node js 14.x small code snippet as below

const vaultAuthClient = require('vault-lambda-extension');

exports.handler = async (event) => {
    const results = await vaultAuthClient.get('https://jsonplaceholder.typicode.com/todos/1')
    return results.data
};

When I try to execute with all the defined ENVIRONMENT VARIABLES, I get the below error

{
  "errorType": "Runtime.ImportModuleError",
  "errorMessage": "Error: Cannot find module 'vault-lambda-extension'\nRequire stack:\n- /var/task/index.js\n- /var/runtime/UserFunction.js\n- /var/runtime/index.js",
  "trace": [
    "Runtime.ImportModuleError: Error: Cannot find module 'vault-lambda-extension'",
    "Require stack:",
    "- /var/task/index.js",
    "- /var/runtime/UserFunction.js",
    "- /var/runtime/index.js",
    " at _loadUserApp (/var/runtime/UserFunction.js:100:13)",
    " at Object.module.exports.load (/var/runtime/UserFunction.js:140:17)",
    " at Object.<anonymous> (/var/runtime/index.js:43:30)",
    " at Module._compile (internal/modules/cjs/loader.js:1085:14)",
    " at Object.Module._extensions..js (internal/modules/cjs/loader.js:1114:10)",
    " at Module.load (internal/modules/cjs/loader.js:950:32)",
    " at Function.Module._load (internal/modules/cjs/loader.js:790:14)",
    " at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:76:12)",
    " at internal/main/run_main_module.js:17:47"
  ]
}

If we remove all ENVIRONMENT VARIABLES then we get a different error

START RequestId: 71fafd10-1dc6-44b0-9805-8add9e4597b9 Version: $LATEST
9bac0152-7c2e-4a14-95e9-f6f254f87067[vault-lambda-extension] 2021/07/14 21:15:16 Initialising
[vault-lambda-extension] 2021/07/14 21:15:16 missing VLE_VAULT_ADDR, VAULT_ADDR, VAULT_AUTH_PROVIDER or VAULT_AUTH_ROLE environment variables
EXTENSION Name: vault-lambda-extension State: Registered Events: [INVOKE,SHUTDOWN]
END RequestId: 71fafd10-1dc6-44b0-9805-8add9e4597b9
REPORT RequestId: 71fafd10-1dc6-44b0-9805-8add9e4597b9 Duration: 3131.75 ms Billed Duration: 3000 ms Memory Size: 128 MB Max Memory Used: 20 MB
RequestId: 71fafd10-1dc6-44b0-9805-8add9e4597b9 Error: exit status 1 Extension.Crash

Let me know what can be wrong and if you can point to some sample code which shows a nodejs Lambda function using vault lambda extension to pull secrets.

Thanks in advance

tomhjp commented 3 years ago

Hi @bakshigit, I'm afraid I'm not aware of any NodeJS examples. You are closer to having it working in the first example, but the problem is const vaultAuthClient = require('vault-lambda-extension');. The vault-lambda-extension doesn't provide you with a Vault client, it only provides an unauthenticated proxy server for Vault, available at http://127.0.0.1:8200.

To query the proxy server, you might like to use a library such as this: https://www.npmjs.com/package/node-vault-client. Working off of that library's sample code, your Lambda code might do something like:

const VaultClient = require('node-vault-client');

const vaultClient = VaultClient.boot('main', {
    api: { url: 'http://127.0.0.1:8200/' },
});

vaultClient.read('secret/tst').then(v => {
    console.log(v);
}).catch(e => console.error(e));

Alternatively, you could instead use a bare HTTP client library, in which case the secret engine API documentation will be useful.