@datacules/agent-identity-store-vault 0.9.0 → 0.10.0
- package/README.md +68 -0
- package/package.json +1 -1
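--- /dev/null
+++ b/package/README.md
@@ -0,0 +1,68 @@
+<p align="center">
+<img src="../../../assets/logo.svg" alt="Agent Identity — by Datacules LLC" width="360"/>
+</p>
+
+# `@datacules/agent-identity-store-vault`
+
+HashiCorp Vault KV v2 credential store for the agent-identity framework. Drop-in replacement for `MemoryCredentialStore`.
+
+## Install
+
+```bash
+npm install @datacules/agent-identity-store-vault
+```
+
+## Usage
+
+```typescript
+import { VaultCredentialStore } from '@datacules/agent-identity-store-vault';
+import { createRouterFromStore } from '@datacules/agent-identity';
+
+const store = new VaultCredentialStore({
+address: process.env.VAULT_ADDR!, // e.g. 'https://vault.acme.com'
+token: process.env.VAULT_TOKEN!, // or use AppRole / Kubernetes auth
+mountPath: 'secret', // KV v2 mount (default: 'secret')
+pathPrefix: 'agent-identity/', // all credential secrets live under this path
+});
+
+const router = createRouterFromStore(store, rules, logger);
+const resolved = await router.resolveAsync(ctx);
+```
+
+## What it does
+
+- **`findByRef(ref)`** — reads `<mountPath>/data/<pathPrefix><ref>` from Vault KV v2.
+- **`reserve(ref, migrationId, ttl)`** — writes a lease to Vault to lock a credential for migration.
+- **`release(ref, migrationId)`** — deletes the lease.
+- **`listActive()` / `listByKind()`** — lists secrets under the path prefix.
+
+## Vault policy
+
+```hcl
+path "secret/data/agent-identity/*" {
+capabilities = ["read", "list"]
+}
+path "secret/data/agent-identity/locks/*" {
+capabilities = ["create", "read", "update", "delete"]
+}
+```
+
+## Rotation integration
+
+`VaultCredentialStore` implements `RotationProvisioner` from `packages/core`, so you can pair it with `CredentialRotationScheduler` to automatically rotate secrets in Vault and hot-swap the active credential ref with zero downtime.
+
+```typescript
+import { CredentialRotationScheduler } from '@datacules/agent-identity';
+import { VaultRotationProvider } from '@datacules/agent-identity-store-vault';
+
+const scheduler = new CredentialRotationScheduler({
+store,
+provisioner: new VaultRotationProvider(store),
+policies: [{ credentialId: 'cred-db-prod', rotateAfterDays: 30 }],
+});
+await scheduler.runOnce();
+```
+
+---
+
+Part of the [agent-identity monorepo](https://github.com/hvrcharon1/agent-identity) by [Datacules LLC](https://datacules.com).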
package/package.json
CHANGED