Secretary (etymology: Keeper of secrets) provides an abstract way to manage secrets.
Currently supports the following adapters:
There is also a CLI package that can be used to inject secrets as environment variables into a script.
All it takes is to install the package with:
yarn global add @secretary/cli
or
npm i -g @secretary/cli
and then place a config file (.secretaryrc.js) in your root directory:
const {Adapter} = require("@secretary/aws-secrets-manager-adapter");
const {SecretsManager} = require('@aws-sdk/client-secrets-manager');
// The export may be a plain object, or (as here) a function when the
// configuration has to make async calls before it is returned.
module.exports = async (manager) => {
  // Only a region is passed to the client; no credentials are written in this file.
  const secretsClient = new SecretsManager({region: 'us-east-1'});

  // One entry per environment variable to inject.
  const botToken = {
    name: 'BOT_TOKEN', // environment variable the injected command receives
    secret: 'bot/development', // secret to look up in the source
    property: 'token', // presumably the field of that secret to use; confirm in the adapter docs
    source: 'aws', // matches the `aws` key under `sources`
    // Drops a leading "Bot " from the value (presumably applied before injection).
    callback: (value) => value.replace(/^Bot /, ''),
  };

  return {
    sources: {aws: new Adapter(secretsClient)},
    secrets: [botToken],
  };
};
Then run the following:
$ secretary inject yarn build
Your build script will then have a BOT_TOKEN environment variable set to the secret's value.
Like any environment variable, it is also visible to child processes the script starts.
// If you want to use AWS Secrets Manager
$ npm install @secretary/core @secretary/aws-secrets-manager-adapter
// If you want to use Hashicorp Vault
$ npm install @secretary/core @secretary/hashicorp-vault-adapter
Check the install docs of the adapter you want to use for specific instructions.
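// Secret is used below but was never imported; it is assumed to be exported by
// @secretary/core alongside Manager (confirm against the package docs).
import {Manager, Secret} from '@secretary/core';
// Same package name as in the install command and the CLI config example.
import {Adapter} from '@secretary/aws-secrets-manager-adapter';
// Or: import {Adapter} from '@secretary/hashicorp-vault-adapter';
// Or: import {Adapter} from '@secretary/json-file-adapter'; // Note: this is not for production
import {SecretsManager} from '@aws-sdk/client-secrets-manager';

// Each adapter is registered under a source name; later calls refer to it by that name.
const manager = new Manager({aws: new Adapter(new SecretsManager())});

// --- Read a secret, naming the source explicitly ---
const someSecret = await manager.getSecret('some/database/secret', 'aws');

// --- Read a secret from the default source ---
// Because `aws` is the first (and only) adapter in the manager, the source
// argument can be omitted. `default` is another adapter key that works; it is
// what getSecret's source argument defaults to.
const sameSecret = await manager.getSecret('some/database/secret');
// Printed for illustration only: keep secret values out of logs in real code.
console.log(sameSecret.value.dsn); // redis://localhost:6379

// --- Store a secret ---
const newSecret = new Secret('some/database/secret', {dsn: 'redis://localhost:6379'});
await manager.putSecret(newSecret, 'aws');
console.log(someSecret.value.dsn); // redis://localhost:6379

// --- Delete a secret ---
const fetchedSecret = await manager.getSecret('some/database/secret');
await manager.deleteSecret(fetchedSecret, 'aws');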
Check the usage docs of the adapter you want to use for specific instructions.