Forge Home


Retrieve secrets from Hashicorp Vault


6,741 latest version

3.1 quality score

Version information

  • 0.1.0 (latest)
released Apr 29th 2021
This version is compatible with:
  • Puppet Enterprise 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
  • Puppet >= 6.21.0 < 8.0.0
  • , , , , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'czembower-vault', '0.1.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add czembower-vault
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install czembower-vault --version 0.1.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



czembower/vault — version 0.1.0 Apr 29th 2021


Table of Contents

  1. Description
  2. Usage
  3. Limitations


Puppet module that provides a function to access Hashicorp Vault secrets within Puppet manifests. Utilizes the Deferred Function capabilities of Puppet 6.22+ to enable client-side lookups at agent run time. Appropriate use cases include delivering the secret to an input parameter of another module, or rendering a template file that contains the secret value.


Simply declare the function with appropriate parameters to store your secret in a variable. Input parameters to the function are ordered (not named).

$my_secret_value = Deferred(
    'vault::get_secret', [
      '',         # address of Vault service
      'path/to/my/secret',             # path to secret in Vault 
      'field',                         # field of secret
      false                            # boolean to set whether secret is kv_v2 type

To render a template that contains the secret value, use inline_epp:

$variables = {
  'password' => Deferred(
                    'vault::get_secret', [

file { '/etc/secrets.conf':
  ensure  => file,
  content => Deferred('inline_epp',
               ['PASSWORD=<%= $password.unwrap %>', $variables]),

Ordered Parameters

  • vault_uri: [string] Address of Vault service including protocol and port (required)
  • secret: [string] Path to secret (required)
  • field: [string] Field of secret (required)
  • kv_v2: [bool] Whether the secret is within a kv_v2 mount, which affects how we handle the data payload (required)
  • token_path: [string] If supplied, uses the token value found in a local file - otherwise, the function assumes that Vault authentication is handled via other means, such as AppRole, IAM, etc. (optional)
  • token_wrapped: [bool] Whether the token provided is wrapped (optional - default: false)


This module relies on Puppet Deferred Functions, which are only available in Puppet 6.22+