Forge Home

vault

Retrieve secrets from Hashicorp Vault

8,203 downloads

8,203 latest version

3.1 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.1.0 (latest)
released Apr 29th 2021
This version is compatible with:
  • Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
  • Puppet >= 6.21.0 < 8.0.0
  • , , , , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'czembower-vault', '0.1.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add czembower-vault
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install czembower-vault --version 0.1.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

czembower/vault — version 0.1.0 Apr 29th 2021

puppet-vault

Table of Contents

  1. Description
  2. Usage
  3. Limitations

Description

Puppet module that provides a function to access Hashicorp Vault secrets within Puppet manifests. Utilizes the Deferred Function capabilities of Puppet 6.22+ to enable client-side lookups at agent run time. Appropriate use cases include delivering the secret to an input parameter of another module, or rendering a template file that contains the secret value.

Usage

Simply declare the function with appropriate parameters to store your secret in a variable. Input parameters to the function are ordered (not named).

$my_secret_value = Deferred(
    'vault::get_secret', [
      'http://127.0.0.1:8100',         # address of Vault service
      'path/to/my/secret',             # path to secret in Vault 
      'field',                         # field of secret
      false                            # boolean to set whether secret is kv_v2 type
    ]
  )

To render a template that contains the secret value, use inline_epp:

$variables = {
  'password' => Deferred(
                    'vault::get_secret', [
                    'http://127.0.0.1:8100',
                    'path/to/my/secret',
                    'field',
                    false
                    ]
                )
}

file { '/etc/secrets.conf':
  ensure  => file,
  content => Deferred('inline_epp',
               ['PASSWORD=<%= $password.unwrap %>', $variables]),
}

Ordered Parameters

  • vault_uri: [string] Address of Vault service including protocol and port (required)
  • secret: [string] Path to secret (required)
  • field: [string] Field of secret (required)
  • kv_v2: [bool] Whether the secret is within a kv_v2 mount, which affects how we handle the data payload (required)
  • token_path: [string] If supplied, uses the token value found in a local file - otherwise, the function assumes that Vault authentication is handled via other means, such as AppRole, IAM, etc. (optional)
  • token_wrapped: [bool] Whether the token provided is wrapped (optional - default: false)

Limitations

This module relies on Puppet Deferred Functions, which are only available in Puppet 6.22+