

A task to access Bolt configuration from secrets stored in a Hashicorp Vault server


Version information

  • 0.4.0 (latest)
  • 0.3.0
  • 0.2.2
  • 0.2.1
  • 0.2.0
  • 0.1.0 (deleted)
released Jan 22nd 2021
This version is compatible with:
  • Puppet Enterprise 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2016.4.x
  • Puppet >= 4.10.0 < 8.0.0

Start using this module

Add this module to your Puppetfile:

mod 'puppetlabs-vault', '0.4.0'

Add this module to your Bolt project:

bolt module add puppetlabs-vault

Manually install this module globally with Puppet module tool:

puppet module install puppetlabs-vault --version 0.4.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



puppetlabs/vault — version 0.4.0 Jan 22nd 2021

Bolt Vault plugin

This module provides a plugin which allows config values to be set by accessing secrets from a Key/Value engine on a Vault server.

Table of Contents

  1. Requirements
  2. Usage
  3. Examples


Requirements

You will need to have a Vault server running, and a way to authenticate with the server.


Usage

The Vault plugin supports several options:

  • server_url: The URL of the Vault server (optional, defaults to ENV['VAULT_ADDR'])
  • auth: The method for authorizing with the Vault server and any necessary parameters (optional, defaults to ENV['VAULT_TOKEN'])
  • path: The path to the secrets engine (required)
  • field: The specific secret being used (optional, defaults to a Ruby hash of all secrets at the path)
  • version: The version of the K/V engine (optional, defaults to 1)
  • cacert: Path to the CA certificate (optional, required if using TLS)

Authentication Methods

Vault requires a token to assign an identity and set of policies to a user before accessing secrets. The Vault plugin offers 2 authentication methods:


Token

Authenticate using a token. This method requires the following fields:

  • method: The value of method must be token
  • token: The token to authenticate with


Userpass

Request a token by logging into the Vault server with a username and password. This method requires the following fields:

  • method: The value of method must be userpass
  • user: The username
  • pass: The password


Examples

You can add any Vault plugin field to the inventory configuration. The following example shows how you would access the private-key secret on a KVv2 engine mounted at secrets/bolt:

version: 2
targets:
  - ...
    config:
      ssh:
        user: root
        private-key:
          key-data:
            _plugin: vault
            auth:
              method: userpass
              user: bolt
              pass: bolt
            path: secrets/bolt
            field: private-key
            version: 2

You can also set configuration in your Bolt config file under the plugins field. If a field is set in both the inventory file and the config file, Bolt will use the value set in the inventory file. The available fields for the config file are:

  • server_url
  • cacert
  • auth

plugins:
  vault:
    cacert: /path/to/ca
    auth:
      method: token
      token: xxxxx-xxxxx
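
As an added example (not code from the puppetlabs-vault module), this Ruby script walks a Bolt inventory for `_plugin: vault` references and flags option combinations worth reviewing: a missing required path, credentials written inline under auth, a plain-http server_url, and an https server_url with no cacert. The sample inventory, host names and function names are constructed for illustration; server_url, cacert and auth can also come from the Bolt config file or the environment, so treat findings as review prompts rather than hard errors.

```ruby
require 'yaml'
# Constructed sample inventory (hosts and values are made up for this example).
SAMPLE_INVENTORY = <<~YAML
  targets:
    - uri: web1.example.test
      config:
        ssh:
          private-key:
            key-data:
              _plugin: vault
              server_url: http://vault.example.test:8200
              auth: { method: userpass, user: bolt, pass: bolt }
              path: secrets/bolt
              field: private-key
              version: 2
    - uri: web2.example.test
      config:
        ssh:
          password: { _plugin: vault, path: secrets/bolt, field: password }
YAML

# Recursively collect [location, hash] for every `_plugin: vault` reference.
def vault_refs(node, trail = [], found = [])
  case node
  when Hash
    found << [trail.join('.'), node] if node['_plugin'] == 'vault'
    node.each { |k, v| vault_refs(v, trail + [k.to_s], found) }
  when Array
    node.each_with_index { |v, i| vault_refs(v, trail + [i.to_s], found) }
  end
  found
end

# Check one reference against the plugin options documented on this page.
def audit_ref(ref)
  auth = ref['auth'].is_a?(Hash) ? ref['auth'] : {}
  url = ref['server_url'].to_s
  issues = []
  issues << 'path is required' if ref['path'].to_s.empty?
  issues << 'credential stored inline in auth' if auth.key?('token') || auth.key?('pass')
  issues << 'server_url is plain http' if url.start_with?('http://')
  issues << 'https server_url without cacert' if url.start_with?('https://') && !ref['cacert']
  issues
end

# Map each reference's location in the inventory to its list of findings.
def audit_inventory(yaml_text)
  vault_refs(YAML.safe_load(yaml_text)).to_h { |where, ref| [where, audit_ref(ref)] }
end
```

The second sample target produces no findings because it leaves server_url and auth to the VAULT_ADDR and VAULT_TOKEN defaults described in the options list.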