A Puppet master password implementation that uses Puppet server's CA key to automate password creation.
Krzysztof Suszyński

Krzysztof Suszyński



1,432 latest version

5.0 quality score

Version information

  • 0.1.0 (latest)
released Oct 24th 2019
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2016.4.x
  • Puppet >= 4.10.0 < 7.0.0
  • CentOS

Start using this module


wavesoftware/passless — version 0.1.0 Oct 24th 2019

Passless for Puppet

Travis Build Status AppVeyor Build Status

It's a Puppet master password implementation that uses PuppetServer's CA to automate password creation.

Table of Contents

  1. Description
  2. Usage - Configuration options and additional functionality
  3. Development - Guide for contributing to the module


This module contains a a function passless::secret (and an alias passless) that will generate a password based on a name given. Each password will be generated using a master password algorithm. This algorithm will take a Puppet CA as a master password. Password generated will be unique to Puppet environment.

class { 'postgresql::server':
  postgres_password => passless::secret('postgresql::server'),


A passless::secret function takes a minimum of one argument. That argument is name of password to be generated.

Each password generation can be influenced by providing a options. Options are given on hashmap. Those options are:

  • counter - A sequential password number. Changing the password should be done by advancing this number. Default value is 1.
  • scope - A definition of scope that the password will be generated from. It may be one of (defaults to alnum):
    • num for numeric passwords,
    • alpha for alphabet based passwords, both big and small caps,
    • alnum for alphanumeric passwords, both big and small caps,
    • human for letters and numbers that are easy to distinguish by human,
    • keys for passwords that can be typed by keyboard, so letters, and numbers, and special characters,
    • utf8 these passwords contain utf-8 characters, so also a characters that aren't easy to type by keyboard,
    • list: followed by list of chars that might be used. Ex.: list:abcdef1234567890!$,
  • length - A length of password to be generated in number of signs. Default value is 16.
$options = {
  'counter' => 5,
  'scope'   => 'human',
  'length'  => 24,
user { 'root':
  password => passless::secret("root@${::fqdn}", $options),


Hiera integration isn't done yet (

All options described above can also be set via Hiera. To do this define a key that is created by adding a password name and suffix of ::counter, ::scope, or ::length. Ex.: 13 alnum 32

You can specify a counter both in Puppet code and in Hiera, counters will be summed. Specifying scope or length, in both places isn't supported and will result in compilation error.


Development is described in separate document

Release Notes

See for project release notes.