Puppet Plugin


The vault and debouncer gems must be installed and loadable from Puppet.

gem install vault
gem install debouncer

The data provider is available by installing the petems/hiera_vault module into your environment:

puppet module install petems/hiera_vault

Hiera Configuration

Create hiera.yaml in /etc/puppet/ with the following content:

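version: 5
hierarchy:
  - name: "Hiera-vault lookup"
    lookup_key: hiera_vault
    options:
      # false disables TLS certificate verification for the address below
      ssl_verify: false
      address: https://hvp.akeyless.io
      # Akeyless access ID and access key, joined by ".."
      token: "<access-id>..<access-key>"
      mounts:
        "<mount-name>":   # placeholder: name of the mount to read from
          - data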
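
A small audit of the hiera.yaml settings above, as an added example (not code from the original page or from the hiera_vault project): it flags `ssl_verify: false`, a non-HTTPS `address`, and a `token` stored in a file that is accessible beyond its owner. The function name `audit_hiera_vault`, the `<mount-name>` placeholder and the 0644 file mode used for the sample are assumptions made for this example.

```ruby
require 'yaml'

# Constructed sample mirroring the hiera.yaml layout described on this page;
# "<mount-name>" is a placeholder, not a value taken from the page.
SAMPLE = <<~YAML
  version: 5
  hierarchy:
    - name: "Hiera-vault lookup"
      lookup_key: hiera_vault
      options:
        ssl_verify: false
        address: https://hvp.akeyless.io
        token: "<access-id>..<access-key>"
        mounts:
          "<mount-name>":
            - data
YAML

# Returns a list of finding strings for every hiera_vault level in the config.
# file_mode is the permission bits of hiera.yaml (File.stat(path).mode & 0o777).
def audit_hiera_vault(yaml_text, file_mode: nil)
  config = YAML.safe_load(yaml_text) || {}
  findings = []
  Array(config['hierarchy']).each do |level|
    next unless level.is_a?(Hash) && level['lookup_key'] == 'hiera_vault'
    name = level['name'] || '(unnamed)'
    opts = level['options'] || {}
    if opts['ssl_verify'] == false
      findings << "#{name}: ssl_verify is false, server certificate is not verified"
    end
    unless opts['address'].to_s.start_with?('https://')
      findings << "#{name}: address is not https"
    end
    token = opts['token'].to_s
    if !token.empty? && file_mode && (file_mode & 0o077) != 0
      findings << format('%s: token stored in a file with mode %04o, restrict to owner', name, file_mode)
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0]
  text = path ? File.read(path) : SAMPLE
  mode = path ? File.stat(path).mode & 0o777 : 0o644 # 0644 assumed for the sample
  audit_hiera_vault(text, file_mode: mode).each { |f| puts f }
end
```

Run it with the path to a real hiera.yaml as the first argument to audit that file instead of the embedded sample.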

Create a sample module

Create init.pp with the following:

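class akeyless_vault_demo {
  # Name of the secret to look up through the hiera_vault backend
  $secret_name = "MySecret"
  $vault_lookup = lookup({"name" => $secret_name, "default_value" => "No Vault Secret Found"})
  $secret_value = $vault_lookup["data"][$secret_name]
  # Demo only: write the value to a file so the lookup result can be inspected
  file { '/tmp/hello_from_akeyless':
      content => "Secret is: [${secret_value}]\n"
  }
}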

Secret fetch

Retrieve the secret at the Puppet agent using the following command:

# puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for ub-vm.localdomain
Info: Applying configuration version '1589275681'
Notice: /Stage[main]/Akeyless_vault_demo/File[/tmp/hello_from_akeyless]/ensure: defined content as '{md5}b1520033f813b64694200ca5264e3f79'
Notice: Applied catalog in 0.01 seconds

Present the secret value:

# cat /tmp/hello_from_akeyless
Secret is: [my secret password]


Plugin repo for Puppet

A hiera backend for access to secrets being stored in Vault.
