Puppet Plugin

Prerequisites

• Puppet version 6 or later.
• Puppet/vault_lookup module installed

The puppet/vault_lookup module can be installed by running the following command on your server:

puppet module install puppet/vault_lookup

👍

Note

Akeyless developed API compatibility with HashiCorp Vault OSS, enabling the use of Vault OSS community plugins for both Static and Dynamic Secrets, you can find more information here

Create a Sample Module

Create init.pp on your Puppet server as follows:

$variables = {
    'token' => Deferred('vault_lookup::lookup', 
    ['secret/<path/to/secret_name>', 
    {
        'vault_addr'  => 'https://hvp.akeyless.io',
        'auth_method' => 'approle',
        'role_id'     => 'Access ID',
        'secret_id'   => 'Access Key',
        'approle_path_segment' => 'v1/auth/approle/login',
    }
    ])
}

file { '/tmp/secret.txt':
  ensure  => file,
  content => Deferred('inline_epp',
               ['<%= $token.unwrap %>', $variables]),
} 

Where:

• secret/<path/to/secret_name>: A full secret name, with secret prefix.
• vault-addr: either the public /8000/hvp endpoint, or your Gateway URL on port 8200.
• role_id: Set with your API Key Auth Method AccessID.
• secret_id: Set with the matching API Key value.

The following logic will create a txt file with the secret value, where for the sake of simplicity we are running cat command to print the value, this should not be used as is in a production environment.

Secret Fetch

Retrieve the secret at the Puppet agent using the following command:

puppet agent -t