Puppet Plugin
Prerequisites
The vault and debouncer gems must be installed and loadable from Puppet.
    gem install vault
    gem install debouncer
The data provider is available by installing the petems/hiera_vault module into your environment:
    puppet module install petems/hiera_vault
Hiera Configuration
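Create hiera.yaml in /etc/puppet/ with the following content:
    ---
    version: 5
    hierarchy:
      - name: "Hiera-vault lookup"
        lookup_key: hiera_vault
        options:
          # false disables TLS certificate verification for the connection to
          # the address below; set it to true outside of test setups.
          ssl_verify: false
          address: https://hvp.akeyless.io
          # Akeyless access ID and access key, separated by ".."
          token: "<access-id>..<access-key>"
          mounts:
            secret:
              - data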
Create a sample module
modules/akeyless_vault_demo
Create init.pp with the following:
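    class akeyless_vault_demo {
      # Name of the secret to fetch through the hiera_vault backend
      $secret_name = "MySecret"
      # Returns the default string when the lookup finds nothing
      $vault_lookup = lookup({"name" => $secret_name, "default_value" => "No Vault Secret Found"})
      # The secret value sits under "data" and then the secret name in the result
      $secret_value = $vault_lookup["data"][$secret_name]
      # Demo only: writes the secret in plain text to a file under /tmp
      file { '/tmp/hello_from_akeyless':
        content => "Secret is: [${secret_value}]\n"
      }
    }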
Secret fetch
Retrieve the secret on the Puppet agent using the following command:
    # puppet agent -t
    Info: Using configured environment 'production'
    Info: Retrieving pluginfacts
    Info: Retrieving plugin
    Info: Retrieving locales
    Info: Loading facts
    Info: Caching catalog for ub-vm.localdomain
    Info: Applying configuration version '1589275681'
    Notice: /Stage[main]/Akeyless_vault_demo/File[/tmp/hello_from_akeyless]/ensure: defined content as '{md5}b1520033f813b64694200ca5264e3f79'
    Notice: Applied catalog in 0.01 seconds
Display the secret value:
    # cat /tmp/hello_from_akeyless
    Secret is: [my secret password]
Plugin repo for Puppet
A Hiera backend for accessing secrets stored in Vault:
https://forge.puppet.com/modules/petems/hiera_vault