Puppet Plugin


  • Puppet version 6 or later.
  • Puppet/vault_lookup module installed

The puppet/vault_lookup module can be installed by running the following command on your server:

puppet module install puppet/vault_lookup



Akeyless developed API compatibility with Hashicorp Vault OSS, enabling the use of Vault OSS community plugins for both Static & Dynamic Secrets, you can find more information here

Create a sample module

Create init.pp on your Puppet server as follows:

$variables = {
 'token' => Deferred('vault_lookup::lookup', 
  		'vault_addr'  => 'https://hvp.akeyless.io',
  		'auth_method' => 'approle',
  		'role_id'     => 'Access ID',
  		'secret_id'   => 'Access Key',
		'approle_path_segment' => 'v1/auth/approle/login',

file { '/tmp/secret.txt':
  ensure  => file,
  content => Deferred('inline_epp',
               ['<%= $token.unwrap %>', $variables]),


  • secret/<path/to/secret_name>: A full secret name, with secret prefix.
  • vault-addr: either the public hvp endpoint, or your Gateway URL on port 8200.
  • role_id: Set with your API Key auth method AccessID.
  • secret_id: Set with the matching API Key value.

The following logic will create a txt file with the secret value, where for the sake of simplicity we are running cat command to print the value, this should not be used as is in a production environment.

Secret fetch

Retrieve the secret at the Puppet agent using the following command:

puppet agent -t