Puppet Plugin

Puppet is one of the most mature configuration management tools.


The vault and debouncer gems must be installed and loadable from Puppet.

gem install vault
gem install debouncer

The data provider is available by installing the petems/hiera_vault module into your environment:

# puppet module install petems/hiera_vault

Hiera Configuration

Create hiera.yaml at the following path /etc/puppet/

version: 5
  - name: "Hiera-vault lookup"
    lookup_key: hiera_vault
      ssl_verify: false
      address: https://hvp.akeyless.io
      token: "<access-id>..<access-key>"
          - data

Create a sample module

Create init.pp with the following:

class akeyless_vault_demo {
  $secret_name = "MySecret"
  $vault_lookup = lookup({"name" => $secret_name, "default_value" => "No Vault Secret Found"})
  $secret_value = $vault_lookup["data"][$secret_name]
  file { '/tmp/hello_from_akeyless':
      content => "Secret is: [${secret_value}]\n"

Secret fetch

Retrieve the secret at the Puppet agent using the following command:

[email protected]:~# puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for ub-vm.localdomain
Info: Applying configuration version '1589275681'
Notice: /Stage[main]/Akeyless_vault_demo/File[/tmp/hello_from_akeyless]/ensure: defined content as '{md5}b1520033f813b64694200ca5264e3f79'
Notice: Applied catalog in 0.01 seconds

Present the secret value:

[email protected]:~# cat /tmp/hello_from_akeyless
Secret is: [my secret password]


Plugin repo for Puppet

A hiera backend for access to secrets being stored in Vault -