Puppet Plugin


The following Ruby gems must be installed and loadable from Puppet:

  • Vault (Ruby API client for interacting with a Vault server).
  • Debouncer (Background thread debouncing for Ruby).
gem install vault
gem install debouncer

Hiera_vault module (Hiera 5 backend to query data lookups from vault) is available by installing the petems/hiera_vault module into your environment:

puppet module install petems/hiera_vault

Hiera Configuration

Create hiera.yaml at the following path /etc/puppet/

version: 5
  - name: "Hiera-vault lookup"
    lookup_key: hiera_vault
      ssl_verify: false
      address: https://hvp.akeyless.io
      token: "<access-id>..<access-key>"
          - data



Akeyless developed API compatibility with Hashicorp Vault OSS, enabling the use of Vault OSS community plugins for both Static & Dynamic Secrets, you can find more information here

Create a sample module

Create init.pp with the following:

class akeyless_vault_demo {
  $secret_name = "MySecret"
  $vault_lookup = lookup({"name" => $secret_name, "default_value" => "No Vault Secret Found"})
  $secret_value = $vault_lookup["data"][$secret_name]
  file { '/tmp/hello_from_akeyless':
      content => "Secret is: [${secret_value}]\n"

Secret fetch

Retrieve the secret at the Puppet agent using the following command:

root@ub-vm:~# puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for ub-vm.localdomain
Info: Applying configuration version '1589275681'
Notice: /Stage[main]/Akeyless_vault_demo/File[/tmp/hello_from_akeyless]/ensure: defined content as '{md5}b1520033f813b64694200ca5264e3f79'
Notice: Applied catalog in 0.01 seconds

Present the secret value:

root@ub-vm:~# cat /tmp/hello_from_akeyless
Secret is: [my secret password]



Puppet Plugin repo - A hiera backend for access to secrets being stored in Vault -