using vault


sli...@verizon.net

May 24, 2023, 7:13:14 PM
to Puppet Users
Hello,

I have Vault set up using a role and secret ID.
I downloaded the puppetlabs-vault module and saw the code snippet that goes with that module: https://www.puppet.com/integrations/vault-by-hashicorp

With the vault_lookup::lookup deferred method, I don't want to pass my role and secret, so the other option is to set them as environment variables. The question is: do I need to set that up on the Puppet server or on the Puppet agent? Where may be the best place to set that up? If it is on the Puppet server, can I set that up in, say, the puppet.service file? If on the agent, where may be the right place to set that up?

Thanks

S

Ben Ford

May 24, 2023, 8:27:23 PM
to puppet...@googlegroups.com
Deferred functions run on the agent. The Vault connection will be made from the agent. Therefore, if you configure Vault using environment variables, you'll want to do so on the agent. If you're using systemd, you should be able to configure those in the .service file as you suggest.




sli...@verizon.net

May 25, 2023, 3:03:30 PM
to Puppet Users
Thanks. I added it to /etc/sysconfig/puppet and it looks like the agent service is up.
However, I ran into another issue.

I need to pass the vault_token to my EPP, where I am going to use it.

So I have

# $vault_path and $vault_my_key together should look like auth/puppet/MY_KEY

  $variables = {
      # double quotes are required for interpolation; single quotes would pass the literal text '$vault_path$vault_my_key' to Vault
      'my_key' => Deferred('vault_lookup::lookup', ["${vault_path}${vault_my_key}"]),
  }

and then how should I add this value to the EPP?

content  => epp('cmd/some.epp', { 'param1' => $param1, 'my_key' => Deferred('inline_epp', ['<%= $my_key.unwrap %>', $variables])}),

However, that gives me an error when I run puppet agent -t:
my_key, expects a string value.

What should be the correct way to pass this key to my EPP?
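The pattern Puppet documents for this case, written out as an added example (this is not code from the thread or from the puppetlabs-vault module itself): the whole template render is deferred, so the server never calls epp() on a Deferred value and the secret only ever exists on the agent. The class name, the parameter defaults, the inlined template standing in for cmd/some.epp, the 'value' key indexed out of the secret, and /etc/some.conf are all placeholders chosen here. It also assumes the agent service's environment already carries VAULT_ADDR, VAULT_AUTH_METHOD=approle, VAULT_ROLE_ID and VAULT_SECRET_ID (variable names as given in the puppetlabs-vault README; confirm them against the module version installed), so only the path is passed to vault_lookup::lookup.

```puppet
# Added example, not from the original post or the module's own docs.
#
# Assumptions (placeholders, not from the thread):
#   - $vault_path and $vault_my_key concatenate to the KV path, e.g. auth/puppet/MY_KEY.
#   - Vault address and AppRole credentials come from the agent process
#     environment (VAULT_ADDR, VAULT_AUTH_METHOD, VAULT_ROLE_ID, VAULT_SECRET_ID
#     per the puppetlabs-vault README; verify for your module version), so the
#     lookup is called with the path only.
#   - The secret stores the wanted string under the key 'value'.
class profile::vault_consumer (
  String $vault_path   = 'auth/puppet/',
  String $vault_my_key = 'MY_KEY',
  String $param1       = 'value1',
) {
  # The path is built at compile time with double-quoted interpolation
  # (single quotes would send the literal text "$vault_path$vault_my_key").
  # The path is not secret; only the lookup result is.
  $secret_path = "${vault_path}${vault_my_key}"

  # Template variables for the agent-side render. The Deferred is left
  # unresolved here: the server serialises it into the catalog and the agent
  # resolves it (contacting Vault) just before applying the resource.
  # vault_lookup::lookup returns a Sensitive wrapping the secret's data hash,
  # which is why the template has to .unwrap it and pick the key it needs.
  $template_vars = {
    'param1' => $param1,
    'my_key' => Deferred('vault_lookup::lookup', [$secret_path]),
  }

  # Calling epp() directly with a Deferred inside its parameter hash fails with
  # "expects a String value": epp() runs on the server at compile time and sees
  # a Deferred object, not the string the agent will produce later. Deferring
  # inline_epp instead moves the whole render to the agent. The template is
  # inlined here so the example is self-contained; it stands in for cmd/some.epp.
  $template = @(EPP)
    <%- | String $param1, Sensitive $my_key | -%>
    param1 = <%= $param1 %>
    my_key = <%= $my_key.unwrap['value'] %>
    | EPP

  file { '/etc/some.conf':
    ensure    => file,
    owner     => 'root',
    group     => 'root',
    mode      => '0600',   # the rendered file contains the secret
    show_diff => false,    # keep the secret out of agent logs and reports
    content   => Deferred('inline_epp', [$template, $template_vars]),
  }
}
```

Two practical checks go with this: the AppRole secret_id lives in the agent's environment file (the EnvironmentFile the puppet.service unit reads, /etc/sysconfig/puppet on EL-family hosts), so that file should be root-owned and mode 0600; and because the Vault call is made from the agent, every agent needs network reachability to the Vault address, not the Puppet server.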

Aaron Russo

May 25, 2023, 3:09:09 PM
to puppet...@googlegroups.com
Have you looked at / considered using Puppet's client cert to authenticate to Vault and generate a token?

With recent releases of Vault, the issue with getting cert metadata exposed has been fixed, so you can write policies based on trusted facts/cert extensions.

--

Aaron Russo (He/Him/His)
PIXAR | Network & Server Admins (NSA) | Senior Systems Engineer
aru...@pixar.com
nsa-team.pixar.com (internal-only)

sli...@verizon.net

May 25, 2023, 3:19:57 PM
to Puppet Users
Thanks.

Do you have documentation for that? I am using Enterprise Vault and my agents are behind a firewall, so agent certs will not be trusted by Vault. Not sure if this will work, but I can see if this is feasible.

-S