The catalog contains sensitive information in clear text and sets a flag
that the resource parameter is sensitive. You must treat a catalog as
sensitive information.
If you are seeing "redacted" in your catalog, that means that compilation
transformed a Sensitive value into a String and used the string value in
the catalog. That must be a problem in your manifests (or a module).
The recommended secure way to handle secrets is to use the `Deferred`
feature in Puppet 6 and to use an external secrets server - for example
Vault. The Deferred feature makes it possible to call functions on the
agent and this is used to look up secrets with the agent's credentials.
Thus, there is never a secret in clear text during compilation, and thus
also not in the catalog. When the looked up value is produced on the
agent, it sets the clear text value in the resource and sets the flag
that indicates that it is sensitive. This is a signal to the puppet
resource harness to redact the information in reports and logs. A custom
provider may need to be reviewed and modified to ensure that it does not
spill a secret (for example, it may need to be changed to check if a
resource attribute is flagged as sensitive before logging it).
Hope that helps.
Best,
- henrik
> Jason
--
Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/
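
An added example, not part of the message above and not Puppet's own code: a small Ruby audit of a JSON catalog that separates the three cases the reply describes (clear text with the sensitive flag, a Sensitive value that was turned into a String, and a Deferred value resolved on the agent). The sample catalog is constructed; the `sensitive_parameters` and `__ptype` field names, the "value redacted" marker and the `vault_lookup::lookup` arguments are assumptions about the catalog layout, and only top-level parameter values are inspected.

```ruby
require 'json'

# Constructed sample catalog (abridged). Resources and values are made up.
SAMPLE_CATALOG = <<~JSON
  {"resources": [
    {"type": "File", "title": "/etc/app/db.conf",
     "parameters": {"content": "password=example-only", "mode": "0600"},
     "sensitive_parameters": ["content"]},
    {"type": "File", "title": "/etc/app/api.conf",
     "parameters": {"content": "token=Sensitive [value redacted]"}},
    {"type": "File", "title": "/etc/app/vault.conf",
     "parameters": {"content": {"__ptype": "Deferred",
       "name": "vault_lookup::lookup",
       "arguments": ["secret/app", "https://vault.example.test:8200"]}}}
  ]}
JSON

# Assumed marker left behind when a Sensitive value is used as a String.
REDACTED = /value redacted/i

# Returns [resource_ref, parameter, kind] triples for every parameter that
# carries, used to carry, or will carry a secret.
def audit_catalog(json)
  findings = []
  JSON.parse(json).fetch('resources', []).each do |res|
    ref = "#{res['type']}[#{res['title']}]"
    flagged = res.fetch('sensitive_parameters', [])
    res.fetch('parameters', {}).each do |name, value|
      if value.is_a?(Hash) && value['__ptype'] == 'Deferred'
        # Looked up on the agent: no secret in the catalog.
        findings << [ref, name, :deferred]
      elsif flagged.include?(name)
        # Clear text in the catalog, flagged so reports and logs redact it.
        findings << [ref, name, :cleartext_flagged]
      elsif value.is_a?(String) && value.match?(REDACTED)
        # Manifest or module bug: the resource receives the literal marker.
        findings << [ref, name, :redacted_string]
      end
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit_catalog(SAMPLE_CATALOG).each do |ref, name, kind|
    puts format('%-28s %-10s %s', ref, name, kind)
  end
end
```

A `:cleartext_flagged` result means the catalog file itself must be protected like the secret; a `:redacted_string` result points at the manifest or module line that interpolated the Sensitive value.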