How can I set a pillar to the value returned from module.run

39 views
Skip to first unread message

Dennis Muller

unread,
Feb 5, 2025, 4:17:43 PMFeb 5
to Salt-users
I am trying to use the azurerm_keyvault_secret.get_secret module to pull a secret and use the value within my state.
I have the get_secret working, but I am not seeing how to assign the value from the return so that I can use it later in my states.

Dennis Muller

unread,
Feb 5, 2025, 4:48:34 PMFeb 5
to Salt-users
So for example, I have this


{% set authprofile = {"subscription_id" : "xxx", "tenant": "x", "secret": "xxx", "client_id": "xxxx"   } %}

get_secret:
  module.run:
    - name: azurerm_keyvault_secret.get_secret
    - vault_url: xxx
    - m_name: xxx
    - resource_group: xxx
    - location: xxx
    - tenant_id: xxxx
    - sku:  Standard
    - connection_auth:  {{ authprofile }}




When I run the state I get this output, and in the get_secret I see the value for the secret.
I just cant figure out how to capture the value and assign it for later use.

sudo salt-call state.apply states.azkv
local:
----------
          ID: Ensure key vault exists
    Function: azurerm_keyvault_vault.present
        Name: xxx
      Result: True
     Comment: xxx
     Started: 14:14:10.838650
    Duration: 10881.969 ms
     Changes:  
              ----------
              tags:
                  ----------
                  old:
                      ----------
                      app:
                          xxx
                      env:
                          xxx
                      owneremail:
                          xxx
                      servicetier:
                          zxxxx
----------
          ID: get_secret
    Function: module.run
        Name: azurerm_keyvault_secret.get_secret
      Result: True
     Comment: Module function azurerm_keyvault_secret.get_secret executed
     Started: 14:14:21.722054
    Duration: 506.676 ms
     Changes:  
              ----------
              ret:
                  ----------
                  id:
                      xxx
                  name:
                      xxx
                  properties:
                      ----------
                      content_type:
                          None
                      created_on:
                           xxx
                      enabled:
                          True
                      expires_on:
                          None
                      id:
                           xxx
                      key_id:
                          None
                      name:
                           xxx
                      not_before:
                          None
                      recovery_level:
                           xxx
                      tags:
                          None
                      updated_on:
                           xxx
                      vault_url:
                           xxx
                      version:
                           xxx
                  value:
                       xxx

Summary for local
------------
Succeeded: 2 (changed=2)
Failed:    0
------------
Total states run:     2
Total run time:  11.389 s

Phipps, Thomas

unread,
Feb 5, 2025, 6:19:01 PMFeb 5
to salt-...@googlegroups.com

the short answer is. you don’t

if it happens in the states the information isn’t available in jinja or in pillar.

if you want to use it in jinja it needs to happen in jinja. in your example
now this can happen on the minion in a state. or it can happen on the master as pillar.
{% set aws_secret_sauce = salt["azurem_keyvault_secret.get_secret"](valut_url=xxx, name=xxx, resource_group=xxx, location=xxx, tenant_id=xxx, sku="Standard", connection_auth=authprofile)%}

if you need to happen after the jinja is rendered during the state run for some reason. you can call it with slots. https://docs.saltproject.io/en/3006/topics/slots/index.html but slots are really limited in what they can do or go.


On Wed, Feb 5, 2025 at 1:17 PM Dennis Muller <redran...@gmail.com> wrote:
I am trying to use the azurerm_keyvault_secret.get_secret module to pull a secret and use the value within my state.
I have the get_secret working, but I am not seeing how to assign the value from the return so that I can use it later in my states.

--
You received this message because you are subscribed to the Google Groups "Salt-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/salt-users/87f42884-daa0-40d2-a48c-ba2e1fe731c0n%40googlegroups.com.

Dennis Muller

unread,
Feb 6, 2025, 6:28:18 AMFeb 6
to Salt-users
Thank you for your response. After posting this initially I thought to try with jinja but got stuck on the syntax. I have tried it both with and without the ['value'] but the error is the same.
I would actually prefer to use the jinja. 


{% set authprofile = {"subscription_id" : "xxx", "tenant": "xxx", "secret": "xxx", "client_id": "xxx"   } %}

{% set return = salt['azurerm_keyvault_secret.get_secret'](vault_url="xxxx",name="xxxt",resource_group="xxxxx",location="xxxxx",tenant_id="xxxx",connection_auth={{ authprofile }} )[value'] %}

sudo salt-call state.apply states.azkv4
[ERROR   ] Rendering exception occurred
Traceback (most recent call last):
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/templates.py", line 467, in render_jinja_tmpl
    template = jinja_env.from_string(tmplstr)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/jinja2/environment.py", line 1108, in from_string
    return cls.from_code(self, self.compile(source), gs, None)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/jinja2/environment.py", line 768, in compile
    self.handle_exception(source=source_hint)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/jinja2/environment.py", line 939, in handle_exception
    raise rewrite_traceback_stack(source=source)
  File "<unknown>", line 38, in template
jinja2.exceptions.TemplateSyntaxError: expected token ':', got '}'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/templates.py", line 211, in render_tmpl
    output = render_str(tmplstr, context, tmplpath)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/templates.py", line 484, in render_jinja_tmpl
    raise SaltRenderError(f"Jinja syntax error: {exc}{out}", line, tmplstr)
salt.exceptions.SaltRenderError: Jinja syntax error: expected token ':', got '}'; line 38

---
[...]

    - location: xxx
    - tenant_id: xxx
    - sku:  xxx
    - connection_auth:  {{ authprofile }}

{% set return = salt['azurerm_keyvault_secret.get_secret'](vault_url="xxx",name="xxxx",resource_group="xxxxx",location="xxx",tenant_id="x",connection_auth={{ authprofile }} )[value'] %}    <======================
---
[CRITICAL] Rendering SLS 'sbxpoc:states.azkv4' failed: Jinja syntax error: expected token ':', got '}'; line 38

---
[...]

    - location: xxx
    - tenant_id: xxx
    - sku:  xxx
    - connection_auth:  {{ authprofile }}

{% set return = salt['azurerm_keyvault_secret.get_secret'](vault_url="xxx",name="xxxx",resource_group="xxxxx",location="xxx",tenant_id="x",connection_auth={{ authprofile }} )[value'] %}      <======================
---
local:
    Data failed to compile:
----------
    Rendering SLS 'sbxpoc:states.azkv4' failed: Jinja syntax error: expected token ':', got '}'; line 38

---
[...]

    - location: xxx
    - tenant_id: xxx
    - sku:  xxx
    - connection_auth:  {{ authprofile }}

{% set return = salt['azurerm_keyvault_secret.get_secret'](vault_url="xxx",name="xxxx",resource_group="xxxxx",location="xxx",tenant_id="x",connection_auth={{ authprofile }} )[value'] %}      <======================




Phipps, Thomas

unread,
Feb 6, 2025, 7:08:35 AMFeb 6
to salt-...@googlegroups.com

the problem is not the use or not use of value. it is your use of {{}} {{}} is shorthand for enter jinja and output result. you don’t need that from within a jinja block.
this is why in my example i did not put the {{}} you just pass the variable as is.

{% set return = salt['azurerm_keyvault_secret.get_secret'](vault_url="xxxx",name="xxxt",resource_group="xxxxx",location="xxxxx",tenant_id="xxxx",connection_auth=authprofile )[value'] %}


Dennis Muller

unread,
Feb 6, 2025, 7:26:47 AMFeb 6
to Salt-users
Thank you for your prompt response. I had run across a post about using pillar values in this manner, and had tried it the way you suggested but that syntax did not work either.

I looked at it closer and found I had a syntax error. 
Thank you for your assistance, I was able to get it working as I needed.

I really appreciate your assistance and patience.
Reply all
Reply to author
Forward
0 new messages