Using vault with puppet


Andy Lee
Jul 14, 2015, 12:30:39 PM
to vault...@googlegroups.com
Hi all,

I'm using vault for a project I'm working on and am having some trouble finding documentation on how vault is usually implemented with puppet. Basically, I'm setting up a simple proof of concept where puppet can unseal, read, and apply the secrets to a template. What should the auth backend be in this scenario? I was thinking auth by app-id/user-id could work. 

I also found https://github.com/EvanKrall/puppet-vault, but it seems like it doesn't have all the puppet logic to do the above.

I'm just looking for a bit of guidance on what the workflow should look like. So far, I've set up vault in non-dev mode using the basic file backend.

Thanks in advance!

Armon Dadgar
Jul 14, 2015, 11:32:53 PM
to vault...@googlegroups.com, Andy Lee
Hey Andy,

It is best to think about Vault as a database within the context of puppet or any configuration management tool.
Secrets should be accessed online, so that you can handle leasing and renewal, instead of offline in a config management tool.

The way we recommend doing this is with consul-template. We also use puppet at HashiCorp, but instead of having
puppet read the secrets into the templates, we have puppet set up and deploy consul-template, which reads from
Vault and updates the templates at runtime, instead of when the CM tool runs.

Hope that helps!

Best Regards,
Armon Dadgar

Jonathan Sokolowski
Jul 14, 2015, 11:42:12 PM
to vault...@googlegroups.com
Hi Andy,

I've been working on a hiera backend which talks to vault. It may work for your needs.

I'd recommend the consul-template approach where possible, however there are some scenarios where having read access to secrets is useful (e.g. getting credentials for a package management system so Puppet can install packages).

- Jonathan

Andy Lee
Jul 15, 2015, 12:29:29 AM
to vault...@googlegroups.com, andy....@gmail.com
I was thinking of using consul later down the line but for now I wanted to keep it simple and have as few dependencies as possible. Could you illustrate how I could best implement that? I was thinking of only allowing read access to puppet as a policy and root for read/write.

I assume puppet would need to do the following before reading and applying to the template:
- check if vault is initialized and auth (what would be the best auth method?)
- check if vault is sealed
- unseal if necessary
- read from vault and write value into template at runtime


Andy Lee
Jul 15, 2015, 12:32:02 AM
to vault...@googlegroups.com
Hi Jonathan,

The hiera backend looks interesting, but may be too complex for me to grasp right now. Still on the proof of concept level, but I'll definitely look at this later on.

On Tuesday, July 14, 2015 at 8:42:12 PM UTC-7, Jonathan Sokolowski wrote:

Armon Dadgar
Jul 15, 2015, 12:40:05 AM
to vault...@googlegroups.com, Andy Lee, andy....@gmail.com
Hey Andy,

Just to clarify, you can actually use consul-template without Consul. It can be used with
Vault alone. It is an annoying legacy of the name, but Consul isn’t actually required for the
templating functionality.

In terms of a deeper puppet integration as you’ve described, maybe somebody else can
shed more light. We don’t use puppet to integrate with Vault like this so I’m not sure. It’s not
really a recommended pattern or something we’ve spent much time on.

Best Regards,
Armon Dadgar
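The pattern Armon describes (Puppet deploys consul-template, which talks to Vault directly with no Consul involved), as an added example that is not part of this thread: a consul-template configuration that renders one Vault secret into a file. The Vault address, the KV path secret/data/app/db, the destination path and the reload command are assumptions, and the token is taken from the VAULT_TOKEN environment variable of the consul-template service rather than stored in the file.

```hcl
# consul-template configuration that uses Vault only: no consul {} stanza is
# needed for the templating to work. Puppet would manage this file and the
# consul-template service; Puppet itself never reads the secret.
vault {
  # Assumed address. The token is deliberately absent: consul-template reads
  # it from the VAULT_TOKEN environment variable of its own service unit, so
  # this file carries no credential and can be deployed like any other config.
  address     = "https://vault.example.internal:8200"

  # Keep the token alive and re-fetch secrets as their leases expire, which is
  # the "online access" the thread recommends over a one-shot offline read.
  renew_token = true
}

template {
  # Assumed destination; the rendered file is not world-readable, so the
  # secret is not exposed to every local user on the host.
  destination = "/etc/app/db.ini"
  perms       = 0640

  # Inline template. The path form secret/data/<name> and the .Data.data field
  # are for a KV version 2 mount; a KV version 1 mount uses secret/<name> and
  # .Data.<key> instead.
  contents = <<EOT
{{ with secret "secret/data/app/db" -}}
[database]
username = {{ .Data.data.username }}
password = {{ .Data.data.password }}
{{- end }}
EOT

  # Runs only after a successful render, so the application picks up rotated
  # credentials without a Puppet run (assumed unit name).
  command = "systemctl reload app"
}
```

The Vault policy attached to that token should grant only read on the one path, in line with the read-only policy Andy proposed for Puppet; rotating the secret in Vault is then picked up by consul-template without touching Puppet at all.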