A hiera backend for access to secrets being stored in HashiCorp Vault
Latest commit 343d3e8 Dec 16, 2018


hiera_vault : a vault data provider function (backend) for Hiera 5


This is a backend function for Hiera 5 that allows lookups to be sourced from HashiCorp's Vault.

Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Vault presents a unified API to access multiple backends: HSMs, AWS IAM, SQL databases, raw key/value, and more.


  • This module is only compatible with Hiera 5 (ships with Puppet 4.9+) and version 1 of the Vault KV secrets engine. KV version 2 mounts, which version secrets and insert a data/ component into the read path, are not supported.


The vault gem must be installed into, and loadable from, every Ruby that will run the lookup: the agent's Ruby (used by puppet apply and puppet lookup) and the JRuby embedded in puppetserver, which has its own gem path. That is why there are two commands:

# /opt/puppetlabs/puppet/bin/gem install vault
# puppetserver gem install vault

Restart puppetserver after installing the gem so that the new gem path is picked up.


The data provider is available by installing the petems/hiera_vault module into your environment.

Currently you will have to clone the module into your code environment:

git clone https://github.com/petems/hiera-vault /etc/puppetlabs/code/environments/production/modules/hiera_vault

Or add it to your Puppetfile

mod 'hiera_vault',
  :git => 'https://github.com/petems/hiera-vault'

This will eventually be on the forge, and installable with the module command:

# puppet module install petems/hiera_vault


See the official Puppet documentation for more details on configuring Hiera 5.

The following is an example Hiera 5 hiera.yaml configuration for use with hiera-vault


version: 5

hierarchy:
  - name: "Hiera-vault lookup"
    lookup_key: hiera_vault
    options:
      confine_to_keys:
        - '^vault_.*'
        - '^.*_password$'
        - '^password.*'
      ssl_verify: false   # example only; leave verification on (the default) in production
      address: https://vault.foobar.com:8200
      token: <insert-your-vault-token-here>   # or set VAULT_TOKEN, or give the path to a token file
      default_field: value
      mounts:
        generic:
          - secret/puppet/%{::trusted.certname}/
          - secret/puppet/common/
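The example above turns certificate verification off and puts the token into hiera.yaml, a file that normally lives in version control. The following is an added, hardened variant of the same configuration (an editor's example, not from the project's README): verification stays at its default, and the token is read from a root-readable file. The file path /etc/puppetlabs/puppet/vault-token is an assumption, and the `mounts: generic:` nesting of the path list is assumed to match the module's own hiera.yaml example.

```yaml
version: 5

hierarchy:
  - name: "Hiera-vault lookup"
    lookup_key: hiera_vault
    options:
      confine_to_keys:          # only keys matching one of these are ever sent to Vault
        - '^vault_.*'
        - '^.*_password$'
        - '^password.*'
      ssl_verify: true          # the default; stated explicitly so nobody copies `false` from a test setup
      address: https://vault.foobar.com:8200
      token: /etc/puppetlabs/puppet/vault-token   # assumed path; mode 0400, owned by the puppetserver user
      default_field: value
      mounts:
        generic:
          - secret/puppet/%{::trusted.certname}/
          - secret/puppet/common/
```

The token in that file should be issued against a Vault policy that grants read only on the secret/puppet/ paths listed here, so that a compromise of the Puppet server yields no more than the secrets Puppet already distributes.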

The following mandatory Hiera 5 options must be set for each level of the hierarchy.

name: A human-readable name for the lookup

lookup_key: This option must be set to hiera_vault

The following are optional configuration parameters supported in the options hash of the Hiera 5 config.

address: The address of the Vault server, also read from ENV["VAULT_ADDR"]

token: The token to authenticate with Vault, also read from ENV["VAULT_TOKEN"], or a full path to a file containing the token. Prefer the file or the environment variable over a literal token: hiera.yaml usually lives in version control and is readable by everyone with access to the control repository.

confine_to_keys: Only use this backend if the key matches one of the regexes in the array. Keys that match none of them are answered as not found without contacting Vault, so if this option is omitted every lookup that reaches this hierarchy level is sent to Vault. For example:

    confine_to_keys:
      - "application.*"
      - "apache::.*"

ssl_verify: Specify whether to verify the Vault server's TLS certificate (default: true). Leave it enabled outside throwaway test setups: with verification off, anyone who can interpose on the connection can read the token and every secret returned.
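To make the option semantics above concrete, here is an added Ruby model of how such a lookup_key backend resolves a key: address and token fallbacks (including a token read from a file), confine_to_keys, the ordered path list, and default_field. It is an editor's example, not the hiera_vault module's code or the vault gem: the Vault client is a constructed in-memory stand-in for Vault::Client#logical.read, the `mounts`/`generic` option name for the path list and the "return the whole hash when default_field is absent" rule are assumptions, and the sample secrets and token are constructed.

```ruby
require 'tempfile'

# Constructed stand-in for the vault gem's Vault::Client#logical.read on a
# KV v1 mount: a hash of path => secret data, plus a log of every path read.
class FakeVaultClient
  Secret = Struct.new(:data)
  attr_reader :reads

  def initialize(store, ssl_verify:)
    @store = store
    @ssl_verify = ssl_verify   # a real client would hand this to the HTTPS layer
    @reads = []
  end

  def read(path)
    @reads << path
    data = @store[path]
    data ? Secret.new(data) : nil
  end
end

# Model of the backend's lookup semantics as described in the option docs
# (assumed behaviour, not the module's own code).
class HieraVaultLookup
  NOT_FOUND = Object.new.freeze
  attr_reader :address, :token, :client

  def initialize(options, env: ENV, store: {}, client_class: FakeVaultClient)
    @address = options['address'] || env['VAULT_ADDR']
    @token   = resolve_token(options['token'] || env['VAULT_TOKEN'])
    raise ArgumentError, 'no Vault address configured' if @address.to_s.empty?
    raise ArgumentError, 'no Vault token configured'   if @token.to_s.empty?

    @confine = Array(options['confine_to_keys']).map { |re| Regexp.new(re) }
    @paths   = Array(options.dig('mounts', 'generic'))   # assumed name for the path list
    @field   = options['default_field']
    ssl_verify = options.fetch('ssl_verify', true)        # verification on unless disabled
    @client  = client_class.new(store, ssl_verify: ssl_verify)
  end

  # Returns the secret for `key` or NOT_FOUND. `vars` stands in for Hiera's
  # interpolation context (e.g. ::trusted.certname used in the path list).
  def lookup_key(key, vars = {})
    # confine_to_keys: a key matching none of the regexes never reaches Vault
    return NOT_FOUND unless @confine.empty? || @confine.any? { |re| re.match?(key) }

    @paths.each do |raw_path|
      secret = @client.read(File.join(interpolate(raw_path, vars), key))
      next if secret.nil?
      data = secret.data
      # default_field: return just that field when present, else the whole hash (assumed)
      return data[@field] if @field && data.key?(@field)
      return data
    end
    NOT_FOUND
  end

  private

  # A token value naming a readable file is replaced by that file's contents,
  # so hiera.yaml does not have to carry the token itself.
  def resolve_token(value)
    return nil if value.nil?
    File.file?(value) ? File.read(value).strip : value
  end

  def interpolate(path, vars)
    path.gsub(/%\{([^}]+)\}/) { vars.fetch(Regexp.last_match(1)) }
  end
end

# Worked run on constructed data: the per-node path shadows the common one, a
# key outside confine_to_keys never touches Vault, and the token comes from a file.
def demo
  token_file = Tempfile.new('vault-token')
  token_file.write("s.constructed-token\n")
  token_file.flush
  store = {
    'secret/puppet/web01.example.com/db_password' => { 'value' => 'node-only' },
    'secret/puppet/common/db_password'            => { 'value' => 'shared' },
    'secret/puppet/common/vault_tls_bundle'       => { 'cert' => 'PEM', 'key' => 'PEM' },
  }
  options = {
    'address' => 'https://vault.example.com:8200',
    'token' => token_file.path,
    'confine_to_keys' => ['^vault_.*', '^.*_password$', '^password.*'],
    'default_field' => 'value',
    'mounts' => { 'generic' => ['secret/puppet/%{::trusted.certname}/', 'secret/puppet/common/'] },
  }
  lookup = HieraVaultLookup.new(options, store: store)
  vars = { '::trusted.certname' => 'web01.example.com' }
  {
    token: lookup.token,
    db_password: lookup.lookup_key('db_password', vars),      # "node-only"
    tls_bundle: lookup.lookup_key('vault_tls_bundle', vars),  # whole hash: no `value` field
    unconfined: lookup.lookup_key('apache::port', vars),      # NOT_FOUND, no Vault read
    missing: lookup.lookup_key('missing_password', vars),     # NOT_FOUND after both paths
    reads: lookup.client.reads,                               # 5 paths in total
  }
ensure
  token_file&.close!
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The read log is the part worth watching in a real deployment: every key that passes confine_to_keys produces one Vault read per configured path until a hit, and each of those reads lands in Vault's audit log with the key name in the path, which is why the regex list should be as narrow as the key naming scheme allows.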


  • Original - David Alden dave@alden.name
  • Transferred to and maintained by Peter Souter