A hiera backend for access to secrets being stored in HashiCorp Vault
Latest commit 343d3e8 Dec 16, 2018


hiera_vault : a vault data provider function (backend) for Hiera 5

Description

This is a backend function for Hiera 5 that allows lookups to be sourced from HashiCorp's Vault.

Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Vault presents a unified API to access multiple backends: HSMs, AWS IAM, SQL databases, raw key/value, and more.

Compatibility

  • This module is only compatible with Hiera 5 (ships with Puppet 4.9+) and Vault KV engine version 1

Requirements

The vault gem must be installed and loadable from Puppet:

# /opt/puppetlabs/puppet/bin/gem install vault
# puppetserver gem install vault

Installation

The data provider is available by installing the petems/hiera_vault module into your environment.

Currently you will have to clone the module into your code environment:

git clone https://github.com/petems/hiera-vault /etc/puppetlabs/code/environments/production/modules/hiera_vault

Or add it to your Puppetfile:

mod 'hiera_vault',
  :git => 'https://github.com/petems/hiera-vault'

This will eventually be on the forge, and installable with the module command:

# puppet module install petems/hiera_vault

Configuration

See The official Puppet documentation for more details on configuring Hiera 5.

The following is an example Hiera 5 hiera.yaml configuration for use with hiera-vault. Note that it sets ssl_verify: false, which disables verification of the Vault server's TLS certificate; that is only appropriate for testing against a Vault without a trusted certificate, so leave it at the default of true otherwise.

---
version: 5
hierarchy:
  - name: "Hiera-vault lookup"
    lookup_key: hiera_vault
    options:
      confine_to_keys:
        - '^vault_.*'
        - '^.*_password$'
        - '^password.*'
      ssl_verify: false
      address: https://vault.foobar.com:8200
      token: <insert-your-vault-token-here>
      default_field: value
      mounts:
        generic:
          - secret/puppet/%{::trusted.certname}/
          - secret/puppet/common/

The following mandatory Hiera 5 options must be set for each level of the hierarchy.

name: A human-readable name for the lookup

lookup_key: This option must be set to hiera_vault

The following are optional configuration parameters supported in the options hash of the Hiera 5 config:

address: The address of the Vault server, also read as ENV["VAULT_ADDR"]

token: The token to authenticate with Vault, also read as ENV["VAULT_TOKEN"] or a full path to the file with the token

confine_to_keys: Only use this backend if the key matches one of the regexes in the array, e.g.:

  confine_to_keys:
    - "application.*"
    - "apache::.*"

ssl_verify: Specify whether to verify SSL certificates (default: true)
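To make the configuration above concrete, here is an added example (not the hiera_vault module's own code) that models how a Hiera 5 lookup_key backend configured with confine_to_keys, mounts and default_field would resolve a key. It assumes three things the README implies but does not spell out: a key outside confine_to_keys is ignored, each mount path is interpolated and the key appended to form a Vault KV v1 path that is tried in order, and when the secret contains the field named by default_field only that field is returned (otherwise the whole hash). The Vault client is a constructed in-memory stand-in for the vault gem's logical read so the example runs offline; the secret paths and values are constructed too.

```ruby
# Added example: a simplified model of hiera_vault-style key resolution.
# Not the module's own code; see the lead-in for the assumptions it makes.

# Constructed stand-in for the Vault KV v1 engine: path => secret data.
FAKE_VAULT = {
  'secret/puppet/web01.example.com/vault_db_password' => { 'value' => 'per-node-pw' },
  'secret/puppet/common/vault_db_password'            => { 'value' => 'shared-pw' },
  'secret/puppet/common/vault_tls_cert'               => { 'cert' => '---CERT---', 'key' => '---KEY---' },
}.freeze

# Mimics the object the vault gem returns from a logical read: it responds to #data.
Secret = Struct.new(:data)

# Constructed stand-in for Vault::Client#logical; returns nil for a missing path,
# as the real client does for a 404.
class FakeLogical
  def read(path)
    data = FAKE_VAULT[path]
    data && Secret.new(data)
  end
end

# The options hash as it would arrive from the hiera.yaml shown above.
OPTIONS = {
  'confine_to_keys' => ['^vault_.*', '^.*_password$', '^password.*'],
  'default_field'   => 'value',
  'mounts'          => { 'generic' => ['secret/puppet/%{::trusted.certname}/',
                                       'secret/puppet/common/'] },
}.freeze

# Interpolate %{::trusted.certname}-style tokens from a context hash. This is an
# assumed, minimal interpolation; the real backend relies on Hiera's own.
def interpolate(path, context)
  path.gsub(/%\{(::)?([\w.]+)\}/) { context.fetch(Regexp.last_match(2)) { '' } }
end

# True when the key matches at least one confine_to_keys regex.
def confined?(key, options)
  options.fetch('confine_to_keys', []).any? { |re| Regexp.new(re).match?(key) }
end

# Returns [value, path] for the first mount that holds the key, or [nil, nil]
# when the key is outside confine_to_keys or no mount has it.
def hiera_vault_lookup(key, options, context, logical)
  return [nil, nil] unless confined?(key, options)

  field = options['default_field']
  options.fetch('mounts', {}).each_value do |paths|
    paths.each do |mount|
      path = interpolate(mount, context) + key
      secret = logical.read(path)
      next unless secret

      data = secret.data
      # Return just the default field when present, otherwise the whole hash.
      value = field && data.key?(field) ? data[field] : data
      return [value, path]
    end
  end
  [nil, nil]
end

if $PROGRAM_NAME == __FILE__
  ctx = { 'trusted.certname' => 'web01.example.com' }
  %w[vault_db_password vault_tls_cert ntp_servers].each do |k|
    value, path = hiera_vault_lookup(k, OPTIONS, ctx, FakeLogical.new)
    puts "#{k}: #{value.inspect} (from #{path.inspect})"
  end
end
```

Running it shows the per-node mount shadowing the common one for vault_db_password, the whole hash coming back for vault_tls_cert because it has no value field, and ntp_servers never reaching Vault at all because it fails the confine_to_keys check.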

Author

  • Original - David Alden dave@alden.name
  • Transferred to and maintained by Peter Souter