petems / petems-hiera_vault

A hiera backend for access to secrets being stored in HashiCorp Vault
Apache License 2.0

Setting token: 'ENV["VAULT_TOKEN"]' doesn't work #51

Closed tenajsystems closed 4 years ago

tenajsystems commented 4 years ago

@petems How is the ENV["VAULT_TOKEN"] supposed to be set? I have exported the token as export VAULT_TOKEN=<token_here> and in my hiera.yaml file, I have token: 'ENV["VAULT_TOKEN"]', but when I run puppet, it fails to look up the key in Vault. Setting token: '/path/to/token' works, however.

Any thoughts on why setting token: 'ENV["VAULT_TOKEN"]' doesn't work? Or am I doing something wrong?

petems commented 4 years ago

It has to be set within the context of the Puppetserver run as an environment variable, not hiera.

So this could be done as export VAULT_TOKEN=abc in either

Or in the Environment/EnvironmentFile setting in the Puppetserver systemd unit file.

tenajsystems commented 4 years ago

Thank you for the quick response.

I am using Ubuntu and on Puppet Enterprise. I went into /etc/default/pe-puppetserver and added export VAULT_TOKEN=<token here>. Do I need to set a value in the token field like in the hiera sample below? As in, where do I set ENV["VAULT_TOKEN"]? I am sure I am missing something but not sure what I am doing wrong.

---

version: 5

hierarchy:
  - name: "Hiera-vault lookup"
    lookup_key: hiera_vault
    options:
      confine_to_keys:
        - '^vault_.*'
        - '^.*_password$'
        - '^password.*'
      ssl_verify: false
      address: https://vault.foobar.com:8200
      token: 'ENV["VAULT_TOKEN"]'
      default_field: value
      mounts:
        some_secret:
          # interpolations must be quoted: a bare '%' cannot start a YAML scalar
          - "%{::trusted.certname}"
          - common
        another_secret:
          - "%{::trusted.certname}"
          - common

petems commented 4 years ago

Remove the token field completely from the config, it will look for the environment value automatically:

---

version: 5

hierarchy:
  - name: "Hiera-vault lookup"
    lookup_key: hiera_vault
    options:
      confine_to_keys:
        - '^vault_.*'
        - '^.*_password$'
        - '^password.*'
      ssl_verify: false
      address: https://vault.foobar.com:8200
      default_field: value
      mounts:
        some_secret:
          # interpolations must be quoted: a bare '%' cannot start a YAML scalar
          - "%{::trusted.certname}"
          - common
        another_secret:
          - "%{::trusted.certname}"
          - common

tenajsystems commented 4 years ago

When I remove the token field completely and then run puppet agent -t I get the below error:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, [hiera-vault] no token set in options and no token in VAULT_TOKEN

petems commented 4 years ago

Ok, looks like you're right: for Puppetserver the variable has to be set in the /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf file.

I did a quick test now and it worked for me:

https://puppet.com/docs/puppetserver/latest/config_file_puppetserver.html

environment-vars: { "VAULT_TOKEN" : ${VAULT_TOKEN} }

This will mean that it will use the value from the exported environmental setting within the JRuby run:

[root@puppet vagrant]# cat /etc/sysconfig/puppetserver | grep TOKEN
VAULT_TOKEN=s.2NwgupDg5BRSBEy4Gya3kkFR
[root@puppet vagrant]# cat /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf | grep TOKEN
    environment-vars: { "VAULT_TOKEN" : ${VAULT_TOKEN} }
[root@puppet vagrant]# cat token.rb
puts "Vault token is #{ENV['VAULT_TOKEN']}}"
[root@puppet vagrant]# puppetserver ruby token.rb
Vault token is s.2NwgupDg5BRSBEy4Gya3kkFR}

You'll need to restart the puppet and puppetserver processes after making the changes also.
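The resolution order the thread is circling around (a `token` option that is either a file path or a literal, falling back to the `VAULT_TOKEN` environment variable, and the error quoted above when neither is present), written out as an added illustration. This is not hiera_vault's own code; the function names, the file-or-literal handling of the `token` option and the sample values are assumptions made for the example.

```ruby
# Added example (not hiera_vault's own code): how a Vault token is resolved
# for a hiera backend that accepts an optional 'token' option and otherwise
# falls back to the VAULT_TOKEN environment variable. Function names and the
# treatment of 'token' as either a file path or a literal are assumptions.

# Error text matches the message quoted in the thread.
NO_TOKEN_MSG = '[hiera-vault] no token set in options and no token in VAULT_TOKEN'.freeze

# options: the hiera.yaml 'options' hash; env: an environment hash (ENV by default).
def resolve_vault_token(options, env = ENV)
  if options.key?('token')
    raw = options['token'].to_s
    # A value that names a readable file is treated as a token file.
    return File.read(raw).strip if File.file?(raw)
    # Anything else is used verbatim: YAML does NOT interpolate the string
    # 'ENV["VAULT_TOKEN"]', so it would be sent to Vault as the literal token.
    return raw unless raw.empty?
  end
  # No usable option: the environment of the *Puppetserver JRuby* process is
  # consulted, which is why the variable must reach it via environment-vars.
  token = env['VAULT_TOKEN'].to_s.strip
  raise NO_TOKEN_MSG if token.empty?
  token
end

# Report where a token came from; handy when a lookup fails unexpectedly.
def token_source(options, env = ENV)
  return :file   if options.key?('token') && File.file?(options['token'].to_s)
  return :option if options.key?('token') && !options['token'].to_s.empty?
  return :env    unless env['VAULT_TOKEN'].to_s.strip.empty?
  :none
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs mirroring the three situations in the thread.
  literal = { 'token' => 'ENV["VAULT_TOKEN"]' }
  puts token_source(literal, {})            # :option -- the literal string, not the env value
  puts resolve_vault_token({}, { 'VAULT_TOKEN' => 'constructed-token' })
  begin
    resolve_vault_token({}, {})             # JRuby process without environment-vars
  rescue RuntimeError => e
    puts e.message
  end
end
```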

tenajsystems commented 4 years ago

So I have set export VAULT_TOKEN=<token_here> in /etc/default/pe-puppetserver and also set environment-vars: { "VAULT_TOKEN" : ${VAULT_TOKEN} } in /etc/puppetlabs/puppetserver/conf.d/pe-puppet-server.conf. Restarted puppet server and puppet but I keep getting the error below:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, [hiera-vault] no token set in options and no token in VAULT_TOKEN

petems commented 4 years ago

Can you run this test for me:

$ cat /etc/sysconfig/pe-puppetserver | grep TOKEN
$ cat /etc/puppetlabs/puppetserver/conf.d/pe-puppetserver.conf | grep TOKEN
$ echo 'puts "Vault token is #{ENV['VAULT_TOKEN']}}"' > token.rb
$ pe-puppetserver ruby token.rb
$ pe-puppetserver version

tenajsystems commented 4 years ago

Below are the outputs based on the commands you wanted me to run. Please note that setting environment-vars: { "VAULT_TOKEN" : ${VAULT_TOKEN} } in /etc/puppetlabs/puppetserver/conf.d/pe-puppet-server.conf causes the puppet server to fail to start, and each time puppet runs, it fails.

$ cat /etc/default/pe-puppetserver | grep TOKEN
export export VAULT_TOKEN=<token_here>

$ cat /etc/puppetlabs/puppetserver/conf.d/pe-puppet-server.conf | grep TOKEN
environment-vars: { "VAULT_TOKEN" : ${VAULT_TOKEN} }

$ echo 'puts "Vault token is #{ENV['VAULT_TOKEN']}}"' > token.rb (no output)

$  puppetserver ruby token.rb
NameError: uninitialized constant VAULT_TOKEN
  const_missing at org/jruby/RubyModule.java:3748
         <main> at token.rb:1
$ puppetserver version
puppetserver: 'version' is not a puppetserver command. See 'puppetserver --help'.

$ pe-puppetserver version
pe-puppetserver: command not found

Let me know if there is anything else that you would like for me to try. Thanks!

kosfar commented 4 years ago

@tenajsystems I think you have a double export command in your /etc/default/pe-puppetserver, which could be the cause of the puppetserver start failure. There is also a quote-escaping trap in the echo command posted above. This simplifies things a bit:

echo "puts \"Vault token is #{ENV['VAULT_TOKEN']}\"" > token.rb

Btw adding the environment-vars map in /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf worked for me too for Puppetserver 5.3.

tenajsystems commented 4 years ago

Thank you. I decided to just have the token in a text file.