puppetlabs-vault's Introduction

Bolt Vault plugin

This module provides a plugin which allows config values to be set by accessing secrets from a Key/Value engine on a Vault server.

Table of Contents

  1. Requirements
  2. Usage
  3. Examples

Requirements

You will need to have a Vault server running, and a way to authenticate with the server.

Usage

The Vault plugin supports several options:

  • server_url: The URL of the Vault server (optional, defaults to ENV['VAULT_ADDR'])
  • auth: The method for authorizing with the Vault server and any necessary parameters (optional, defaults to ENV['VAULT_TOKEN'])
  • path: The path to the secrets engine (required)
  • field: The specific secret being used (optional, defaults to a Ruby hash of all secrets at the path)
  • version: The version of the K/V engine (optional, defaults to 1)
  • cacert: Path to the CA certificate (optional, required if using TLS)

Authentication Methods

Vault requires a token to assign an identity and a set of policies to a user before that user can access secrets. The Vault plugin offers two authentication methods:

Token

Authenticate using a token. This method requires the following fields:

  • method: The value of method must be token
  • token: The token to authenticate with

Userpass

Request a token by logging into the Vault server with a username and password. This method requires the following fields:

  • method: The value of method must be userpass
  • user: The username
  • pass: The password

Examples

You can add any Vault plugin field to the inventory configuration. The following example shows how you would access the private-key secret on a KVv2 engine mounted at secrets/bolt:

version: 2
targets:
  - ...
config:
  ssh:
    user: root
    private-key:
      key-data:
        _plugin: vault
        server_url: http://127.0.0.1:8200
        auth:
          method: userpass
          user: bolt
          pass: bolt
        path: secrets/bolt
        field: private-key
        version: 2

You can also set configuration in your Bolt config file under the plugins field. If a field is set in both the inventory file and the config file, Bolt will use the value set in the inventory file. The available fields for the config file are:

  • server_url
  • cacert
  • auth

plugins:
  vault:
    server_url: https://127.0.0.1:8200
    cacert: /path/to/ca
    auth:
      method: token
      token: xxxxx-xxxxx
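As an added example (not code from the puppetlabs-vault module), the following Ruby sketch walks through what a `_plugin: vault` reference has to do: merge the inventory fields over the `plugins.vault` defaults from the Bolt config file, turn the `auth` block into a token (used directly for `method: token`, obtained from the userpass login endpoint for `method: userpass`), and read the KV path in the shape the engine version expects. It assumes a constructed in-memory stand-in for the Vault HTTP API and that the KV mount is the first segment of `path`, so with `version: 2` the path `secrets/bolt` is read at `/v1/secrets/data/bolt`.

```ruby
require 'json'

# Constructed stand-in for a Vault server: "METHOD path" => JSON body. A KV v2
# read goes to mount/data/secret and nests the secret under data.data; a KV v1
# read uses the path as-is and returns the secret directly under data.
FAKE_VAULT = {
  'POST /v1/auth/userpass/login/bolt' =>
    { 'auth' => { 'client_token' => 's.constructed-userpass-token' } },
  'GET /v1/secrets/data/bolt' =>
    { 'data' => { 'data' => { 'private-key' => 'constructed-v2-key', 'user' => 'root' },
                  'metadata' => { 'version' => 3 } } },
  'GET /v1/legacy/bolt' => { 'data' => { 'private-key' => 'constructed-v1-key' } }
}.freeze

def fake_http(method, path, token: nil)
  # Vault rejects secret reads that carry no token; login endpoints need none.
  raise 'HTTP 403: missing X-Vault-Token' if token.nil? && path !~ %r{\A/v1/auth/}
  JSON.generate(FAKE_VAULT.fetch("#{method} #{path}") { raise "HTTP 404: #{path}" })
end

# Turn the plugin's `auth` hash into a token: `token` is used directly,
# `userpass` is exchanged for one via the userpass login endpoint.
def obtain_token(auth)
  case auth['method']
  when 'token' then auth.fetch('token')
  when 'userpass'
    resp = fake_http('POST', "/v1/auth/userpass/login/#{auth.fetch('user')}")
    JSON.parse(resp).dig('auth', 'client_token')
  else raise ArgumentError, "unsupported auth method: #{auth['method'].inspect}"
  end
end

# Assumption: the KV mount is the first segment of `path`, so for version 2
# "secrets/bolt" is read at /v1/secrets/data/bolt.
def kv_read_path(path, version)
  return "/v1/#{path}" if version == 1
  mount, *rest = path.split('/')
  "/v1/#{mount}/data/#{rest.join('/')}"
end

# Resolve one `_plugin: vault` reference. Inventory fields win over the
# `plugins.vault` defaults from the Bolt config file.
def resolve(inventory_opts, config_defaults = {})
  opts = config_defaults.merge(inventory_opts)
  version = opts.fetch('version', 1)
  token = obtain_token(opts.fetch('auth'))
  body = JSON.parse(fake_http('GET', kv_read_path(opts.fetch('path'), version), token: token))
  data = version == 2 ? body.dig('data', 'data') : body['data']
  opts['field'] ? data.fetch(opts['field']) : data
end
```

Leaving `field` unset returns the whole hash of secrets at the path, which is why the README describes that default as a Ruby hash; the `version` option decides both the request path and where the secret sits in the response.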

puppetlabs-vault's Issues

Retrieve from cubbyhole

Use Case

Sometimes, logins are not done through a generic account but through a personal account with sudo capability.
Specifying the sudo-password as clear text inside the Bolt inventory file is not recommended.
Moreover the personal account password should not be shared in Vault and so resides in the cubbyhole.

Describe the Solution You Would Like

Using a configuration like the following would be interesting.

version: 2
targets:
  - ...
config:
  transport: ssh
  ssh:
     user:
        _plugin: vault
        path: cubbyhole/admin_account
        field: user
     password:
        _plugin: vault
        path: cubbyhole/admin_account
        field: password

     run-as: root
     sudo-password:
        _plugin: vault
        path: cubbyhole/admin_account
        field: password

It looks like the standard KV engine but may require a parameter specifying the kind of secret engine used.

Alternative

As an alternative, a user-specific path in a KV may be used along with ACL templating.
