Hi Lindsey and Thomas,

Thanks for your documentation - I'm having some problems getting the client lookup to work.

I have the Puppetserver CA set up in Vault, and the Vault server's Puppet certificate and private key configured. I have added the Puppetserver CA to the trusted roots, per: https://github.com/hashicorp/vault/issues/438

I have configured Vault ('auth enable cert', 'vault write auth/cert/certs/puppetserver...') successfully (or so it seems) and Vault is unlocked.

Now I can get a test lookup to work using this curl command:

    curl -X GET -H "X-Vault-Token:$VAULT_TOKEN" https://vault1.domain.com:8200/v1/secret/test

But configuring via Puppet code, I get:

    Error: Failed to apply catalog: Received 403 response code from vault at vault1.domain.com for secret lookup (api errors: ["1 error occurred:\n\t* permission denied\n\n"])

Any ideas what I'm missing?

On Saturday, October 13, 2018 at 2:20:02 AM UTC+11, Lindsey Smith wrote:
> On Wed, Oct 10, 2018 at 5:28 AM Thomas Müller <[email protected]> wrote:
>> On Tuesday, 9 October 2018 14:12:39 UTC+2, comport3 wrote:
>>> Mentioned in the Puppet 6 release notes is the ability for a client to
>>> look up secret data from Vault.
>>>
>>> Is there any more info on how to implement this?
>>>
>>> I have done extensive work on POC environments that use Vault as a top
>>> level in the hierarchy and mark the secrets as 'sensitive' so they do not
>>> appear in logs and reports, but do not want to continue deploying this
>>> methodology if it's not the way the technology is headed.
>>>
>>> https://github.com/comport3/puppet5-hiera-vault-poc
>>
>> From https://puppet.com/docs/puppet/6.0/using_a_deferred_function.html :
>>
>>> The Forge already hosts some community modules that provide integrations
>>> with secret stores, like the following:
>>>
>>> - Azure Key Vault: works on both the master and the server
>>> - Cyberark Conjur: works on the master
>>> - Cyberark AIM: works on the agent
>>> - Hashicorp Vault: works on the agent
>>> - AWS Secrets Manager: works on the agent
>>
>> but it does not directly link the modules.
>
> Apologies for not updating the docs in the last couple of days. The
> agent-side Vault integration lives here:
> https://github.com/voxpupuli/puppet-vault_lookup (coming soon to the Forge)
>
> See also the related blog post:
> https://puppet.com/blog/secret-agents-man-secrets-store-integrations-puppet-6

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/4a4441b7-503b-49dd-a3e6-7b982f4fc3c4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
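As an added example (not code from the thread or from the puppet-vault_lookup module), here is how the agent-side lookup is wired in Puppet code, with the Vault-side policy that the cert role needs described in the comments. The Vault address vault1.domain.com:8200 and the path secret/test come from the post above; the node name, the policy name puppet-agents, and the assumption that secret/test is a KV v1 secret holding a key named password are mine.

```puppet
# Added example, not from the thread. Assumed: node web01.domain.com,
# a Vault policy named puppet-agents, and that secret/test (KV v1) holds
# a key named "password". vault1.domain.com:8200 and secret/test are the
# values from the post.
#
# How the agent side is authorized: vault_lookup::lookup logs the agent in
# at auth/cert/login with the agent's own Puppet certificate, and the token
# Vault hands back carries only the policies bound to the cert role
# (the one written to auth/cert/certs/puppetserver). That role needs a
# policy allowing "read" on the path, e.g. (HCL):
#
#   path "secret/test" { capabilities = ["read"] }
#
# loaded with `vault policy write puppet-agents puppet-agents.hcl` and
# attached via `policies=puppet-agents` on the cert role. A token obtained
# some other way (such as the one in $VAULT_TOKEN used with curl) never
# goes through that role, so a working curl test does not show what the
# agent's cert-login token is permitted to read.

node 'web01.domain.com' {
  # Deferred() postpones the call to the agent at catalog-apply time, so
  # the master never sees the secret and it is not stored in the catalog.
  $db_secret = Deferred('vault_lookup::lookup', [
    'secret/test',
    'https://vault1.domain.com:8200',
  ])

  # The lookup returns a Sensitive-wrapped hash of the secret's data.
  # The nested Deferred is resolved first on the agent, and the value is
  # unwrapped only inside the template, so it stays redacted in logs and
  # reports; show_diff => false keeps it out of file-change diffs too.
  file { '/etc/app/db.conf':
    ensure    => file,
    owner     => 'root',
    group     => 'root',
    mode      => '0600',
    show_diff => false,
    content   => Deferred('inline_epp', [
      "<% \$data = \$secret.unwrap %>password=<%= \$data['password'] %>\n",
      { 'secret' => $db_secret },
    ]),
  }
}
```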
