Have you looked at / considered using Puppet's client cert to authenticate to Vault and generate a token?
With recent releases of Vault the issue with getting cert metadata exposed has been fixed, so you can write policies based on trusted facts/cert extensions.

On Thu, May 25, 2023 at 08:03 '[email protected]' via Puppet Users <[email protected]> wrote:

> Thanks, I added to /etc/sysconfig/puppet and it looks like the agent service is up.
> However, I ran into another issue.
>
> I need to pass vault_token to my epp, where I am going to use it.
>
> So I have
>
> # vault_path and vault_my_key together should look like auth/puppet/MY_KEY
> # (double quotes so both variables are interpolated into one path)
> $variables = {
>   'my_key' => Deferred('vault_lookup::lookup',
>     ["${vault_path}${vault_my_key}"]),
> }
>
> and then how should I add this value to epp?
>
> content => epp('cmd/some.epp', { 'param1' => $param1, 'my_key' =>
>   Deferred('inline_epp', ['<%= $my_key.unwrap %>', $variables])}),
>
> However that gives me an error when I run puppet agent -t:
> my_key, expects a string value.
>
> What should be the correct way to pass this key to my epp?
>
> On Wednesday, May 24, 2023 at 4:27:23 PM UTC-4 Ben Ford wrote:
>
>> Deferred functions run on the agent. The Vault connection will be made
>> from the agent. Therefore, if you configure Vault using environment
>> variables, you'll want to do so from the agent. If you're using systemd,
>> you should be able to configure those in the .service file as you suggest.
>>
>> On May 24, 2023, at 12:13 PM, '[email protected]' via Puppet Users <[email protected]> wrote:
>>
>> Hello,
>>
>> I have vault set up using role and secret id.
>> I downloaded the puppetlabs-vault module and saw the code snippet with that
>> module: https://www.puppet.com/integrations/vault-by-hashicorp
>>
>> With the vault_lookup::lookup deferred method, I don't want to pass my role
>> and secret, so the other option is to set them as environment variables. The question is, do
>> I need to set that up on the puppet server or the puppet agent? Where may be the
>> best place to set that up? If it is on the puppet server, can I set that up in,
>> say, the puppet.service file? If on the agent, where may be the right place to set
>> that up?
>>
>> Thanks
>>
>> S
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/4792f478-c0a9-4b3c-b51e-eef9bc107f0dn%40googlegroups.com.

--
Aaron Russo (He/Him/His)
PIXAR | Network & Server Admins (NSA) | Senior Systems Engineer
[email protected]
nsa-team.pixar.com (internal-only)
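One way to do what the thread discusses, as an added example rather than code from the thread or from puppetlabs-vault: the lookup authenticates with the agent's own client certificate (the module's default cert auth method, so no role/secret id environment variables need to live on the agent), and the whole template render is deferred so that a server-side epp() call never receives an unresolved Deferred value. The class name, file path and parameters are assumed, as is a Vault cert auth mount that trusts the Puppet CA and grants read access on the secret path.

```puppet
# Added example, not code from the thread or from puppetlabs-vault.
# Assumptions: puppetlabs-vault is installed and VAULT_ADDR is set in the
# agent's environment; Vault has a cert auth mount trusting the Puppet CA
# whose policy (which may key off the cert's trusted-fact extensions)
# allows reading the auth/puppet/MY_KEY-style path below.
class profile::vault_secret (              # hypothetical class name
  String $vault_path   = 'auth/puppet/',   # hypothetical defaults
  String $vault_my_key = 'MY_KEY',
  String $param1       = 'example',
) {
  # Double quotes so both variables are interpolated into one Vault path.
  $secret_path = "${vault_path}${vault_my_key}"

  # The lookup is Deferred: it runs on the agent while the catalog is
  # applied, authenticating with the agent's client cert (cert auth), so the
  # secret never passes through the server or the stored catalog.
  $variables = {
    'param1' => $param1,
    'my_key' => Deferred('vault_lookup::lookup', [$secret_path]),
  }

  # Non-interpolating heredoc: the <%= %> tags are left for EPP to evaluate.
  # The template only unwraps the Sensitive value at render time on the agent.
  $template = @(EPP)
    param1=<%= $param1 %>
    my_key=<%= $my_key.unwrap %>
    | EPP

  # Defer the whole render. By the time inline_epp runs on the agent, every
  # Deferred entry in $variables has been resolved. Handing the Deferred to a
  # server-side epp() instead fails with "expects a String value", because
  # the value is not yet resolved when epp() is evaluated on the server.
  file { '/etc/app/some.conf':             # hypothetical target path
    ensure    => file,
    owner     => 'root',
    group     => 'root',
    mode      => '0600',
    show_diff => false,                    # keep the secret out of reports/logs
    content   => Deferred('inline_epp', [$template, $variables]),
  }
}
```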
