If you're referring to hiera-eyaml-vault
<https://github.com/crayfishx/hiera-eyaml-vault>, that's not pulling
secrets out of Vault -- it's using the transit encryption provider in place
of gpg keys and storing those in yaml. It's a neat approach but not what
I'm looking for.

There is petems-hiera_vault
<https://github.com/petems/petems-hiera_vault> which
is close -- it retrieves secrets straight from Vault, but the puppet server
is doing the retrieving, which means that the server needs privileged access
to all the secrets in Vault that agents would need.

vault_lookup <https://github.com/voxpupuli/puppet-vault_lookup> uses
Deferred functions to have the agent authenticate and retrieve secrets from
Vault, which lets me assign a policy based on the host, so it can only see
the secrets it needs. It works great! I simply want that functionality in
hiera.

What I've done is similar to petems-hiera_vault except I return a Deferred
function to perform the vault_lookup::lookup on the agent side rather than
perform the vault lookup on the server side.

Thanks,

Aaron

-- 
Aaron Russo (He/Him/His)
PIXAR | Senior Systems Engineer


On Tue, Nov 1, 2022 at 11:34 PM 'Dirk Heinrichs' via Puppet Users <
puppet-users@googlegroups.com> wrote:

> On Friday, 21.10.2022 at 11:49 -0700, Aaron Russo wrote:
>
> However it feels like an anti-pattern by forcing lookups into our
> manifests when we want to keep that in Hiera. I found a previous related
> thread[2] where Henrik suggested writing a custom backend for Hiera and
> return a Deferred.
>
>
> hiera-eyaml has a plugin for retrieving secrets from Vault. Did you try
> that?
>
> HTH...
>
> Dirk
>
> --
>
> *Dirk Heinrichs*
> Senior Systems Engineer, Delivery Pipeline
> OpenText ™ Discovery | Recommind
> *Phone*: +49 2226 15966 18
> *Email*: dhein...@opentext.com
> *Website*: www.recommind.de
> Recommind GmbH, Von-Liebig-Straße 1, 53359 Rheinbach
> Authorized managing directors Gordon Davies, Madhu Ranganathan,
> Christian Waida, registration court Amtsgericht Bonn, registration number HRB 10646
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/7897bf9d6301f9bad84d762de8a0e7d35dfd2572.camel%40opentext.com
> <https://groups.google.com/d/msgid/puppet-users/7897bf9d6301f9bad84d762de8a0e7d35dfd2572.camel%40opentext.com?utm_medium=email&utm_source=footer>
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAA4bxV4Ajn8W%3D4fhAa-TAOAhLjz%2B0K1jO6QNYuETGXuxHSZvfQ%40mail.gmail.com.
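The approach Aaron describes above (a custom Hiera backend that returns a Deferred instead of reading Vault on the server) as an added example, not code from this thread, from petems-hiera_vault or from puppet-vault_lookup. The module and function name `vault_deferred` and the `prefix`/`vault_url` options are hypothetical; it assumes Puppet 6 or later (for Deferred), puppet-vault_lookup installed on the agents, and `vault_lookup::lookup` taking the Vault path and an optional Vault URL as positional arguments, as that module's README showed at the time.

```puppet
# Added example: Hiera 5 lookup_key backend (Puppet language) that defers the
# Vault read to the agent. Names "vault_deferred", "prefix" and "vault_url"
# are hypothetical.
#
# hiera.yaml (hypothetical hierarchy level that enables the backend):
#
#   version: 5
#   hierarchy:
#     - name: "Vault secrets, resolved on the agent"
#       lookup_key: vault_deferred::lookup_key
#       options:
#         prefix: 'vault::'                             # keys like vault::secret/app/db
#         vault_url: 'https://vault.example.com:8200'   # hypothetical address
#     - name: "Common"
#       path: common.yaml
#
# File: <modulepath>/vault_deferred/functions/lookup_key.pp
function vault_deferred::lookup_key(
  Variant[String, Numeric] $key,
  Hash                      $options,
  Puppet::LookupContext     $context,
) >> Any {
  $prefix = $options['prefix']
  if $prefix =~ Undef or $prefix == '' {
    fail('vault_deferred::lookup_key: the "prefix" option must be set in hiera.yaml')
  }

  # Serve only keys under the prefix; everything else falls through to the
  # next hierarchy level (not_found throws, so nothing below it runs).
  if $key !~ String or $key[0, $prefix.length] != $prefix {
    $context.not_found
  }

  # 'vault::secret/app/db' -> 'secret/app/db'
  $path = $key[$prefix.length, $key.length - $prefix.length]
  if $path == '' {
    $context.not_found
  }

  # Pass the Vault URL only when configured, so vault_lookup's own default applies otherwise.
  $args = $options['vault_url'] ? {
    undef   => [$path],
    default => [$path, $options['vault_url']],
  }

  # The catalog carries this Deferred, not the secret. The agent authenticates
  # to Vault with its own identity and policy when it applies the catalog, so
  # the server needs no Vault token and each host can read only what its
  # Vault policy allows.
  Deferred('vault_lookup::lookup', $args)
}
```

In a profile, `lookup('vault::secret/app/db')` then yields the Deferred rather than the secret. It is resolved only when the agent applies the catalog, so it can be handed to a resource attribute (a file's `content`, for example) but cannot drive server-side `if`/`case` logic, and the value the agent receives is whatever `vault_lookup::lookup` returns (a `Sensitive` wrapper around the secret data), which the consuming resource must unwrap.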
