Thanks

Do you have documentation for that? I am using enterprise Vault and my 
agents are behind a firewall, so agent certs will not be trusted by Vault. 
Not sure if this will work, but I can see if this is feasible.

-S

On Thursday, May 25, 2023 at 11:09:09 AM UTC-4 aru...@pixar.com wrote:

> Have you looked at / considered using Puppet’s client cert to authenticate 
> to Vault to authenticate and generate a token?
>
> With recent releases of Vault the issue with getting cert metadata exposed 
> has been fixed, so you can write policies based on trusted facts/cert 
> extensions.
>
> On Thu, May 25, 2023 at 08:03 'sli...@verizon.net' via Puppet Users <
> puppet...@googlegroups.com> wrote:
>
>> Thanks, I added it to /etc/sysconfig/puppet and it looks like the agent service is 
>> up.
>> However, I ran into another issue.
>>
>> I need to pass vault_token to my epp, where I am going to use it.
>>
>> So I have
>>
>> # vault_path is and vault_my_key should look like auth/puppet/MY_KEY
>>
>>   $variables = {
>>       'my_key' => Deferred('vault_lookup::lookup', ['$vault_path$vault_my_key']),
>>   }
>>
>> and then how should I add this value to epp?
>>
>> content  => epp('cmd/some.epp', { 'param1' => $param1, 'my_key' => Deferred('inline_epp', ['<%= $my_key.unwrap %>', $variables])}),
>>
>> However, that gives me an error when I run puppet agent -t:
>> my_key, expects a string value.
>>
>> What should be the correct way to pass this key to my epp?
>>
>> On Wednesday, May 24, 2023 at 4:27:23 PM UTC-4 Ben Ford wrote:
>>
>>> Deferred functions run on the agent. The Vault connection will be made 
>>> from the agent. Therefore, if you configure Vault using environment 
>>> variables, you'll want to do so from the agent. If you're using systemd, 
>>> you should be able to configure those in the .service file as you suggest.
>>>
>>> On May 24, 2023, at 12:13 PM, 'sli...@verizon.net' via Puppet Users <
>>> puppet...@googlegroups.com> wrote:
>>>
>>> Hello,
>>>
>>> I have Vault set up using role and secret id.
>>> I downloaded the puppetlabs-vault module and saw the code snippet with that 
>>> module: https://www.puppet.com/integrations/vault-by-hashicorp
>>>
>>> *With the vault_lookup::lookup deferred method, I don't want to pass my role 
>>> and secret, so the other option is to set them as environment variables. The question is, do 
>>> I need to set that up on the puppet server or the puppet agent? Where may be the 
>>> best place to set that up? If it is on the puppet server, can I set that up in, 
>>> say, the puppet.service file? If on the agent, where may be the right place to set 
>>> that up?*
>>>
>>> *Thanks*
>>>
>>> *S*
>>>
> -- 
>
> Aaron Russo (He/Him/His)
> PIXAR | Network & Server Admins (NSA) | Senior Systems Engineer
> aru...@pixar.com
> nsa-team.pixar.com (internal-only)
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/c81cfa7c-9880-4284-9cf7-5bcffdade8aen%40googlegroups.com.