maintainer: SaltStack
maturity: new
platform: all
Functions to interact with Hashicorp Vault.
configuration: The salt-master must be configured to allow peer-runner configuration, as well as configuration for the module. Add this segment to the master configuration file, or /etc/salt/master.d/vault.conf:

    vault:
      url: https://vault.service.domain:8200
      auth:
        method: token
        token: 11111111-2222-3333-4444-555555555555
      policies:
        - saltstack/minions
        - saltstack/minion/{minion}
        # .. more policies

Add this segment to the master configuration file, or /etc/salt/master.d/peer_run.conf:

    peer_run:
      .*:
        - vault.generate_token
salt.modules.vault.delete_secret(path)

    Delete the secret at the path in vault. The vault policy used must allow this.

    CLI Example:

        salt '*' vault.delete_secret "secret/my/secret"
salt.modules.vault.list_secrets(path)

    List secret keys at the path in vault. The vault policy used must allow this. The path should end with a trailing slash.

    CLI Example:

        salt '*' vault.list_secrets "secret/my/"
salt.modules.vault.read_secret(path, key=None)

    Return the value of key at path in vault, or the entire secret (as a mapping) when key is not given.

    Jinja Example:

        my-secret: {{ salt['vault'].read_secret('secret/my/secret', 'some-key') }}

        {% set supersecret = salt['vault'].read_secret('secret/my/secret') %}
        secrets:
          first: {{ supersecret.first }}
          second: {{ supersecret.second }}
salt.modules.vault.write_secret(path, **kwargs)

    Set the secret at the path in vault. The vault policy used must allow this.

    CLI Example:

        salt '*' vault.write_secret "secret/my/secret" user="foo" password="bar"
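The following is an added example, not code from the Salt project, that models two things this page describes: how the `policies` list in the master configuration is expanded per minion (the `{minion}` placeholder), and why each function's "the vault policy used must allow this" matters, since a token scoped to one minion's policy cannot read another minion's path. The policy bodies, the in-memory Vault stand-in and the secrets are all constructed for the example; real Vault policies are HCL and the server is reached over HTTP.

```python
import fnmatch

# Policy names exactly as listed under `policies:` in the master config above.
CONFIG_POLICIES = ["saltstack/minions", "saltstack/minion/{minion}"]

# Constructed policy bodies (real Vault policies are HCL; this keeps only the
# path-glob -> capabilities mapping that matters for the authorization check).
FULL = {"create", "update", "read", "list", "delete"}
POLICY_RULES = {
    "saltstack/minions": {"secret/common/*": {"read", "list"}},
    "saltstack/minion/web01": {"secret/minion/web01/*": FULL},
    "saltstack/minion/db01": {"secret/minion/db01/*": FULL},
}

def render_policies(minion_id):
    """Expand {minion} the way the master does before issuing a minion's token."""
    return [p.format(minion=minion_id) for p in CONFIG_POLICIES]

class FakeVault:
    """Constructed in-memory stand-in for a Vault KV store that enforces policies."""

    def __init__(self):
        self.store = {}

    def can(self, policies, path, capability):
        """True if any policy attached to the token grants capability on path."""
        return any(fnmatch.fnmatchcase(path, glob) and capability in caps
                   for name in policies
                   for glob, caps in POLICY_RULES.get(name, {}).items())

    def _check(self, policies, path, capability):
        if not self.can(policies, path, capability):
            raise PermissionError("403 permission denied: %s %s" % (capability, path))

    def read_secret(self, policies, path, key=None):
        """Like vault.read_secret: one key, or the whole secret when key is None."""
        self._check(policies, path, "read")
        data = self.store.get(path)
        return None if data is None else (data.get(key) if key is not None else dict(data))

    def write_secret(self, policies, path, **kwargs):
        self._check(policies, path, "update" if path in self.store else "create")
        self.store[path] = dict(kwargs)
        return True

    def list_secrets(self, policies, path):
        """Like vault.list_secrets: path ends with '/'; subfolders keep a trailing '/'."""
        self._check(policies, path, "list")
        rest = [p[len(path):] for p in self.store if p.startswith(path)]
        return sorted({r.split("/")[0] + ("/" if "/" in r else "") for r in rest})
```

With `render_policies("web01")` a write and read under `secret/minion/web01/` succeed, while the same token has no read capability on `secret/minion/db01/`, which is the per-minion scoping the `{minion}` placeholder is there to provide.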