Functions to interact with Hashicorp Vault.

maintainer: SaltStack
maturity: new
platform: all
If you see the following error, you'll need to upgrade requests to at least 2.4.2:

    <timestamp> [salt.pillar][CRITICAL][14337] Pillar render error: Failed to load ext_pillar vault: {'error': "request() got an unexpected keyword argument 'json'"}
The salt-master must be configured to allow peer-runner calls (see the peer_run section below), as well as with the configuration for the module itself.

Add this segment to the master configuration file, or /etc/salt/master.d/vault.conf:
    vault:
      url: https://vault.service.domain:8200
      verify: /etc/ssl/certs/ca-certificates.crt
      auth:
        method: token
        token: 11111111-2222-3333-4444-555555555555
      policies:
        - saltstack/minions
        - saltstack/minion/{minion}
        # .. more policies
url
    URL of your Vault installation. Required.

verify
    Controls TLS certificate verification for the connection to Vault (it is passed through to the requests library as its verify setting). For details please see http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification

    New in version 2018.3.0.

auth
    Currently only token auth is supported. The token must be able to create tokens with the policies that should be assigned to minions. Required.

    You can also supply the token via an OS environment variable using a configuration like the following:

    And then export the VAULT_TOKEN variable in your OS:
policies
    Policies that are assigned to minions when requesting a token. These can
    either be static, e.g. saltstack/minions, or templated, e.g.
    saltstack/minion/{minion}. {minion} is shorthand for grains[id].

    Grains are also available, for example like this:

        my-policies/{grains[os]}

    If a template contains a grain which evaluates to a list, it will be
    expanded into multiple policies. For example, given the template
    saltstack/by-role/{grains[roles]}, and a minion having these grains:

        roles:
          - web
          - database

    The minion will have the policies saltstack/by-role/web and
    saltstack/by-role/database. Note however that list members which do
    not have simple string representations, such as dictionaries or objects,
    do not work and will throw an exception. Strings and numbers are
    examples of types which work well.

    Optional. If policies is not configured, saltstack/minions and
    saltstack/{minion} are used as defaults.
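To make the policy templating concrete, here is an added example (not Salt's own code) that expands templates such as saltstack/minion/{minion} and saltstack/by-role/{grains[roles]} against a minion's grains the way the text above describes: {minion} maps to grains[id], a list-valued grain yields one policy per member, and members without a simple string form raise an exception. The function names, the constructed sample grains, the acceptance of int/float as "numbers", and the cartesian-product handling of templates with more than one list-valued field are this example's own assumptions.

```python
"""Added example (not Salt's own code): expand templated Vault policy
patterns against a minion's grains. Sample grains below are constructed."""
import itertools
import re
import string

# Shape of a grains[...] template field, e.g. "grains[roles]" -> "roles".
_GRAIN_FIELD = re.compile(r"grains\[([^\]]+)\]")


def _resolve_field(field_name, grains):
    """Look up one template field in the grains dict."""
    if field_name == "minion":  # {minion} is shorthand for grains[id]
        return grains["id"]
    match = _GRAIN_FIELD.fullmatch(field_name)
    if match is None:
        raise ValueError("unsupported policy template field: {%s}" % field_name)
    return grains[match.group(1)]


def expand_policies(templates, grains):
    """Expand each policy template into one or more concrete policy names.

    A field that evaluates to a list yields one policy per list member
    (a cartesian product if a template has several list-valued fields).
    List members that are not strings or numbers raise TypeError, which is
    the failure mode the documentation warns about (assumed behaviour).
    """
    policies = []
    formatter = string.Formatter()
    for template in templates:
        # Distinct field names in order of appearance; literal text has name None.
        fields = list(dict.fromkeys(
            name for _, name, _, _ in formatter.parse(template) if name is not None
        ))
        choices = []
        for name in fields:
            value = _resolve_field(name, grains)
            members = value if isinstance(value, list) else [value]
            for member in members:
                if not isinstance(member, (str, int, float)):
                    raise TypeError(
                        "grain %s contains %r, which has no simple string form"
                        % (name, member)
                    )
            choices.append([(name, str(member)) for member in members])
        for combo in itertools.product(*choices):
            policy = template
            for name, rendered in combo:
                policy = policy.replace("{" + name + "}", rendered)
            policies.append(policy)
    return policies


# The defaults the documentation names when no policies are configured.
DEFAULT_POLICIES = ["saltstack/minions", "saltstack/{minion}"]

# Constructed sample grains for a minion with id "web01".
SAMPLE_GRAINS = {"id": "web01", "os": "Ubuntu", "roles": ["web", "database"]}

if __name__ == "__main__":
    for template in [*DEFAULT_POLICIES, "my-policies/{grains[os]}",
                     "saltstack/by-role/{grains[roles]}"]:
        print(template, "->", expand_policies([template], SAMPLE_GRAINS))
```

Running the block prints one line per template; a grain whose list holds dictionaries (for example roles: [{name: web}]) makes expand_policies raise TypeError, matching the documented restriction to strings and numbers.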
Add this segment to the master configuration file, or /etc/salt/master.d/peer_run.conf:
    peer_run:
      .*:
        - vault.generate_token
salt.modules.vault.delete_secret(path)
    Delete secret at the path in vault. The vault policy used must allow this.

    CLI Example:

        salt '*' vault.delete_secret "secret/my/secret"
salt.modules.vault.list_secrets(path)
    List secret keys at the path in vault. The vault policy used must allow this. The path should end with a trailing slash.

    CLI Example:

        salt '*' vault.list_secrets "secret/my/"
salt.modules.vault.read_secret(path, key=None)
    Return the value of key at path in vault, or the entire secret when key is omitted. The vault policy used must allow this.

    Jinja Example:

        my-secret: {{ salt['vault'].read_secret('secret/my/secret', 'some-key') }}

        {% set supersecret = salt['vault'].read_secret('secret/my/secret') %}
        secrets:
            first: {{ supersecret.first }}
            second: {{ supersecret.second }}
salt.modules.vault.write_secret(path, **kwargs)
    Set secret at the path in vault. The vault policy used must allow this.

    CLI Example:

        salt '*' vault.write_secret "secret/my/secret" user="foo" password="bar"