
Get value of encrypted data from hiera-eyaml into puppet template


Puppet 7

I have a template:

[nondefault]
aws_secret_access_key = <%= scope().call_function('lookup', 
 ['profile::aws::app_environment::secret_key']) %>
aws_access_key_id     = <%= scope().call_function('lookup', 
 ['profile::aws::app_environment::access_key']) %>

I deploy the template like so:

file { 'kms_config.yaml':
  path    => "${homedir}/.aws/credentials",
  content => template('puppet/server/aws_creds.erb'),
  ensure  => file,
  mode    => '0600',
  owner   => 'root',
}

which results in:

# cat .aws/credentials
[nondefault]
aws_secret_access_key = Sensitive [value redacted]
aws_access_key_id     = Sensitive [value redacted]

My question is, how do I get the actual value, instead of Sensitive [value redacted], in the file?


Solution

  • which results in:

    # cat .aws/credentials
    [nondefault]
    aws_secret_access_key = Sensitive [value redacted]
    aws_access_key_id     = Sensitive [value redacted]
    

    Presumably, this is because $profile::aws::app_environment::secret_key and $profile::aws::app_environment::access_key have data type Sensitive.

    My question is, how do I get the actual value, instead of Sensitive [value redacted], in the file?

    I haven't used Sensitive much, and I suspect that it was not intended to interact with templates in the way you show, but there are at least three possible solutions:

    1. Use Puppet's unwrap function in your template to extract the underlying values from the Sensitive objects; OR

    2. Create ordinary (non-parameter*) class variables in profile::aws::app_environment to store the wanted values as plain strings (you might even have such already). Retrieve the values of those instead of the values of the variables you are now referencing. OR

    3. Change the data types of $profile::aws::app_environment::secret_key and $profile::aws::app_environment::access_key to String. Note well that this has security implications, but those may be moot under the circumstances because it looks like you'll be recording the cleartext values in a file on the target machine's filesystem.


    * You don't want to use class parameters for this because that would defeat the purpose of the existing variables being Sensitive (see option (3)).
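Option 1 above, carried through end to end, as an added example that is not part of the question or the answer. It assumes the two Hiera keys from the question are bound to Sensitive[String] values, that $homedir is set earlier in the manifest, and it inlines the template as EPP (rather than the asker's ERB file) so that the whole thing fits in one manifest:

```puppet
# Added example, not the asker's or answerer's code. Assumes the two Hiera keys
# from the question resolve to Sensitive[String] and that $homedir is already
# set. Asking lookup() for Sensitive[String] makes the assumption explicit: a
# plain string coming back from a misconfigured hiera-eyaml key fails here
# instead of silently landing in the catalog in cleartext.
$secret_key = lookup('profile::aws::app_environment::secret_key', Sensitive[String])
$access_key = lookup('profile::aws::app_environment::access_key', Sensitive[String])

# Option 1 from the answer: keep the values wrapped all the way into the
# template and unwrap only at the point of interpolation. The EPP parameter
# list repeats the Sensitive[String] constraint for the template itself.
$creds = inline_epp(@(CREDS), { 'secret_key' => $secret_key, 'access_key' => $access_key })
  <%- | Sensitive[String] $secret_key, Sensitive[String] $access_key | -%>
  [nondefault]
  aws_secret_access_key = <%= $secret_key.unwrap %>
  aws_access_key_id     = <%= $access_key.unwrap %>
  | CREDS

file { "${homedir}/.aws/credentials":
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0600',
  # Re-wrap the rendered text. The file on disk is cleartext (that is the
  # point of the exercise), but a Sensitive content value keeps the rendered
  # credentials out of the catalog diff, the agent log and the run report.
  content => Sensitive($creds),
}
```

In the asker's existing ERB template the equivalent of the EPP `.unwrap` call is `<%= scope().call_function('lookup', ['profile::aws::app_environment::secret_key']).unwrap %>`, since the Ruby object that `lookup` returns for a Sensitive value exposes `unwrap` directly; `scope().call_function('unwrap', [ ... ])` does the same thing. Wrapping `content` in `Sensitive(...)` is the part the question's manifest is missing regardless of which template language is used: without it, the unwrapped keys show up in plain text in the `file` resource's change diff whenever the file is created or modified.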