salt.modules.vault module

Functions to interact with Hashicorp Vault.

maintainer:SaltStack
maturity:new
platform:all
note:If you see the following error, you'll need to upgrade requests to atleast 2.4.2
<timestamp> [salt.pillar][CRITICAL][14337] Pillar render error: Failed to load ext_pillar vault: {'error': "request() got an unexpected keyword argument 'json'"}
configuration:

The salt-master must be configured to allow peer-runner configuration, as well as configuration for the module.

Add this segment to the master configuration file, or /etc/salt/master.d/vault.conf:

vault:
    url: https://vault.service.domain:8200
    verify: /etc/ssl/certs/ca-certificates.crt
    auth:
        method: token
        token: 11111111-2222-3333-4444-555555555555
    policies:
        - saltstack/minions
        - saltstack/minion/{minion}
        .. more policies
url

Url to your Vault installation. Required.

verify

For details please see http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification

New in version Oxygen.

auth

Currently only token auth is supported. The token must be able to create tokens with the policies that should be assigned to minions. Required.

You can still use the token via a OS environment variable via this config example:

And then export the VAULT_TOKEN variable in your OS:

policies

Policies that are assigned to minions when requesting a token. These can either be static, eg saltstack/minions, or templated, eg saltstack/minion/{minion}. {minion} is shorthand for grains[id]. Grains are also available, for example like this: my-policies/{grains[os]}

If a template contains a grain which evaluates to a list, it will be expanded into multiple policies. For example, given the template saltstack/by-role/{grains[roles]}, and a minion having these grains:

The minion will have the policies saltstack/by-role/web and saltstack/by-role/database. Note however that list members which do not have simple string representations, such as dictionaries or objects, do not work and will throw an exception. Strings and numbers are examples of types which work well.

Optional. If policies is not configured, saltstack/minions and saltstack/{minion} are used as defaults.

Add this segment to the master configuration file, or /etc/salt/master.d/peer_run.conf:

peer_run:
    .*:
        - vault.generate_token
salt.modules.vault.delete_secret(path)

Delete secret at the path in vault. The vault policy used must allow this.

CLI Example:

salt '*' vault.delete_secret "secret/my/secret"
salt.modules.vault.list_secrets(path)

List secret keys at the path in vault. The vault policy used must allow this. The path should end with a trailing slash.

CLI Example:

salt '*' vault.list_secrets "secret/my/"
salt.modules.vault.read_secret(path, key=None)

Return the value of key at path in vault, or entire secret

Jinja Example:

my-secret: {{ salt['vault'].read_secret('secret/my/secret', 'some-key') }}
{% set supersecret = salt['vault'].read_secret('secret/my/secret') %}
secrets:
    first: {{ supersecret.first }}
    second: {{ supersecret.second }}
salt.modules.vault.write_secret(path, **kwargs)

Set secret at the path in vault. The vault policy used must allow this.

CLI Example:

salt '*' vault.write_secret "secret/my/secret" user="foo" password="bar"