salt.renderers.pass module

Pass Renderer for Salt

pass is an encrypted on-disk password store.

New in version 2017.7.0.

Setup

Note: <user> needs to be replaced with the user salt-master will be running as.

Have private gpg loaded into user's gpg keyring

load_private_gpg_key:
  cmd.run:
    - name: gpg --import <location_of_private_gpg_key>
    - unless: gpg --list-keys '<gpg_name>'

Said private key's public key should have been used when encrypting pass entries that are of interest for pillar data.

Fetch and keep local pass git repo up-to-date

update_pass:
  git.latest:
    - force_reset: True
    - name: <git_repo>
    - target: /<user>/.password-store
    - identity: <location_of_ssh_private_key>
    - require:
      - cmd: load_private_gpg_key

Install pass binary

pass:
  pkg.installed
salt.renderers.pass.render(pass_info, saltenv=u'base', sls=u'', argline=u'', **kwargs)

Fetch secret from pass based on pass_path