salt.modules.vault module

maintainer:SaltStack
maturity:new
platform:all

Functions to interact with Hashicorp Vault.

configuration:

The salt-master must be configured to allow peer-runner configuration, as well as configuration for the module.

Add this segment to the master configuration file, or /etc/salt/master.d/vault.conf:

vault:
    url: https://vault.service.domain:8200
    auth:
        method: token
        token: 11111111-2222-3333-4444-555555555555
    policies:
        - saltstack/minions
        - saltstack/minion/{minion}
        .. more policies
url

Url to your Vault installation. Required.

auth

Currently only token auth is supported. The token must be able to create tokens with the policies that should be assigned to minions. Required.

policies

Policies that are assigned to minions when requesting a token. These can either be static, eg saltstack/minions, or templated, eg saltstack/minion/{minion}. {minion} is shorthand for grains[id]. Grains are also available, for example like this: my-policies/{grains[os]}

If a template contains a grain which evaluates to a list, it will be expanded into multiple policies. For example, given the template saltstack/by-role/{grains[roles]}, and a minion having these grains:

The minion will have the policies saltstack/by-role/web and saltstack/by-role/database. Note however that list members which do not have simple string representations, such as dictionaries or objects, do not work and will throw an exception. Strings and numbers are examples of types which work well.

Optional. If policies is not configured, saltstack/minions and saltstack/{minion} are used as defaults.

Add this segment to the master configuration file, or /etc/salt/master.d/peer_run.conf:

peer_run:
    .*:
        - vault.generate_token
salt.modules.vault.delete_secret(path)

Delete secret at the path in vault. The vault policy used must allow this.

CLI Example:

salt.modules.vault.list_secrets(path)

List secret keys at the path in vault. The vault policy used must allow this. The path should end with a trailing slash.

CLI Example:

salt.modules.vault.read_secret(path, key=None)

Return the value of key at path in vault, or entire secret

Jinja Example:

my-secret: {{ salt['vault'].read_secret('secret/my/secret', 'some-key') }}
{% set supersecret = salt['vault'].read_secret('secret/my/secret') %}
secrets:
    first: {{ supersecret.first }}
    second: {{ supersecret.second }}
salt.modules.vault.write_secret(path, **kwargs)

Set secret at the path in vault. The vault policy used must allow this.

CLI Example: