Puppet Bolt Vault Plugin

bolt-linux-command.sh

bolt plan run facts -i inventory.yaml --targets=linuxnode1

bolt-policy.hcl

path "secret/data/credentials/*" {
  capabilities = ["read"]
}
path "secret/metadata/credentials/*" {
  capabilities = ["list","read"]
}

bolt-token.yaml

modulepath: "~/.puppetlabs/bolt-code/modules:~/.puppetlabs/bolt-code/site-modules"
concurrency: 10
format: human
winrm:
  ssl: false
ssh:
  host-key-check: false
plugins:
  vault:
    server_url: http://127.0.0.1:8200
    auth:
      method: token
      token: s.3649w1Fh80RtwSteoDzWuDUi

bolt-userpass.yaml

modulepath: "~/.puppetlabs/bolt-code/modules:~/.puppetlabs/bolt-code/site-modules"
concurrency: 10
format: human
winrm:
  ssl: false
ssh:
  host-key-check: false
plugins:
  vault:
    server_url: http://127.0.0.1:8200
    auth:
      method: userpass
      user: puppetbolt
      pass: Password123

bolt-windows-command.sh

bolt plan run facts -i inventory.yaml --targets=winnode1

generate-token.sh

vault token create -policy=bolt

linux-inventory.yaml

version: 2
targets:
  - uri: linuxnode1
    config:
      transport: ssh
      ssh:
        user: root
        private-key:
          key-data:
            _plugin: vault
            path: secret/credentials/linux
            field: privatekey
            version: 2

linux-privatekey.sh

vault kv put secret/credentials/linux privatekey=@bolt_id_rsa

token-gen-output.sh

Key                  Value
---                  -----
token                s.3649w1Fh80RtwSteoDzWuDUi
token_accessor       Ki4onGqPfwdnMVJQFX40ddqZ
token_duration       768h
token_renewable      true
token_policies       ["bolt" "default"]
identity_policies    []
policies             ["bolt" "default"]

userpass-create.sh

vault write auth/userpass/users/puppetbolt password=Password123 policies=bolt

userpass-enable.sh

vault auth enable userpass

userpass-login-output.sh

Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  s.Xd4v1qoCtnKEnDHjzYTRm1KC
token_accessor         1ZRZUUYfWRJOGNBj8qnbRGvf
token_duration         768h
token_renewable        true
token_policies         ["bolt" "default"]
identity_policies      []
policies               ["bolt" "default"]
token_meta_username    puppetbolt

userpass-login.sh

vault login -method=userpass username=puppetbolt

vault-policy-write.sh

vault policy write bolt bolt-policy.hcl

vault-startup.sh

vault server -dev -dev-root-token-id=root -dev-listen-address=0.0.0.0:8200

windows-inventory.yaml

version: 2
targets:
  - uri: winnode1
    config:
      transport: winrm
      winrm:
        user: administrator
        password:
          _plugin: vault
          path: secret/credentials/windows
          field: password
          version: 2

windows-password.sh

vault kv put secret/credentials/windows password=Puppet123