Tutorial - Puppet
The conjur Puppet module provides a comprehensive solution for managing machine identity and distributing secrets through Puppet. Conjur + Puppet has clear advantages over other approaches to secrets management such as hiera-eyaml and hiera-vault:
- Access to secrets is controlled separately for each node.
- No “master key” is installed on the Puppet master; in fact, the Puppet master does not hold any long-lived key to the secrets vault at all.
- Access to secrets is managed via machine identity and role-based access control policies, which are kept in source control.
As a result, the “blast radius” of a compromised node or Puppet master is minimized. Only those secrets available to a node are revealed to an attacker. A stolen backup of the Puppet master reveals no secrets at all.
For this tutorial you need:
- A Conjur installation
- A client machine with the Puppet agent installed
When we run Puppet, the manifest will perform the following steps:
- Configure the client node’s connection to Conjur.
- Assign an identity to the client node.
- Authenticate the node with Conjur.
- Fetch the database password from Conjur and merge this into a template file.
- Store the file on the client node.
The conjur-conjur module provides supporting functions for these operations.
Load the Policy
As with all Conjur workflows, we begin by defining the policies.
Save this file as “conjur.yml”:
The policy defines three objects:
- variable:db/password: Contains the database password.
- layer:myapp: A layer (group of hosts) with access to the password.
- host_factory:myapp: Used to create individual hosts and enroll them into
Load the policy using the following command:
Load the Database Password
Next, we need to populate the database password with a secret value. Use the CLI to verify that the variable exists in Conjur:
Now, use OpenSSL to generate a random secret, and load it into the variable:
Create the Host Factory Token
In the introduction, we mentioned that the Puppet manifest assigns a Conjur identity to the client node. For this purpose, we use the Conjur Host Factory.
Create a host factory token for use by Puppet:
The token that you see above can be used to enroll machines into the “myapp” layer.
Create the Manifest
Now it’s time to build the Puppet manifest. The manifest needs to do two things:
- Configure the connection to Conjur.
- Assign the machine identity.
For the first task, we supply the appropriate values for appliance_url. For the second, we use the host factory token. The manifest uses the host factory token to create a Conjur host called “myapp-01” which belongs to the myapp layer. Then it uses the privileges granted to the host by layer membership to fetch the database password.
Create the following Puppet manifest:
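An added example manifest illustrating the two tasks described above; it is not the tutorial's own manifest. It assumes the module's `conjur` class takes `appliance_url`, `account`, `authn_login`, `host_factory_token` and `ssl_certificate`, that `conjur::secret` returns the variable value, and it uses placeholders for the URL, account and token.

```puppet
# Added example; class parameters and conjur::secret are assumed to match the
# conjur-conjur module. URL, account and token values are placeholders.

# 1. Configure the connection and assign the machine identity. The host
#    factory token is the only credential the node needs: the module redeems
#    it for the host identity "myapp-01", which is enrolled in the "myapp"
#    layer. Sensitive() keeps the token out of logs and reports.
class { 'conjur':
  appliance_url      => 'https://conjur.example.com/api',   # placeholder
  account            => 'example',                          # placeholder
  authn_login        => 'host/myapp-01',
  host_factory_token => Sensitive('HOST_FACTORY_TOKEN_PLACEHOLDER'),
  ssl_certificate    => file('/etc/conjur.pem'),
}

# 2. Fetch the database password with the privileges the "myapp" layer grants
#    to its members. Only variables this host may read are retrievable, so a
#    compromised node exposes nothing beyond its own grants. Assumes the
#    function returns a String; wrapping it in Sensitive redacts it.
$db_password = Sensitive(conjur::secret('db/password'))

# 3. Merge the secret into a template and store the file on the node.
#    The template is inline so the example is self-contained.
$conf_template = @(CONF)
  [database]
  host = db.example.com
  password = <%= $password %>
  | CONF

file { '/etc/myapp/database.conf':
  ensure    => file,
  owner     => 'root',
  group     => 'root',
  mode      => '0600',
  content   => Sensitive(inline_epp($conf_template, { 'password' => $db_password.unwrap })),
  show_diff => false,   # never print the rendered secret in a diff
}
```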
Install the conjur Module
For the manifest to work, you need to install the conjur-conjur Puppet module:
Now, run Puppet:
TODO: success message