vault

Use secrets sourced from Vault (or OpenBao) in minion pillars.

Important

This module requires the general Vault setup.

Warning

A minion must not be able to write to its own pillar source path, otherwise a core security assumption in Salt is violated.

Changed in version 1.0.0: Previous versions of this pillar module found in Salt core were configured with a parameter named conf, expecting a single value representing the path to include in the pillar with the prefix path=. This parameter has been deprecated. Please configure this pillar module either by just passing the path or declaring it as path: <path>.

Setup

Include this module in your ext_pillar configuration:

ext_pillar:
  - vault: salt/global

Hint

You can also include multiple instances of this module in your configuration.

Now all keys of the Vault KV path salt/global are inserted into each minion’s pillar, which is quite inflexible and usually not what is wanted. To work around that, you can template the path.

ext_pillar:
  - vault: salt/minions/{minion}
  - vault: salt/roles/{pillar[roles]}

Note

There is currently no top.sls equivalent.

Note

If a pattern matches multiple paths, the results are merged according to the master configuration values pillar_source_merging_strategy and pillar_merge_lists by default. If the optional nesting_key is defined, the merged result is nested below. There is currently no way to nest multiple results under different keys.

Nested keys

A Vault secret can contain arbitrarily nested JSON. Suppose minions with the testrole role need the following pillar data:

foobar:
  users:
    barbaz:
      password: correct horse battery staple

You can write this data into their pillar path in Vault:

vault kv put -mount=salt roles/testrole - <<EOF
{"foobar": {"users": {"barbaz": {"password": "correct horse battery staple"}}}}
EOF

Configuration reference

path

Path to include in the minion pillars. Can be templated.

nesting_key

Vault-sourced pillar values are usually merged into the root of the pillar. This option allows you to specify a parent key under which all values are nested. If the key contains previous values, they are merged.

merge_strategy

When multiple paths are matched by a templated path, use this merge strategy instead of pillar_source_merging_strategy.

merge_lists

Override the default set by pillar_merge_lists.

Complete configuration

ext_pillar:
  - vault:
       path: salt/roles/{pillar[roles]}
       nesting_key: vault_sourced
       merge_strategy: smart
       merge_lists: false
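To make the path templating, multi-path merging and nesting_key behaviour described above concrete, here is a small Python model of what the master does when it evaluates the ext_pillar entries. It is an added illustration, not the saltext.vault code: the Vault KV store is replaced by a constructed in-memory dict (FAKE_KV), only the recursive merge strategy is modelled, and the list-merge and placeholder-expansion rules (a placeholder that resolves to a list yields one path per element) are assumptions that mirror the text rather than the project's implementation.

```python
import copy
import re

# Constructed stand-in for Vault KV secrets, keyed by the path the
# pillar config refers to. Not a real Vault client.
FAKE_KV = {
    "salt/global": {"ntp_server": "ntp.example.internal", "packages": ["curl"]},
    "salt/minions/web01": {"packages": ["nginx"], "listen_port": 8080},
    "salt/roles/web": {"packages": ["nginx-extras"], "listen_port": 80},
    "salt/roles/monitoring": {"packages": ["node-exporter"]},
}

# Matches the two placeholder forms used on the page: {minion} and {pillar[key]}.
PLACEHOLDER = re.compile(r"\{(minion|pillar\[([^\]]+)\])\}")

# Assumption: the master's own merge of ext_pillar output uses
# pillar_merge_lists, which defaults to False.
MASTER_MERGE_LISTS = False


def expand_path(template, minion_id, pillar):
    """Return every concrete path a templated path resolves to.

    A placeholder that resolves to a list (e.g. pillar[roles]) produces one
    path per element; an unresolvable placeholder yields no path at all, so
    the entry contributes nothing instead of reading a wrong secret.
    """
    paths = [template]
    for match in PLACEHOLDER.finditer(template):
        token = match.group(0)
        if match.group(1) == "minion":
            values = [minion_id]
        else:
            value = pillar.get(match.group(2))
            if value is None:
                return []
            values = value if isinstance(value, list) else [value]
        paths = [p.replace(token, str(v)) for p in paths for v in values]
    return paths


def merge(dest, src, merge_lists=False):
    """Recursive dict merge; src wins on scalar conflicts.

    Lists are appended (duplicates dropped) when merge_lists is True and
    replaced otherwise. This is a simplification of Salt's merge helpers.
    """
    result = copy.deepcopy(dest)
    for key, value in src.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = merge(result[key], value, merge_lists)
        elif merge_lists and isinstance(value, list) and isinstance(result.get(key), list):
            result[key] = result[key] + [v for v in value if v not in result[key]]
        else:
            result[key] = copy.deepcopy(value)
    return result


def vault_pillar(minion_id, pillar, path, nesting_key=None, merge_strategy=None,
                 merge_lists=False, kv=FAKE_KV):
    """Model of one `- vault:` ext_pillar entry.

    All paths the template expands to are read and merged together using
    merge_lists; merge_strategy is accepted for parity with the config
    reference but only the recursive strategy is modelled here.
    """
    merged = {}
    for concrete in expand_path(path, minion_id, pillar):
        secret = kv.get(concrete)
        if secret is None:
            continue  # missing secret: nothing to merge for this path
        merged = merge(merged, secret, merge_lists)
    if nesting_key:
        return {nesting_key: merged}
    return merged


# The three ext_pillar instances from the page, as the master would see them.
EXT_PILLAR = [
    {"vault": "salt/global"},
    {"vault": "salt/minions/{minion}"},
    {"vault": {"path": "salt/roles/{pillar[roles]}",
               "nesting_key": "vault_sourced", "merge_lists": True}},
]


def compile_pillar(minion_id, base_pillar, ext_pillar=EXT_PILLAR, kv=FAKE_KV):
    """Evaluate each ext_pillar entry in order and fold its result into the pillar."""
    pillar = copy.deepcopy(base_pillar)
    for entry in ext_pillar:
        conf = entry["vault"]
        if isinstance(conf, str):
            conf = {"path": conf}  # bare string form is shorthand for path: <path>
        data = vault_pillar(minion_id, pillar, kv=kv, **conf)
        pillar = merge(pillar, data, MASTER_MERGE_LISTS)
    return pillar


if __name__ == "__main__":
    base = {"roles": ["web", "monitoring"], "vault_sourced": {"note": "already here"}}
    print(compile_pillar("web01", base))
```

Running the module shows the effect of each option: the role-specific packages are appended across the two matched role paths because that entry sets merge_lists, they land under vault_sourced next to the pre-existing "note" value, and the top-level packages list is simply replaced by the minion-specific secret because the master merge keeps the default of not merging lists.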
saltext.vault.pillar.vault.ext_pillar(minion_id, pillar, path=None, nesting_key=None, merge_strategy=None, merge_lists=None, extra_minion_data=None, conf=None)

Get pillar data from Vault for the configuration conf.