vault

Use secrets sourced from Vault in minion pillars.

Important

This module requires the general Vault setup.

Warning

A minion must not be able to write to its own pillar source path; otherwise a core security assumption in Salt, that a minion cannot influence its own pillar data, is violated.

Changed in version 1.0.0: Previous versions of this pillar module, found in Salt core, were configured with a parameter named conf that expected a single value: the path to include in the pillar, prefixed with path=. This parameter has been deprecated. Please configure this pillar module either by just passing the path or by declaring it as path: <path>.

Setup

Include this module in your ext_pillar configuration:

ext_pillar:
  - vault: salt/global

Hint

You can also include multiple instances of this module in your configuration.

Now all keys of the Vault KV path salt/global are inserted into each minion’s pillar, which is quite inflexible and usually not what is wanted. To work around that, you can template the path.

ext_pillar:
  - vault: salt/minions/{minion}
  - vault: salt/roles/{pillar[roles]}

Note

There is currently no top.sls equivalent.

Note

If a pattern matches multiple paths, the results are merged according to the master configuration values pillar_source_merging_strategy and pillar_merge_lists by default. If the optional nesting_key is defined, the merged result is nested below. There is currently no way to nest multiple results under different keys.

Configuration reference

path

The path to include in the minion pillars. Can be templated.

nesting_key

The Vault-sourced pillar values are usually merged into the root of the pillar. This option allows you to specify a parent key under which all values are nested. If the key contains previous values, they are merged.

merge_strategy

When multiple paths are matched by a templated path, use this merge strategy instead of pillar_source_merging_strategy.

merge_lists

Override the default set by pillar_merge_lists.

Complete configuration

ext_pillar:
  - vault:
       path: salt/roles/{pillar[roles]}
       nesting_key: vault_sourced
       merge_strategy: smart
       merge_lists: false
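
The following is an added illustration, not saltext.vault's own code, of the behaviour described above: it renders the documented {minion} and {pillar[key]} placeholders (a list-valued key yields one path per item), merges every matched path with a Salt-style recursive merge honouring merge_lists, and nests the result under nesting_key. FAKE_KV is a constructed stand-in for the Vault KV store, and the refusal to render values containing "/" or ".." is this example's own safeguard, not documented module behaviour.

```python
import re
from collections.abc import Mapping

# Constructed stand-in for the Vault KV secrets the master would read.
FAKE_KV = {
    "salt/minions/web01": {"db_password": "s3cret", "ports": [80]},
    "salt/roles/web": {"ports": [443], "features": {"tls": True}},
    "salt/roles/monitoring": {"features": {"metrics": True}},
}
# The two documented placeholders: {minion} and {pillar[<key>]}.
_FIELD = re.compile(r"\{(minion|pillar\[([^\]]+)\])\}")

def _render(value):
    """Assumption of this example: a value must not escape its path prefix."""
    text = str(value)
    if "/" in text or ".." in text:
        raise ValueError(f"refusing to render {text!r} into a Vault path")
    return text

def expand_paths(pattern, minion_id, pillar):
    """One path per combination; a list-valued pillar key yields several."""
    paths = [pattern]
    for token, key in _FIELD.findall(pattern):
        values = pillar[key] if key else minion_id
        if not isinstance(values, list):
            values = [values]
        paths = [p.replace("{%s}" % token, _render(v), 1)
                 for p in paths for v in values]
    return paths

def merge(base, update, merge_lists=False):
    """Recursive merge; lists are replaced unless merge_lists, as in Salt."""
    out = dict(base)
    for k, v in update.items():
        if isinstance(v, Mapping) and isinstance(out.get(k), Mapping):
            out[k] = merge(out[k], v, merge_lists)
        elif merge_lists and isinstance(v, list) and isinstance(out.get(k), list):
            out[k] = out[k] + [i for i in v if i not in out[k]]
        else:
            out[k] = v
    return out

def vault_pillar(minion_id, pillar, path, nesting_key=None, merge_lists=False, kv=FAKE_KV):
    """Mimic ext_pillar: merge every matched path, optionally nest the result."""
    result = {}
    for p in expand_paths(path, minion_id, pillar):
        result = merge(result, kv.get(p, {}), merge_lists)
    # Salt merges the returned mapping into the minion's pillar afterwards.
    return {nesting_key: result} if nesting_key else result
```

With pillar roles ["web", "monitoring"], the roles pattern expands to two paths whose values are merged, so the second role's features are added to the first's rather than replacing them.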

saltext.vault.pillar.vault.ext_pillar(minion_id, pillar, path=None, nesting_key=None, merge_strategy=None, merge_lists=None, extra_minion_data=None, conf=None)

Get pillar data from Vault for the configuration conf.