Forge Home


Secret retrieval and put for Vault


177 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.1.1 (latest)
  • 0.1.0 (deleted)
released Mar 20th 2023
This version is compatible with:
  • Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
  • Puppet >= 6.21.0 < 8.0.0
  • , , , , ,
  • wault

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'itmage-wault', '0.1.1'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add itmage-wault
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install itmage-wault --version 0.1.1

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



itmage/wault — version 0.1.1 Mar 20th 2023

Table of Contents

  1. Description
  2. Requirements
  3. Usage, Configuration, and Examples


For Puppet 6+ users wanting to use secrets from Hashicorp Vault on their Puppet agents, this Puppet module provides the wault::password() function.

When used with Puppet 6's Deferred type, the function allows agents to retrieve or put secrets for Vault when a catalog is applied rather than compiled. In this way, the secret data is not embedded in the catalog and the Puppetserver does not need permissions to read all your Vault secrets.


This modules assumes the following:

  1. Puppet 6+
  2. An existing Vault infrastructure

The wault::password() function is expected to be run with the Deferred type; as such, Puppet 6 or later is required.

And as this function is meant to read secrets from Vault, an existing Vault infrastructure is assumed to be up and reachable by your Puppet agents.


Install this module as you would in any other; the necessary code will be distributed to Puppet agents via pluginsync.

In your manifests, call the wault::password() function using the Deferred type. For example:

file { '/tmp/password1':
  content => Deferred('wault::password',
      'password1', { 'facts' => ['kernel'] }

file { '/tmp/password2':
  content => Deferred('wault::password',
      'password2', {
        'facts'  => ['kernel', 'is_virtual'],
        'expire' => '1 week'

Configuring the Wault password

The lookup done by wault::password() can be configured in two ways: a hash of options, configuration file.

In all cases, the path to the secret is the first positional argument and is required. All other arguments are optional. Arguments in [square brackets] below are optional.

Options Hash

wault::password( <name>, [<options_hash>] )

Usage Examples

Here are some examples of each method:

# Running a function on a agent node
$out = Deferred('wault::password',
  [ 'example', {
      'facts'  => ['kernel', 'is_virtual'],
      'expire' => '1 week'
    } ]

#  If you need to put a value in a string
$out = Deferred('wault::password',[
    'my_parameter_in_vault', {'facts' => ['kernel']}
file { '/etc/config.env':
    ensure  => file,
    content => Deferred('sprintf',['PARAMETER=%s', $out])

# Running a function on a server node
$password = wault::password('example')
$other_password = wault::password('other',
    'facts'  => ['kernel', 'is_virtual'],
    'expire' => '1 week'