Forge Home


A Puppet master password implementation that uses Puppet server's CA key to automate password creation.


1,925 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.1.0 (latest)
released Oct 24th 2019
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2016.4.x
  • Puppet >= 4.10.0 < 7.0.0
  • , , , , , , , , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'wavesoftware-passless', '0.1.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add wavesoftware-passless
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install wavesoftware-passless --version 0.1.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



wavesoftware/passless — version 0.1.0 Oct 24th 2019

Passless for Puppet

Travis Build Status AppVeyor Build Status

It's a Puppet master password implementation that uses PuppetServer's CA to automate password creation.

Table of Contents

  1. Description
  2. Usage - Configuration options and additional functionality
  3. Development - Guide for contributing to the module


This module contains a a function passless::secret (and an alias passless) that will generate a password based on a name given. Each password will be generated using a master password algorithm. This algorithm will take a Puppet CA as a master password. Password generated will be unique to Puppet environment.

class { 'postgresql::server':
  postgres_password => passless::secret('postgresql::server'),


A passless::secret function takes a minimum of one argument. That argument is name of password to be generated.

Each password generation can be influenced by providing a options. Options are given on hashmap. Those options are:

  • counter - A sequential password number. Changing the password should be done by advancing this number. Default value is 1.
  • scope - A definition of scope that the password will be generated from. It may be one of (defaults to alnum):
    • num for numeric passwords,
    • alpha for alphabet based passwords, both big and small caps,
    • alnum for alphanumeric passwords, both big and small caps,
    • human for letters and numbers that are easy to distinguish by human,
    • keys for passwords that can be typed by keyboard, so letters, and numbers, and special characters,
    • utf8 these passwords contain utf-8 characters, so also a characters that aren't easy to type by keyboard,
    • list: followed by list of chars that might be used. Ex.: list:abcdef1234567890!$,
  • length - A length of password to be generated in number of signs. Default value is 16.
$options = {
  'counter' => 5,
  'scope'   => 'human',
  'length'  => 24,
user { 'root':
  password => passless::secret("root@${::fqdn}", $options),


Hiera integration isn't done yet (

All options described above can also be set via Hiera. To do this define a key that is created by adding a password name and suffix of ::counter, ::scope, or ::length. Ex.: 13 alnum 32

You can specify a counter both in Puppet code and in Hiera, counters will be summed. Specifying scope or length, in both places isn't supported and will result in compilation error.


Development is described in separate document

Release Notes

See for project release notes.