AWS Secrets Manager as a Hiera Backend

We use both Puppet and AWS extensively. Historically, we’ve managed secrets with eyaml and git. This allows version control and recovery of secrets, but requires the decryption key(s) to be stored on the same disk as the secrets.

We’ve evaluated Hashicorp’s Vault as a secrets management solution. While it is robust and full of appealing features, it requires deploying and managing an infrastructure around it – especially if you want high availability. This isn’t a barrier for many clients, but for others, Amazon’s recently announced Secrets Manager is very appealing.

To that end, we’ve written a simple Hiera 5 (Puppet 4.9+) backend that allows Hiera to look up string secrets from Secrets Manager. It has been donated by Possible Finance on GitHub.

Features:

  • Works with an instance profile.
  • Allows confining lookups to certain keys for performance.
  • Supports a proxy for properly isolated environments.
  • Can return all secrets pre-wrapped in Puppet 4+’s Sensitive() wrapper.

We are especially enamored with the last feature: we use Sensitive() extensively and this means not needing to remember to wrap a secret in order for it to be redacted. Deploying a secret as a file and redacting it is trivial:

$secret_key = lookup('secret_key', Sensitive[String])
file { '/etc/secret.key':
  content => $secret_key,
  # ...
}

Produces:

Notice: /Stage[main]/Secret/File[/etc/secret.key]/content: [diff redacted]

Configuration is familiar if you’ve used a Hiera plugin backend before:

- name: "AWS Secrets Manager"
  lookup_key: "hiera_awssm"
  options:
    confine_to_keys:
      - "^puppet_secrets/.*"
    proxy_uri: "http://myproxy:8080"
    region: "us-east-1"
    sensitive: true

See the README for more information.
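The options block above maps onto the backend's lookup_key function roughly as follows. This is an added Ruby example, not the hiera_awssm project's own code; it injects a constructed stub in place of the aws-sdk-secretsmanager client (assuming that gem's get_secret_value call and ResourceNotFoundException error) so the confine_to_keys and sensitive logic runs offline:

```ruby
# Core logic of a Hiera 5 lookup_key backend for AWS Secrets Manager (added
# example, not the hiera_awssm project's code). The AWS client is injected so
# this runs offline; the real backend would pass an Aws::SecretsManager::Client.
module AwsSmLookup
  # Stand-in for Puppet's Sensitive wrapper (assumption: the real backend returns
  # Puppet::Pops::Types::PSensitiveType::Sensitive). Redacts itself when printed.
  class Sensitive
    def initialize(value); @value = value; end
    def unwrap; @value; end
    def to_s; 'Sensitive [value redacted]'; end
    alias inspect to_s
  end

  # Stand-in for Hiera's context.not_found: the backend declines, Hiera moves on.
  NOT_FOUND = :not_found

  # options is the `options:` hash from hiera.yaml (confine_to_keys, sensitive).
  def self.lookup_key(key, options, client)
    confine = Array(options['confine_to_keys'])
    # Skip the network round trip entirely for keys outside the configured patterns.
    return NOT_FOUND unless confine.empty? || confine.any? { |pat| Regexp.new(pat).match?(key) }

    begin
      resp = client.get_secret_value(secret_id: key)
    rescue StandardError => e
      # aws-sdk raises Aws::SecretsManager::Errors::ResourceNotFoundException for
      # unknown ids; match on the class name so the stub below can raise its own.
      return NOT_FOUND if e.class.name.end_with?('ResourceNotFoundException')
      raise
    end
    value = resp.secret_string
    options['sensitive'] ? Sensitive.new(value) : value
  end

  # Constructed stub with the subset of Aws::SecretsManager::Client used here.
  class StubClient
    ResourceNotFoundException = Class.new(StandardError)
    Response = Struct.new(:secret_string)
    def initialize(secrets); @secrets = secrets; end
    def get_secret_value(secret_id:)
      raise ResourceNotFoundException, secret_id unless @secrets.key?(secret_id)
      Response.new(@secrets[secret_id])
    end
  end

  # Constructed sample secret and the options block from the hiera.yaml above.
  CLIENT = StubClient.new('puppet_secrets/secret_key' => 'hunter2-constructed')
  OPTIONS = { 'confine_to_keys' => ['^puppet_secrets/.*'], 'sensitive' => true }
end

puts AwsSmLookup.lookup_key('puppet_secrets/secret_key', AwsSmLookup::OPTIONS, AwsSmLookup::CLIENT) if $PROGRAM_NAME == __FILE__
```

Because the value is wrapped before it ever reaches the catalog, a file resource using it is redacted in reports without the manifest author remembering to call Sensitive().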

Note that this is an early version. We welcome contributors. It is particularly in need of unit testing and other Puppet Forge requirements.