Get value of encrypted data from hiera-eyaml into puppet template


Puppet 7

I have a template:

[nondefault]
aws_secret_access_key = <%= scope().call_function('lookup', ['profile::aws::app_environment::secret_key']) %>
aws_access_key_id     = <%= scope().call_function('lookup', ['profile::aws::app_environment::access_key']) %>

I deploy the template like so:

file { 'kms_config.yaml':
  path    => "${homedir}/.aws/credentials",
  content => template('puppet/server/aws_creds.erb'),
  ensure  => file,
  mode    => '0600',
  owner   => 'root',
}

which results in:

# cat .aws/credentials
[nondefault]
aws_secret_access_key = Sensitive [value redacted]
aws_access_key_id     = Sensitive [value redacted]

My question is, how do I get the actual value, instead of Sensitive [value redacted], in the file?

2


0
John Bollinger (BEST ANSWER)

which results in:

# cat .aws/credentials
[nondefault]
aws_secret_access_key = Sensitive [value redacted]
aws_access_key_id     = Sensitive [value redacted]

Presumably, this is because $profile::aws::app_environment::secret_key and $profile::aws::app_environment::access_key have data type Sensitive.

My question is, how do I get the actual value, instead of Sensitive [value redacted], in the file?

I haven't used Sensitive much, and I suspect that it was not intended to interact with templates in the way you show, but there are at least three possible solutions:

  1. Use Puppet's unwrap function in your template to extract the underlying values from the Sensitive objects; OR

  2. Create ordinary (non-parameter*) class variables in profile::aws::app_environment to store the wanted values as plain strings (you might even have such already). Retrieve the values of those instead of the values of the variables you are now referencing. OR

  3. Change the data types of $profile::aws::app_environment::secret_key and $profile::aws::app_environment::access_key to String. Note well that this has security implications, but those may be moot under the circumstances because it looks like you'll be recording the cleartext values in a file on the target machine's filesystem.


* You don't want to use class parameters for this because that would defeat the purpose of the existing variables being Sensitive (see option (3)).

0
Tombart

The best approach is to use the unwrap() function or the .unwrap method, where applicable, in Puppet/template code. It also works for a common String (it simply prints it).

aws_access_key_id     = <%= unwrap($access_key) %>
aws_secret_access_key = <%= $secret_access_key.unwrap %>

Types can be easily configured to accept both Sensitive and String:

Variant[String, Sensitive[String]] $db_password

In Hiera you should be using alias to reference a Sensitive value:

aws::secret_key: "%{alias('profile::aws::app_environment::secret_key')}"

Note: in order to encrypt data in transit, you should be using:

lookup_options:
  profile::aws::app_environment::secret_key:
    convert_to: Sensitive
  '^\w+_password$':
    convert_to: Sensitive
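As an added, self-contained example (not code from the question or either answer), the manifest below applies option 1 from the accepted answer and the unwrap usage from the second answer: the EPP template unwraps the Sensitive values so the rendered credentials file holds the real strings, and the file's content is re-wrapped in Sensitive so the secret is redacted in catalogs, reports and --show_diff output. The two Sensitive literals and the /tmp path are constructed placeholders standing in for the hiera-eyaml lookups on the page.

```puppet
# Constructed placeholders standing in for
# lookup('profile::aws::app_environment::access_key') / ...::secret_key,
# which hiera-eyaml returns as Sensitive[String].
$access_key = Sensitive('AKIAEXAMPLEPLACEHOLDER')
$secret_key = Sensitive('example-secret-placeholder')

# Unquoted heredoc: Puppet does not interpolate $variables here, so the
# EPP engine sees them. Inside the template, unwrap() / .unwrap turn the
# Sensitive wrappers back into plain strings instead of
# "Sensitive [value redacted]".
$creds_template = @(EPP)
  <%- | Sensitive[String] $access_key, Sensitive[String] $secret_key | -%>
  [nondefault]
  aws_access_key_id     = <%= $access_key.unwrap %>
  aws_secret_access_key = <%= unwrap($secret_key) %>
  | EPP

file { '/tmp/example-aws-credentials':   # constructed path; the page uses "${homedir}/.aws/credentials"
  ensure  => file,
  mode    => '0600',
  # Wrapping the rendered text in Sensitive keeps the cleartext out of the
  # catalog, agent logs, reports and content diffs; only the file on disk
  # receives the real values.
  content => Sensitive(inline_epp($creds_template, {
    'access_key' => $access_key,
    'secret_key' => $secret_key,
  })),
}
```

Run it with `puppet apply` and inspect the file afterwards; the agent output and report show the content as redacted while the file itself contains the unwrapped strings.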