Puppet Integration

The Secrets Safe module consists of a number of plugins that allow creation and retrieval of secrets in DevOps Secrets Safe.


The functions in this module require an application with permissions to perform read and write actions on the resources you interact with.


Ensure a user exists with a password retrieved from DevOps Secrets Safe, using the format shown here, where bob is the user:

user_password = dss_get_secret('https://my-secrets-safe.com', 'user/passwords:bob', "my_application", "my_api_key")
user { 'bob':
  ensure   => present,
  password => Sensitive($user_password)

Use a DSS generator to generate a password, and then provision a Postgres database using it:

class { 'postgresql::server':

dss_create_secret_with_generator('https://my-secrets-safe.com', 'passwords/db/pg_user', "my_application", "my_api_key", "postgres-password-generator")
$pg_pass = dss_get_secret('https://my-secrets-safe.com', 'passwords/db/pg_user', "my_application", "my_api_key")
postgresql::server::db { 'new_postgres':
  user     => 'pg_user',
  password => postgresql::postgresql_password('pg_user', $pg_pass),

Save a certificate that is on the file system as a secret in DSS:

dss_create_secret_with_file('https://my-secrets-safe.com', 'certs:mycert', "my_application", "my_api_key", "//etc/ssl/certs/ca.crt")


Each of the following functions have some common parameters:

host Data type: String Hostname or IP address of DevOps Secrets Safe instance
app_name Data type: String Name of DSS application used to perform this action
api_key Data type: String API key of the DSS application specified in the app_name parameter
secret_uri Data type: String URI of the secret being operated on
secret_value Data type: String String value of the secret to be stored
generator_name Data type: String Name of the DSS generator used to generate the value for this secret
file_name Data type: String Path to the file which is stored as a secret


Returns the value of a DevOps Secrets Safe secret found at secret_uri.

dss_get_secret(host, secret_uri, app_name, api_key)

Creates a secret at secret_uri using the value of secret_value.

dss_create_secret_with_value (host, secret_uri, app_name, api_key, secret_value)

Creates a secret at secret_uri using the DevOps Secrets Safe generator specified in generator_name.

dss_create_secret_with_generator(host, secret_uri, app_name, api_key, generator_name)

Creates a secret at secret_uri using the file at file_name as the value.

dss_create_secret_with_file(host, secret_uri, app_name, api_key, file_name)