Puppet Integration

The Secrets Safe module consists of a number of plugins that allow creation and retrieval of secrets in DevOps Secrets Safe.

Setup Requirements

The functions in this module requre a running instance of DSS and an application with permissions to perform read and write permissions on the resources you interact with.


Ensure a user exists with a password retrieved from DSS, using the example shown, where bob is the user:

$user_password = dss_get_secret('https://my-secrets-safe.com', 'user/passwords:bob', "my_application", "my_api_key")
user { 'bob':
  ensure   => present,
  password => Sensitive($user_password)

Use a Secrets Safe generator to generate a password, and then provision a Postgres database using it:

class { 'postgresql::server':

dss_create_secret_with_generator('https://my-secrets-safe.com', 'passwords/db/pg_user', "my_application", "my_api_key", "postgres-password-generator")
$pg_pass = dss_get_secret('https://my-secrets-safe.com', 'passwords/db/pg_user', "my_application", "my_api_key")
postgresql::server::db { 'new_postgres':
  user     => 'pg_user',
  password => postgresql::postgresql_password('pg_user', $pg_pass),

Save a certificate that is on the file system as a secret in DSS:

dss_create_secret_with_file('https://my-secrets-safe.com', 'certs:mycert', "my_application", "my_api_key", "//etc/ssl/certs/ca.crt")


Common Parameters

Each of the following functions have some common parameters:

host Data type: String Hostname or IP address of Secrets Safe instance
app_name Data type: String Name of Secrets Safe application used to perform this action
api_key Data type: String API key of the Secrets Safe application specified in the app_name parameter
secret_uri Data type: String URI of the secret being operated on
secret_value Data type: String String value of the secret to be stored
generator_name Data type: String Name of the Secrets Safe generator used to generate the value for this secret
file_name Data type: String Path to the file which will be stored as a secret


dss_get_secret(host, secret_uri, app_name, api_key)

Returns the value of a Secrets Safe secret found at secret_uri.

dss_create_secret_with_value (host, secret_uri, app_name, api_key, secret_value)

Creates a secret at secret_uri using the value of secret_value.

dss_create_secret_with_generator(host, secret_uri, app_name, api_key, generator_name)

Creates a secret at secret_uri using the Secrets Safe generator specified in generator_name.

dss_create_secret_with_file(host, secret_uri, app_name, api_key, file_name)

Creates a secret at secret_uri using the file at file_name as the value.