Puppet 7
I have a template:
[nondefault]
aws_secret_access_key = <%= scope().call_function('lookup',
['profile::aws::app_environment::secret_key']) %>
aws_access_key_id = <%= scope().call_function('lookup',
['profile::aws::app_environment::access_key']) %>
I deploy the template like so:
file { 'kms_config.yaml':
  path    => "${homedir}/.aws/credentials",
  content => template('puppet/server/aws_creds.erb'),
  ensure  => file,
  mode    => '0600',
  owner   => 'root'
}
which results in:
# cat .aws/credentials
[nondefault]
aws_secret_access_key = Sensitive [value redacted]
aws_access_key_id = Sensitive [value redacted]
Presumably, this is because $profile::aws::app_environment::secret_key and $profile::aws::app_environment::access_key have data type Sensitive.
My question is, how do I get the actual value, instead of Sensitive [value redacted], in the file?
I haven't used Sensitive much, and I suspect that it was not intended to interact with templates in the way you show, but there are at least three possible solutions:
1. Use Puppet's unwrap function in your template to extract the underlying values from the Sensitive objects; OR
2. Create ordinary (non-parameter*) class variables in profile::aws::app_environment to store the wanted values as plain strings (you might even have such already). Retrieve the values of those instead of the values of the variables you are now referencing. OR
3. Change the data types of $profile::aws::app_environment::secret_key and $profile::aws::app_environment::access_key to String. Note well that this has security implications, but those may be moot under the circumstances because it looks like you'll be recording the cleartext values in a file on the target machine's filesystem.
* You don't want to use class parameters for this because that would defeat the purpose of the existing variables being Sensitive (see option (3)).
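Option (1) as an added example, not code from the question or the answer: an inline ERB template calls unwrap on each Sensitive value, and the rendered text is wrapped in Sensitive again so the file resource redacts it in agent logs and reports. The variable names, key values and /tmp path are constructed stand-ins for the Hiera-backed values on the page.

```puppet
# Constructed stand-ins for the two Sensitive values the question looks up
# (profile::aws::app_environment::secret_key and ::access_key).
$secret_key = Sensitive('EXAMPLE-SECRET-KEY')
$access_key = Sensitive('EXAMPLE-ACCESS-KEY-ID')

# Inside ERB a Sensitive value is a Ruby wrapper object. Interpolating it
# directly prints "Sensitive [value redacted]"; calling .unwrap returns the
# underlying string.
$rendered = inline_template(@(ERB))
  [nondefault]
  aws_secret_access_key = <%= @secret_key.unwrap %>
  aws_access_key_id = <%= @access_key.unwrap %>
  | ERB

# The rendered text is now a plain String holding the secrets. Wrapping it in
# Sensitive() before handing it to the file resource keeps the content out of
# agent logs and reports; show_diff => false also suppresses content diffs.
file { '/tmp/aws_credentials_example':  # hypothetical path for the example
  ensure    => file,
  owner     => 'root',
  mode      => '0600',
  content   => Sensitive($rendered),
  show_diff => false,
}
```

Saved to a file and run with puppet apply as root, this writes the two constructed key values in cleartext to the target file while the run output shows the content as redacted.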