Secrets

Idem secrets management leverages the Vault secrets management system.

Connect to Vault

You can store credentials to connect to Vault in the encrypted credentials.yaml file used for Idem authentication. To connect, the credential profile must include at least the address and token.

vault:
  idem_vault:
    address: https://vault.example.com:8200/
    token: alphanumeric_token
    version: v2

Reference an existing secret

To include a secret value in an Idem SLS file without exposing the value, use the following example as a guideline.

Add code similar to the following to your SLS file. Vault versions v1 and v2 (the default) are supported. The example shows how to access the secret value stored under key name pwd at file path /credential

my-secret:
vault.secrets.kv_v2.secret.search:
  filepath: /credential
  pwd:
  test.succeed_with_comment:
  comment: ${vault.secrets.kv_v2.secret:my-secret:data:pwd}

By making an argument binding to my-secret, the secret value can then be used within a resource in the SLS file.

Secret values can also be part of the idem state command --params option as shown in the following example.

idem state --param-sources "vault://vault_test@vault.example.com:8200" "file://path-to-file/params.sls" --params /path-to-token/token /path-to-file/my_state.sls

Where --param-sources is a list that can take different sources of format protocol://account_profile@url:port

Create a new secret

To create a new secret, add code similar to the following to your SLS file.

new-secret:
vault.secrets.kv_v2.secret.present:
  path: /idem/test
  data: {"key1":"value1", "key2":"value2"}