adenot / hiera-eyaml-kms
License: MIT License
When trying to encrypt a string > 4096 chars long, the engine returns the error:
[hiera-eyaml-core] 1 validation error detected: Value at 'plaintext' failed to satisfy constraint: Member must have length less than or equal to 4096
The restriction is likely from AWS KMS
"You can encrypt up to 4 kilobytes (4096 bytes) of arbitrary data such as an RSA key, a database password, or other sensitive information. "
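The limit quoted above is on the bytes (not characters) handed to kms:Encrypt; the usual way past it is envelope encryption, where KMS only ever encrypts a 32-byte data key and the secret itself is encrypted locally. The following is an added example, not code from this issue or from the hiera-eyaml-kms gem: FakeKmsClient is a constructed offline stand-in for Aws::KMS::Client (it returns Hashes where the real client returns response structs), and the record format produced by Envelope is this example's own.

```ruby
require 'openssl'
require 'securerandom'

# Limit quoted in the error above: kms:Encrypt takes at most 4096 BYTES of plaintext.
KMS_MAX_PLAINTEXT = 4096

# AES-256-GCM helpers. Blob layout: iv (12 bytes) || tag (16 bytes) || ciphertext.
def gcm_seal(key, plaintext)
  raise ArgumentError, 'empty plaintext' if plaintext.empty?
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  iv = c.random_iv
  ct = c.update(plaintext) + c.final
  iv + c.auth_tag + ct
end

def gcm_open(key, blob)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = blob.byteslice(0, 12)
  c.auth_tag = blob.byteslice(12, 16)
  c.update(blob.byteslice(28..-1)) + c.final # CipherError if the blob was altered
end

# Constructed offline stand-in for Aws::KMS::Client (assumption: same three calls,
# but it returns Hashes where the real client returns response structs).
class FakeKmsClient
  def initialize
    @cmk = SecureRandom.random_bytes(32) # key material that never leaves "KMS"
  end

  # Reproduces the validation error from the issue for oversized input.
  def encrypt(key_id:, plaintext:)
    if plaintext.bytesize > KMS_MAX_PLAINTEXT
      raise ArgumentError, "Value at 'plaintext' failed to satisfy constraint: " \
                           "Member must have length less than or equal to #{KMS_MAX_PLAINTEXT}"
    end
    { key_id: key_id, ciphertext_blob: gcm_seal(@cmk, plaintext) }
  end

  def generate_data_key(key_id:, key_spec: 'AES_256')
    dk = SecureRandom.random_bytes(32)
    { key_id: key_id, plaintext: dk, ciphertext_blob: gcm_seal(@cmk, dk) }
  end

  def decrypt(ciphertext_blob:)
    { plaintext: gcm_open(@cmk, ciphertext_blob) }
  end
end

# Envelope encryption: values within the limit go straight to kms:Encrypt; anything
# larger gets a fresh data key (kms:GenerateDataKey) and is encrypted locally, so
# KMS only ever sees the 32-byte key. The record format is this example's own.
module Envelope
  module_function

  def encrypt(kms, key_id, plaintext)
    if plaintext.bytesize <= KMS_MAX_PLAINTEXT
      r = kms.encrypt(key_id: key_id, plaintext: plaintext)
      { mode: :direct, blob: r[:ciphertext_blob] }
    else
      dk = kms.generate_data_key(key_id: key_id, key_spec: 'AES_256')
      { mode: :envelope, wrapped_key: dk[:ciphertext_blob], blob: gcm_seal(dk[:plaintext], plaintext) }
    end
  end

  def decrypt(kms, record)
    case record[:mode]
    when :direct   then kms.decrypt(ciphertext_blob: record[:blob])[:plaintext]
    when :envelope then gcm_open(kms.decrypt(ciphertext_blob: record[:wrapped_key])[:plaintext], record[:blob])
    else raise ArgumentError, "unknown mode #{record[:mode].inspect}"
    end
  end
end
```

Decrypted values come back as binary strings; compare against `secret.b` or re-tag the encoding before treating them as text.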
I can manually encrypt strings with eyaml using KMS as a backend, but when puppet runs, it fails with an error.
Here is an example of a working, manual encryption:
[root@redacted]$ eyaml encrypt -n kms -l "manually encrypted" -s "workplz"
[hiera-eyaml-core] Loaded config from /etc/puppetlabs/code/eyaml/config.yaml
manually encrypted: ENC[KMS,AQICAHhkrRxMYwTweduztMFVGJvPNtMGRqUe520ES6xNCH8eMQFNGhsQ40x5a+c/tuq8WtIBAAAAZTBjBgkqhkiG9w0BBwagVjBUAgEAME8GCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMVMs3JBFy+ahr7NoeAgEQgCKx726lcmxigLcaOGpCFGxY2odhV0C02plQjEDErtEAbvff]
OR
manually encrypted: >
ENC[KMS,AQICAHhkrRxMYwTweduztMFVGJvPNtMGRqUe520ES6xNCH8eMQFNGhsQ40x5
a+c/tuq8WtIBAAAAZTBjBgkqhkiG9w0BBwagVjBUAgEAME8GCSqGSIb3DQEH
ATAeBglghkgBZQMEAS4wEQQMVMs3JBFy+ahr7NoeAgEQgCKx726lcmxigLca
OGpCFGxY2odhV0C02plQjEDErtEAbvff]
However, when I try to run Puppet against that same compile master, it throws an error:
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, unable to sign request without credentials set at </path/to/manifest> on node <node_name>
Here are the relevant contents of my hiera.yaml file:
# hiera.yaml Managed by Puppet
version: 5
defaults:
  datadir: ../code/hiera/%{::my_hiera_repo}
  data_hash: yaml_data
hierarchy:
  - name: "environment/hostgroup"
    path: "environments/%{my_env}/%{my_hostgroup}.eyaml"
    lookup_key: eyaml_lookup_key
    options:
      kms_aws_region: 'us-west-2'
      kms_key_id: 'alias/hiera-eyaml-key'
      kms_aws_profile: 'DevOps'
And here is the content of my $EYAML_CONFIG file /etc/puppetlabs/code/hiera.yaml:
---
kms_key_id: 'alias/hiera-eyaml-key'
kms_aws_region: 'us-west-2'
kms_aws_profile: 'DevOps'
This is the section of the IAM policy that enables my hiera-eyaml
IAM user to encrypt, decrypt, etc.:
{
  "Sid" : "Allow use of the key",
  "Effect" : "Allow",
  "Principal" : {
    "AWS" : [ "arn:aws:iam::<redacted>:role/DevOpsFullAccess", "arn:aws:iam::<redacted>:user/hiera-eyaml" ]
  },
  "Action" : [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ],
  "Resource" : "*"
}
I have the AWS credentials set in ~/.aws/credentials for the hiera-eyaml user, and that key corresponds to a user that has permissions to encrypt and decrypt using the hiera-eyaml-kms key I created in AWS.
I have tried adding the $AWS_ACCESS_KEY_ID and $AWS_SECRET_KEY environment variables to /etc/profile.d so that they are available to puppet, but this does not work either. I noticed that issue #2 was similar, but the solution was not clear.
Please help, and let me know what else I can provide.
Dear,
I have an AWS role with MFA which is responsible for KMS encrypt. I am assuming the role in the command and am able to encrypt with the aws kms encrypt command. But when I am using eyaml encrypt I get the error:
[hiera-eyaml-core] MultiFactorAuthentication failed, must provide both MFA serial number and one time pass code.
$ eyaml --version
Welcome to eyaml 3.2.0
Usage:
eyaml subcommand [global-opts] [subcommand-opts]
Available subcommands:
encrypt: encrypt some data
createkeys: create a set of keys with which to encrypt/decrypt eyaml data
decrypt: decrypt some data
version: show version information
recrypt: recrypt an eyaml file
edit: edit an eyaml file
For more help on an individual command, use --help on that command
Installed Plugins:
kms
Please help, how to fix this?
added-kms-aws-profile-option.patch.txt
Patch to add the option to change the AWS profile in the command - handy when working with multiple accounts.
Hi,
I am trying to use KMS with Hiera 5 but am getting the following error:
"Error: Evaluation Error: Error while evaluating a Function Call, The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access."
But when I used the eyaml cli for encryption, it works fine for the same AWS IAM user. So I think it's not the AWS permission. Maybe I am missing some configuration in the hiera yaml file.
Following is my hiera.yaml :
version: 5
defaults:
  datadir: data
hierarchy:
  - lookup_key: eyaml_lookup_key
    name: "Secret data: per-node, per-datacenter, common"
    options:
      encrypt-method: KMS
      kms_key_id: KeyID
      kms_aws_region: aws region
    paths:
      - "nodes/%{trusted.certname}.yaml"
      - "%{::environment}.yaml"
      - "os/%{::osfamily}.yaml"
Thanks
Huge Thanks for this great utility! It plays very nicely with security compliance for a lot of folks.
Something I've been trying to get working, but with no luck, is running it under Puppet server (4.10 open source) behind a proxy.
I can use it standalone successfully on the cmd while exporting the http_proxy env var (funnily exporting only https_proxy doesn't work?).
However under the puppetserver/hiera process the proxy settings aren't getting picked up and I'm not sure where to go to configure it.
The following appears in the puppetserver.log during a puppet agent run that accesses the encrypted hiera key:
2018-07-28 02:52:21,093 ERROR [qtp1808804082-69] [puppetserver] Puppet Server Error: Evaluation Error: Error while evaluating a Function Call, execution expired at /etc/puppetlabs/code/environments/master/modules/profile/manifests/splunk/core.pp:15:3 on node i-0a43659759f6d15cd.company.local
org/jruby/ext/socket/RubyTCPSocket.java:111:in 'initialize'
org/jruby/RubyIO.java:1197:in 'open'
/opt/puppetlabs/server/apps/puppetserver/puppet-server-release.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:763:in 'connect'
org/jruby/ext/timeout/Timeout.java:115:in 'timeout'
/opt/puppetlabs/server/apps/puppetserver/puppet-server-release.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:763:in 'connect'
/opt/puppetlabs/server/apps/puppetserver/puppet-server-release.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:756:in 'do_start'
/opt/puppetlabs/server/apps/puppetserver/puppet-server-release.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:751:in 'start'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/seahorse/client/net_http/connection_pool.rb:297:in 'start_session'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/seahorse/client/net_http/connection_pool.rb:96:in 'session_for'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/seahorse/client/net_http/handler.rb:121:in 'session'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/seahorse/client/net_http/handler.rb:73:in 'transmit'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/seahorse/client/net_http/handler.rb:47:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/seahorse/client/plugins/content_length.rb:12:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/json/error_handler.rb:8:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/signature_v4.rb:66:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/helpful_socket_errors.rb:10:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/retry_errors.rb:138:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/retry_errors.rb:169:in 'retry_request'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/retry_errors.rb:152:in 'retry_if_possible'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/retry_errors.rb:140:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/retry_errors.rb:169:in 'retry_request'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/retry_errors.rb:152:in 'retry_if_possible'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/retry_errors.rb:140:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/retry_errors.rb:169:in 'retry_request'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/retry_errors.rb:152:in 'retry_if_possible'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/retry_errors.rb:140:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/json/handler.rb:11:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/user_agent.rb:13:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/seahorse/client/plugins/endpoint.rb:45:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/param_validator.rb:24:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/seahorse/client/plugins/raise_response_errors.rb:14:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:20:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/idempotency_token.rb:17:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/param_converter.rb:24:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/response_paging.rb:10:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/seahorse/client/plugins/response_target.rb:23:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/seahorse/client/request.rb:70:in 'send_request'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-kms-1.6.0/lib/aws-sdk-kms/client.rb:734:in 'decrypt'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/hiera-eyaml-kms-0.2/lib/hiera/backend/eyaml/encryptors/kms.rb:57:in 'decrypt'
From monitoring network calls, I can see that it is trying to hit the API's public IP directly.
I've tried the following:
Note that I am adding http & https settings in each of the above cases, and noproxy (for IAM instance profile creds) for the last 2 cases.
But none are working. If anyone has got this working behind a proxy and can share any advice, it would be greatly appreciated.
Thanks again.
hiera-eyaml-kms on RubyGems hasn't been updated since August 2015. Is there any chance of publishing a new version of this gem to RubyGems?
Hi Team,
We use AWS KMS (Python) to encrypt the password and this library to decrypt the password.
When we try to decrypt the password, one special character (%) is missing from the password.
As shown in the example below; could you please check:
Actual password = abc7Kq3&o&uz%%fI&2xyz
Decrypted password = abc7Kq3&o&uz%fI&2xyz
We use Python to encrypt and decrypt, which is working fine.
Here are the two python functions to encrypt and decrypt.
import base64

import boto3


class KmsSecret:  # enclosing class name not given in the post; chosen here for completeness
    def __kms_client(self):
        # Region and credentials come from the standard boto3 configuration chain.
        return boto3.client('kms')

    def encrypt(self, key_alias, value):
        kms_client = self.__kms_client()
        response = kms_client.encrypt(
            KeyId=key_alias,
            Plaintext=str.encode(value),
        )
        return base64.b64encode(response['CiphertextBlob']).decode('utf-8')

    def decrypt(self, encrypted_key: str) -> str:
        kms_client = self.__kms_client()
        base64_encrypted_key = base64.b64decode(encrypted_key)
        decrypted_value: str = kms_client.decrypt(CiphertextBlob=base64_encrypted_key).get('Plaintext').decode('utf-8')
        return decrypted_value
Regards
Abdul Mateen
Error: Evaluation Error: Error while evaluating a Function Call, missing region; use :region option or export region name to ENV['AWS_REGION']
I have kms_aws_region: 'us-west-2' in /etc/eyaml/config.yaml and it works just fine. I've also tried adding both "region" and "aws_region" to the default hiera.yaml under the options field. The eyaml commandline tool works without error, only puppetserver fails.
I also updated the kms.rb file on disk with the most recent github files to no change.
How do I provide credentials to decrypt a message?
When I encrypt, I can provide them on the command line:
AWS_ACCESS_KEY_ID=REDACTED AWS_SECRET_ACCESS_KEY=REDACTED /opt/puppetlabs/puppet/bin/eyaml encrypt -l 'message' -s 'hello there'
[hiera-eyaml-core] Loaded config from /etc/eyaml/config.yaml
message: ENC[KMS,AQECAHj3yIvGBIAsLWZnpwx/lseeWRWW1gf52/S4+h2vKOig6wAAAGkwZwYJKoZIhvcNAQcGoFowWAIBADBTBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDDzD+gXEbccCezPnCgIBEIAmpbU8o4fDPxUCOQ/avY+uwoH+zLSsLh2bqUnvf3uImw8OxRhTKWY=]
OR
message: >
ENC[KMS,AQECAHj3yIvGBIAsLWZnpwx/lseeWRWW1gf52/S4+h2vKOig6wAAAGkwZwYJ
KoZIhvcNAQcGoFowWAIBADBTBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEE
DDzD+gXEbccCezPnCgIBEIAmpbU8o4fDPxUCOQ/avY+uwoH+zLSsLh2bqUnv
f3uImw8OxRhTKWY=]
But this doesn't work (nor is practical) for agent runs.
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Evaluation Error: Error while evaluating a Function Call, unable to sign request without credentials set at /etc/puppetlabs/code/environments/production/site/profile/manifests/eyaml_notify.pp:2:20 on node pe-201621-master.puppetdebug.vlan
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
class profile::eyaml_notify {
  $eyaml_message = hiera('encrypted_message', 'Eyaml not setup yet')
  notify{$eyaml_message:}
}
---
encrypt_method: 'KMS'
kms_key_id: REDACTED
kms_aws_region: 'eu-west-1'
# managed by puppet
---
:backends:
  - yaml
  - eyaml
:logger: console
:hierarchy:
  - common
  - eyaml_common
:eyaml:
  :datadir: /etc/puppetlabs/code/environments/%{environment}/hieradata
  :encrypt_method: 'KMS'
  :kms_key_id: REDACTED
  :kms_aws_region: 'eu-west-1'
:yaml:
  :datadir: /etc/puppetlabs/code/environments/%{environment}/hieradata
With the latest merge of #14 is it possible to get a 0.3 release out to rubygems.org?
Thanks
Installing on Windows Server 2012R2 for a masterless Puppet setup. Puppet v3.8.6.
Hiera, Eyaml-Hiera are working as expected.
Getting the error:
puppet : WARNING: jmespath gem requires json gem >= 1.8.1; json 1.7.7 already loaded
Trying to install the 1.8.3 json gem gets:
Fetching: json-1.8.3.gem (100%)
ERROR: Error installing json:
The 'json' native gem requires installed build tools. Please update your PATH to include build tools or download the DevKit
from 'http://rubyinstaller.org/downloads' and follow the instructions
at 'http://github.com/oneclick/rubyinstaller/wiki/Development-Kit'
The Windows Puppet agent only has the 1.7.7 json gem.
I'm new to Ruby & Gems, and trying to install the Ruby DevKit/Build Tools. I know this is Windows but any other ideas for a workaround?
Works great on my 'Nix systems by the way.