hiera-eyaml-kms's People

Contributors

adenot, joshuaspence, myoung34, schattingh, srv-sectools-s3-ct-obect-acl-fixer

hiera-eyaml-kms's Issues

Cannot encrypt strings larger than 4096 chars

When trying to encrypt a string > 4096 chars long, the engine returns the error:

[hiera-eyaml-core] 1 validation error detected: Value at 'plaintext' failed to satisfy constraint: Member must have length less than or equal to 4096

The restriction is likely from AWS KMS:

"You can encrypt up to 4 kilobytes (4096 bytes) of arbitrary data such as an RSA key, a database password, or other sensitive information. "
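The 4096-byte ceiling is a property of the KMS Encrypt API, and the standard way around it is envelope encryption: KMS issues a data key, the bulk plaintext is encrypted locally with that key, and only the KMS-wrapped copy of the data key travels with the ciphertext. The Ruby below is an added example, not code from hiera-eyaml-kms or from the issue author; `FakeKmsClient` is a constructed stand-in for `Aws::KMS::Client` (it wraps data keys under an in-memory master key so the example runs offline), and the key alias and 10,000-byte secret are constructed sample values.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# KMS Encrypt rejects plaintext above 4096 bytes. Envelope encryption asks
# KMS for a fresh data key (GenerateDataKey), encrypts the bulk plaintext
# locally with it, and stores only the KMS-wrapped copy of the data key.
KMS_MAX_PLAINTEXT = 4096

def direct_kms_encrypt_allowed?(plaintext)
  plaintext.bytesize <= KMS_MAX_PLAINTEXT
end

# AES-256-GCM seal/open; blob layout is iv(12) || tag(16) || ciphertext.
def aes_gcm_seal(key, plaintext, aad)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv
  cipher.auth_data = aad
  ciphertext = cipher.update(plaintext) + cipher.final
  iv + cipher.auth_tag + ciphertext
end

def aes_gcm_open(key, blob, aad)
  iv, tag, ciphertext = blob[0, 12], blob[12, 16], blob[28..-1]
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = aad
  cipher.update(ciphertext) + cipher.final # raises CipherError if tampered
end

# Constructed stand-in for Aws::KMS::Client so the example runs offline: it
# wraps data keys under a random in-memory master key. A real deployment
# calls generate_data_key and decrypt on the SDK client with the same
# keyword arguments.
class FakeKmsClient
  def initialize
    @master_key = OpenSSL::Cipher.new('aes-256-gcm').random_key
  end

  def generate_data_key(key_id:, key_spec: 'AES_256')
    raise ArgumentError, "unsupported key_spec #{key_spec}" unless key_spec == 'AES_256'
    plaintext = SecureRandom.random_bytes(32)
    # The wrapped blob carries the key id so decrypt can report which key
    # produced it, as the real service does from its own ciphertext metadata.
    blob = [key_id.bytesize].pack('n') + key_id + aes_gcm_seal(@master_key, plaintext, key_id)
    { plaintext: plaintext, ciphertext_blob: blob }
  end

  def decrypt(ciphertext_blob:)
    len = ciphertext_blob.unpack1('n')
    key_id = ciphertext_blob[2, len]
    plaintext = aes_gcm_open(@master_key, ciphertext_blob[(2 + len)..-1], key_id)
    { plaintext: plaintext, key_id: key_id }
  end
end

# Encrypt an arbitrarily long plaintext. key_id is bound as AEAD associated
# data, so a ciphertext cannot be silently re-homed under another key.
def envelope_encrypt(kms, key_id, plaintext)
  data_key = kms.generate_data_key(key_id: key_id, key_spec: 'AES_256')
  body = aes_gcm_seal(data_key[:plaintext], plaintext, key_id)
  { wrapped_key: Base64.strict_encode64(data_key[:ciphertext_blob]),
    ciphertext:  Base64.strict_encode64(body) }
end

def envelope_decrypt(kms, key_id, envelope)
  unwrapped = kms.decrypt(ciphertext_blob: Base64.strict_decode64(envelope[:wrapped_key]))
  raise "data key belongs to #{unwrapped[:key_id]}, not #{key_id}" unless unwrapped[:key_id] == key_id
  aes_gcm_open(unwrapped[:plaintext], Base64.strict_decode64(envelope[:ciphertext]), key_id)
end

if $PROGRAM_NAME == __FILE__
  kms = FakeKmsClient.new
  secret = 'x' * 10_000 # constructed: well beyond the 4096-byte direct limit
  puts "direct Encrypt allowed? #{direct_kms_encrypt_allowed?(secret)}"
  env = envelope_encrypt(kms, 'alias/hiera-eyaml-key', secret)
  puts "round trip ok? #{envelope_decrypt(kms, 'alias/hiera-eyaml-key', env) == secret}"
end
```

The data key never leaves the process except in wrapped form, and the GCM tag covers both the ciphertext and the key id, so a modified or mis-keyed envelope fails to decrypt rather than yielding garbage.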

Manual Encryption Works with KMS, but Puppet Runs Fail with Credentials Error

Description

I can manually encrypt strings with eyaml using KMS as a backend, but when puppet runs, it fails with an error.

Here is an example of a working, manual encryption:

[root@redacted]$ eyaml encrypt -n kms -l "manually encrypted" -s "workplz"
[hiera-eyaml-core] Loaded config from /etc/puppetlabs/code/eyaml/config.yaml
manually encrypted: ENC[KMS,AQICAHhkrRxMYwTweduztMFVGJvPNtMGRqUe520ES6xNCH8eMQFNGhsQ40x5a+c/tuq8WtIBAAAAZTBjBgkqhkiG9w0BBwagVjBUAgEAME8GCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMVMs3JBFy+ahr7NoeAgEQgCKx726lcmxigLcaOGpCFGxY2odhV0C02plQjEDErtEAbvff]

OR

manually encrypted: >
    ENC[KMS,AQICAHhkrRxMYwTweduztMFVGJvPNtMGRqUe520ES6xNCH8eMQFNGhsQ40x5
    a+c/tuq8WtIBAAAAZTBjBgkqhkiG9w0BBwagVjBUAgEAME8GCSqGSIb3DQEH
    ATAeBglghkgBZQMEAS4wEQQMVMs3JBFy+ahr7NoeAgEQgCKx726lcmxigLca
    OGpCFGxY2odhV0C02plQjEDErtEAbvff]

However, when I try to run Puppet against that same compile master, it throws an error:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, unable to sign request without credentials set at </path/to/manifest> on node <node_name>

Relevant Configuration

Here are the relevant contents of my hiera.yaml file:

# hiera.yaml Managed by Puppet
version: 5
defaults:
  datadir: ../code/hiera/%{::my_hiera_repo}
  data_hash: yaml_data
hierarchy:

  - name: "environment/hostgroup"
    path: "environments/%{my_env}/%{my_hostgroup}.eyaml"
    lookup_key: eyaml_lookup_key
    options:
     kms_aws_region: 'us-west-2'
     kms_key_id: 'alias/hiera-eyaml-key'
     kms_aws_profile: 'DevOps'

And here is the content of my $EYAML_CONFIG file /etc/puppetlabs/code/hiera.yaml:

---
kms_key_id: 'alias/hiera-eyaml-key'
kms_aws_region: 'us-west-2'
kms_aws_profile: 'DevOps'

This is the section of the IAM policy that enables my hiera-eyaml IAM user to encrypt, decrypt, etc.:

{
    "Sid" : "Allow use of the key",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : [ "arn:aws:iam::<redacted>:role/DevOpsFullAccess", "arn:aws:iam::<redacted>:user/hiera-eyaml" ]
    },
    "Action" : [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ],
    "Resource" : "*"
  }

I have the AWS credentials set in ~/.aws/credentials for the hiera-eyaml user and that key corresponds to a user that has permissions to encrypt and decrypt using the hiera-eyaml-kms key I created in AWS.

I have tried adding the $AWS_ACCESS_KEY_ID and $AWS_SECRET_KEY environment variables to /etc/profile.d so that they are available to puppet, but this does not work either. I noticed that issue #2 was similar, but the solution was not clear.

Please help, and let me know what else I can provide.

MultiFactorAuthentication failed, must provide both MFA serial number and one time pass code

Dear,
I have an AWS role with MFA which is responsible for KMS encryption. I assume the role on the command line and am able to encrypt with the aws kms encrypt command. But when I use eyaml encrypt I get the error:
[hiera-eyaml-core] MultiFactorAuthentication failed, must provide both MFA serial number and one time pass code.

$ eyaml --version
Welcome to eyaml 3.2.0

Usage:
eyaml subcommand [global-opts] [subcommand-opts]

Available subcommands:
        encrypt: encrypt some data
     createkeys: create a set of keys with which to encrypt/decrypt eyaml data
        decrypt: decrypt some data
        version: show version information
        recrypt: recrypt an eyaml file
           edit: edit an eyaml file

For more help on an individual command, use --help on that command

Installed Plugins:
	kms

Please help, how to fix this?

Error: Evaluation Error: Error while evaluating a Function Call, The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.

Hi,

I am trying to use KMS with Hiera 5 but I am getting the following error:

"Error: Evaluation Error: Error while evaluating a Function Call, The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access."

But when I use the eyaml CLI for encryption, it works fine for the same AWS IAM user. So I think it's not the AWS permissions; maybe I am missing some configuration in the hiera.yaml file.
Following is my hiera.yaml:

version: 5
defaults:
  datadir: data
hierarchy:
  -
    lookup_key: eyaml_lookup_key
    name: "Secret data: per-node, per-datacenter, common"
    options:
      encrypt-method: KMS
      kms_key_id: KeyID
      kms_aws_region: aws region
    paths:
      - "nodes/%{trusted.certname}.yaml"
      - "%{::environment}.yaml"
      - "os/%{::osfamily}.yaml"

Thanks

not working with puppet server behind proxy

Huge Thanks for this great utility! It plays very nicely with security compliance for a lot of folks.

Something I've been trying to get working, but with no luck, is running it under Puppet Server (4.10 open source) behind a proxy.
I can use it standalone successfully on the command line while exporting the http_proxy env var (funnily, exporting only https_proxy doesn't work?).
However, under the puppetserver/hiera process the proxy settings aren't getting picked up and I'm not sure where to go to configure it.

The following appears in the puppetserver.log during a puppet agent run that accesses the encrypted hiera key:

2018-07-28 02:52:21,093 ERROR [qtp1808804082-69] [puppetserver] Puppet Server Error: Evaluation Error: Error while evaluating a Function Call, execution expired at /etc/puppetlabs/code/environments/master/modules/profile/manifests/splunk/core.pp:15:3 on node i-0a43659759f6d15cd.company.local
org/jruby/ext/socket/RubyTCPSocket.java:111:in 'initialize'
org/jruby/RubyIO.java:1197:in 'open'
/opt/puppetlabs/server/apps/puppetserver/puppet-server-release.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:763:in 'connect'
org/jruby/ext/timeout/Timeout.java:115:in 'timeout'
/opt/puppetlabs/server/apps/puppetserver/puppet-server-release.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:763:in 'connect'
/opt/puppetlabs/server/apps/puppetserver/puppet-server-release.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:756:in 'do_start'
/opt/puppetlabs/server/apps/puppetserver/puppet-server-release.jar!/META-INF/jruby.home/lib/ruby/1.9/net/http.rb:751:in 'start'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/seahorse/client/net_http/connection_pool.rb:297:in 'start_session'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/seahorse/client/net_http/connection_pool.rb:96:in 'session_for'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/seahorse/client/net_http/handler.rb:121:in 'session'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/seahorse/client/net_http/handler.rb:73:in 'transmit'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/seahorse/client/net_http/handler.rb:47:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/seahorse/client/plugins/content_length.rb:12:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/json/error_handler.rb:8:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/signature_v4.rb:66:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/helpful_socket_errors.rb:10:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/retry_errors.rb:138:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/retry_errors.rb:169:in 'retry_request'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/retry_errors.rb:152:in 'retry_if_possible'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/retry_errors.rb:140:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/retry_errors.rb:169:in 'retry_request'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/retry_errors.rb:152:in 'retry_if_possible'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/retry_errors.rb:140:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/retry_errors.rb:169:in 'retry_request'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/retry_errors.rb:152:in 'retry_if_possible'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/retry_errors.rb:140:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/json/handler.rb:11:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/user_agent.rb:13:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/seahorse/client/plugins/endpoint.rb:45:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/param_validator.rb:24:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/seahorse/client/plugins/raise_response_errors.rb:14:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:20:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/idempotency_token.rb:17:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/param_converter.rb:24:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/aws-sdk-core/plugins/response_paging.rb:10:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/seahorse/client/plugins/response_target.rb:23:in 'call'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-core-3.22.1/lib/seahorse/client/request.rb:70:in 'send_request'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/aws-sdk-kms-1.6.0/lib/aws-sdk-kms/client.rb:734:in 'decrypt'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/hiera-eyaml-kms-0.2/lib/hiera/backend/eyaml/encryptors/kms.rb:57:in 'decrypt'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb:15:in 'encrypted_value'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb:80:in 'create_enc_token'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb:100:in 'create_token'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb:90:in 'create_token'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/parser.rb:71:in 'parse_scanner'
/opt/puppetlabs/server/data/puppetserver/jruby-gems/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/parser.rb:36:in 'parse'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/loader/../../../puppet/functions/eyaml_lookup_key.rb:81:in 'decrypt'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/loader/../../../puppet/functions/eyaml_lookup_key.rb:67:in 'decrypt_value'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/loader/../../../puppet/functions/eyaml_lookup_key.rb:42:in 'eyaml_lookup_key'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/functions/dispatch.rb:60:in 'invoke'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/functions/dispatcher.rb:43:in 'dispatch'
org/jruby/RubyKernel.java:1242:in 'catch'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/functions/dispatcher.rb:42:in 'dispatch'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/functions/function.rb:46:in 'call'
org/jruby/RubyKernel.java:1242:in 'catch'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/functions/function.rb:45:in 'call'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/lookup_key_function_provider.rb:53:in 'lookup_key'
org/jruby/RubyKernel.java:1242:in 'catch'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/lookup_key_function_provider.rb:50:in 'lookup_key'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/lookup_key_function_provider.rb:31:in 'invoke_with_location'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/invocation.rb:123:in 'with'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/lookup_key_function_provider.rb:30:in 'invoke_with_location'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/lookup_key_function_provider.rb:20:in 'unchecked_key_lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/merge_strategy.rb:129:in 'lookup'
org/jruby/RubyKernel.java:1242:in 'catch'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/merge_strategy.rb:128:in 'lookup'
org/jruby/RubyArray.java:1613:in 'each'
org/jruby/RubyEnumerable.java:852:in 'inject'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/merge_strategy.rb:126:in 'lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/invocation.rb:123:in 'with'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/merge_strategy.rb:125:in 'lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/lookup_key_function_provider.rb:19:in 'unchecked_key_lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/invocation.rb:123:in 'with'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/lookup_key_function_provider.rb:18:in 'unchecked_key_lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/lookup_key_function_provider.rb:77:in 'unchecked_key_lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/configured_data_provider.rb:56:in 'unchecked_key_lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/merge_strategy.rb:129:in 'lookup'
org/jruby/RubyKernel.java:1242:in 'catch'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/merge_strategy.rb:128:in 'lookup'
org/jruby/RubyArray.java:1613:in 'each'
org/jruby/RubyEnumerable.java:852:in 'inject'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/merge_strategy.rb:126:in 'lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/invocation.rb:123:in 'with'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/merge_strategy.rb:125:in 'lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/configured_data_provider.rb:55:in 'unchecked_key_lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/invocation.rb:123:in 'with'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/configured_data_provider.rb:48:in 'unchecked_key_lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/global_data_provider.rb:39:in 'unchecked_key_lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/data_provider.rb:41:in 'key_lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/invocation.rb:80:in 'check'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/data_provider.rb:41:in 'key_lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/lookup_adapter.rb:76:in 'lookup_global'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/lookup_adapter.rb:272:in 'do_lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/lookup_adapter.rb:62:in 'lookup'
org/jruby/RubyKernel.java:1242:in 'catch'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/lookup_adapter.rb:62:in 'lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/invocation.rb:123:in 'with'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/lookup_adapter.rb:61:in 'lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/invocation.rb:65:in 'lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/lookup_adapter.rb:50:in 'lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup.rb:76:in 'search_and_merge'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup.rb:31:in 'lookup'
org/jruby/RubyKernel.java:1242:in 'catch'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup.rb:31:in 'lookup'
org/jruby/RubyArray.java:1613:in 'each'
org/jruby/RubyEnumerable.java:852:in 'inject'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup.rb:29:in 'lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/interpolation.rb:81:in 'interpolate_method'
org/jruby/RubyProc.java:281:in 'call'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/interpolation.rb:59:in 'interpolate_string'
org/jruby/RubyString.java:3064:in 'gsub'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/interpolation.rb:48:in 'interpolate_string'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/invocation.rb:123:in 'with'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/interpolation.rb:47:in 'interpolate_string'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/interpolation.rb:19:in 'interpolate'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/data_hash_function_provider.rb:65:in 'data_value'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/data_hash_function_provider.rb:51:in 'lookup_key'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/data_hash_function_provider.rb:41:in 'invoke_with_location'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/invocation.rb:123:in 'with'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/data_hash_function_provider.rb:39:in 'invoke_with_location'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/lookup/data_hash_function_provider.rb:28:in 'unchecked_key_lookup'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/merge_strategy.rb:129:in 'lookup'
org/jruby/RubyKernel.java:1242:in 'catch'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/pops/merge_strategy.rb:128:in 'lookup'
org/jruby/RubyArray.java:1613:in 'each'
org/jruby/RubyEnumerable.java:852:in 'inject'

From monitoring network calls, I can see that it is trying to hit the API's public IP directly.

I've tried the following:

  • updating puppetlabs_aws_configuration_ini
  • updating proxy settings in puppet.conf,
  • exporting the env vars /etc/sysconfig/puppet
  • adding -Dhttp.proxy* flags to the JVM startup command in /etc/sysconfig/puppetserver

Note that I am adding http & https settings in each of the above cases, and noproxy (for IAM instance profile creds) for the last 2 cases.
But none are working. If anyone has got this working behind a proxy and can share any advice, it would be greatly appreciated.

Thanks again.
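Ruby's `Net::HTTP`, when told to take its proxy from the environment, defers to `URI#find_proxy`, which reads `http_proxy`/`https_proxy` by the scheme of the endpoint being contacted and then applies `no_proxy`; the AWS SDK clients separately accept an explicit `:http_proxy` option. The pre-flight below is an added example, not the plugin's or the poster's code: it reports what the standard-library rule selects for the two endpoints a KMS-backed lookup touches (the regional KMS API and the instance-metadata address used for instance-profile credentials) under a given environment hash. The endpoint URLs, proxy address and env hashes are constructed sample values.

```ruby
require 'uri'
require 'socket'

# Endpoints a KMS-backed lookup contacts: the regional API (TLS) and, when
# instance-profile credentials are in play, the metadata service (plain HTTP).
KMS_ENDPOINT  = 'https://kms.us-west-2.amazonaws.com/'
IMDS_ENDPOINT = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/'

# For each endpoint, the proxy URI#find_proxy would choose from `env`
# (a Hash standing in for ENV), or :direct when none applies.
def proxy_plan(env, endpoints = [KMS_ENDPOINT, IMDS_ENDPOINT])
  endpoints.each_with_object({}) do |url, plan|
    proxy = URI(url).find_proxy(env)
    plan[url] = proxy ? proxy.to_s : :direct
  end
end

# Flags the two gaps that typically produce "execution expired" against the
# KMS API or hanging metadata lookups: https_proxy missing (the KMS endpoint
# is https, so http_proxy alone does not cover it) and no no_proxy exemption
# for the metadata address.
def proxy_warnings(env)
  warnings = []
  unless env['https_proxy'] || env['HTTPS_PROXY']
    warnings << 'https_proxy unset: TLS endpoints such as KMS go direct'
  end
  no_proxy = env['no_proxy'] || env['NO_PROXY'] || ''
  if env['http_proxy'] && !no_proxy.include?('169.254.169.254')
    warnings << 'no_proxy lacks 169.254.169.254: instance-profile credential lookups would be proxied'
  end
  warnings
end

if $PROGRAM_NAME == __FILE__
  env = { 'http_proxy'  => 'http://proxy.corp.example:3128',   # constructed
          'https_proxy' => 'http://proxy.corp.example:3128',
          'no_proxy'    => '169.254.169.254,localhost' }
  proxy_plan(env).each { |url, via| puts "#{url} -> #{via}" }
  puts proxy_warnings('http_proxy' => 'http://proxy.corp.example:3128')
end
```

Run it with the environment the service process actually has (for puppetserver that is whatever the JVM was started with, not an interactive shell's exports), since the selection is made per process from its own environment.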

Special characters %% decrypting to only one %

Hi Team,

We use AWS KMS(Python) to encrypt the password and this library to decrypt the password.

When we try to decrypt the password, one special character (%) is missing from the password.

As shown in the example below; could you please check?

Actual password = abc7Kq3&o&uz%%fI&2xyz
Decrypted password = abc7Kq3&o&uz%fI&2xyz

We use Python to encrypt and decrypt, which is working fine.
Here are the two Python functions to encrypt and decrypt:

import base64

import boto3  # third-party; supplies the KMS client used below


class KmsPasswordCodec:
    # The poster's two methods, re-indented. The client helper was not part of
    # the report; a plain boto3 KMS client is assumed here.
    def __kms_client(self):
        return boto3.client('kms')

    def encrypt(self, key_alias, value):
        kms_client = self.__kms_client()

        # KMS Encrypt returns the raw ciphertext blob; base64 it for storage.
        response = kms_client.encrypt(
            KeyId=key_alias,
            Plaintext=str.encode(value),
        )
        return base64.b64encode(response['CiphertextBlob']).decode('utf-8')

    def decrypt(self, encrypted_key: str) -> str:
        kms_client = self.__kms_client()
        base64_encrypted_key = base64.b64decode(encrypted_key)
        decrypted_value: str = kms_client.decrypt(CiphertextBlob=base64_encrypted_key).get('Plaintext').decode('utf-8')
        return decrypted_value

Regards
Abdul Mateen

Error when trying to use KMS encryption method

Error: Evaluation Error: Error while evaluating a Function Call, missing region; use :region option or export region name to ENV['AWS_REGION']

I have kms_aws_region: 'us-west-2' in /etc/eyaml/config.yaml and it works just fine. I've also tried adding both "region" and "aws_region" to the default hiera.yaml under the options field. The eyaml commandline tool works without error, only puppetserver fails.

I also updated the kms.rb file on disk with the most recent GitHub files, with no change.

Error when trying to decrypt message

How do I provide credentials to decrypt a message?

When I encrypt, I can provide them on the command line:

AWS_ACCESS_KEY_ID=REDACTED AWS_SECRET_ACCESS_KEY=REDACTED /opt/puppetlabs/puppet/bin/eyaml encrypt -l 'message' -s 'hello there'
[hiera-eyaml-core] Loaded config from /etc/eyaml/config.yaml
message: ENC[KMS,AQECAHj3yIvGBIAsLWZnpwx/lseeWRWW1gf52/S4+h2vKOig6wAAAGkwZwYJKoZIhvcNAQcGoFowWAIBADBTBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDDzD+gXEbccCezPnCgIBEIAmpbU8o4fDPxUCOQ/avY+uwoH+zLSsLh2bqUnvf3uImw8OxRhTKWY=]

OR

message: >
    ENC[KMS,AQECAHj3yIvGBIAsLWZnpwx/lseeWRWW1gf52/S4+h2vKOig6wAAAGkwZwYJ
    KoZIhvcNAQcGoFowWAIBADBTBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEE
    DDzD+gXEbccCezPnCgIBEIAmpbU8o4fDPxUCOQ/avY+uwoH+zLSsLh2bqUnv
    f3uImw8OxRhTKWY=]

But this doesn't work (nor is it practical) for agent runs.

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Evaluation Error: Error while evaluating a Function Call, unable to sign request without credentials set at /etc/puppetlabs/code/environments/production/site/profile/manifests/eyaml_notify.pp:2:20 on node pe-201621-master.puppetdebug.vlan
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
class profile::eyaml_notify {
  $eyaml_message = hiera('encrypted_message', 'Eyaml not setup yet')

  notify{$eyaml_message:}
}

---
encrypt_method: 'KMS'
kms_key_id: REDACTED
kms_aws_region: 'eu-west-1'
# managed by puppet

---
:backends:
  - yaml
  - eyaml

:logger: console

:hierarchy:
  - common
  - eyaml_common

:eyaml:
  :datadir: /etc/puppetlabs/code/environments/%{environment}/hieradata
  :encrypt_method: 'KMS'
  :kms_key_id: REDACTED
  :kms_aws_region: 'eu-west-1'

:yaml:
  :datadir: /etc/puppetlabs/code/environments/%{environment}/hieradata

New gem release

With the latest merge of #14 is it possible to get a 0.3 release out to rubygems.org?

Thanks

Requires json gem 1.8.1

Installing on Windows Server 2012R2 for a masterless Puppet setup, Puppet v3.8.6.
Hiera and Eyaml-Hiera are working as expected.

Getting the error:

puppet : WARNING: jmespath gem requires json gem >= 1.8.1; json 1.7.7 already loaded

Trying to install the 1.8.3 json gem gets:

Fetching: json-1.8.3.gem (100%)
ERROR: Error installing json:
The 'json' native gem requires installed build tools.

Please update your PATH to include build tools or download the DevKit
from 'http://rubyinstaller.org/downloads' and follow the instructions
at 'http://github.com/oneclick/rubyinstaller/wiki/Development-Kit'

The Windows Puppet agent only has the 1.7.7 json gem.

I'm new to Ruby & Gems, and trying to install the Ruby DevKit/Build Tools. I know this is Windows but any other ideas for a workaround?

Works great on my 'Nix systems by the way.
