Pass Renderer for Salt

pass (https://www.passwordstore.org/) is an encrypted on-disk password store: each entry is a file encrypted with gpg to one or more public keys, usually kept in a git repository.

New in version 2017.7.0.


Note: <user> needs to be replaced with the user salt-master will be running as.

Have the private gpg key loaded into that user's gpg keyring. The state ID is load_private_gpg_key (the git state below requires it) and it is a cmd state. The unless guard tests for the secret key with --list-secret-keys rather than --list-keys: --list-keys only lists the public keyring, so with it the import would be skipped whenever just the public half is present, and pass could not decrypt anything.

    load_private_gpg_key:
      cmd.run:
        - name: gpg --import <location_of_private_gpg_key>
        - unless: gpg --list-secret-keys '<gpg_name>'

The pass entries that are to be used as pillar data must have been encrypted to the public half of that key, i.e. its key id has to be listed in the store's .gpg-id file for those entries; an entry encrypted to a different key fails to decrypt on the master.

Fetch and keep the local pass git repo up to date. The target has to be the directory pass will read: the master user's ~/.password-store by default, or whatever pass_dir is set to in the master configuration.

    update_pass:
      git.latest:
        - force_reset: True
        - name: <git_repo>
        - target: /<user>/.password-store
        - identity: <location_of_ssh_private_key>
        - require:
          - cmd: load_private_gpg_key

Install the pass binary. The renderer shells out to pass, so it must be on the PATH of the salt-master process.

    pass:
      pkg.installed

Salt master configuration options

    # If the prefix is *not* set (default behavior), every string in the
    # rendered data is handed to `pass show`. Strings that cannot be resolved
    # to a secret are passed through unchanged (a warning is logged).
    #
    # If the prefix is set, only the strings that start with it are looked up
    # (the prefix is removed before the lookup); all other strings are passed
    # through untouched.
    #
    # For ease of use it is recommended to set the following options as well:
    #       renderer: 'jinja|yaml|pass'
    #       pass_strict_fetch: true
    #
    pass_variable_prefix: 'pass:'

    # If set to 'true', error out (the render fails) when a secret cannot be
    # fetched for a template variable. Defaults to: false
    # Without a prefix this turns every plain string that is not a pass path
    # into a hard error, so only combine it with pass_variable_prefix.
    pass_strict_fetch: true

    # Set GNUPGHOME env for Pass (the keyring holding the private key).
    # Defaults to: ~/.gnupg of the user salt-master runs as
    pass_gnupghome: <path>

    # Set PASSWORD_STORE_DIR env for Pass (the checkout of the pass repo).
    # Defaults to: ~/.password-store of the user salt-master runs as
    pass_dir: <path>
salt.renderers.pass.render(pass_info, saltenv='base', sls='', argline='', **kwargs)

Fetch secrets from pass for the pass paths found in pass_info. pass_info is the data structure handed over by the preceding renderer in the pipeline (with renderer: 'jinja|yaml|pass', the dict the yaml renderer produced). It is walked recursively through dicts and lists, and every string that qualifies under pass_variable_prefix is replaced by the output of `pass show <pass_path>`; strings that cannot be fetched are passed through or raise an error depending on pass_strict_fetch. The renderer raises an error if the pass executable cannot be found.
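The resolution rules described by the options above (prefix matching, pass-through of unmatched strings, strict fetch) and the recursive walk that render performs, as an added Python model written for this page; it is not Salt's own renderer code. The fake store, the pillar data and the PassFetchError class are constructed for the demo. pass_show shows the real shell-out with the two environment variables the options control, but the demo functions use the fake store instead, so the block runs without pass or gpg installed.

```python
"""Model of how the Salt pass renderer resolves template variables.

Added illustration, not salt/renderers/pass.py. Mirrors the documented
behaviour of pass_variable_prefix and pass_strict_fetch. Store and pillar
data below are constructed for the demo.
"""
import logging
import os
import subprocess

log = logging.getLogger(__name__)


class PassFetchError(Exception):
    """Stand-in for the render error the real renderer raises (assumption)."""


def pass_show(pass_path, pass_dir="", gnupghome=""):
    """Run `pass show <pass_path>` as the calling user.

    Returns the entry without its trailing newline, or None when pass exits
    non-zero or prints nothing (missing entry, key not in the keyring, ...).
    """
    env = os.environ.copy()
    if pass_dir:                       # pass_dir      -> PASSWORD_STORE_DIR
        env["PASSWORD_STORE_DIR"] = pass_dir
    if gnupghome:                      # pass_gnupghome -> GNUPGHOME
        env["GNUPGHOME"] = gnupghome
    proc = subprocess.run(["pass", "show", pass_path], capture_output=True, env=env)
    if proc.returncode != 0 or not proc.stdout:
        return None
    return proc.stdout.decode("utf-8").rstrip("\r\n")


def resolve_secret(value, show, prefix="", strict=False):
    """Resolve one string; `show` is the fetch function (pass_show or a fake).

    With a prefix, only strings starting with it are looked up (prefix removed,
    whitespace stripped); everything else passes through untouched. Without a
    prefix every string is looked up. A miss raises when strict, otherwise it
    logs a warning and returns the original text.
    """
    if prefix:
        if not value.startswith(prefix):
            return value
        path = value[len(prefix):].strip()
    else:
        path = value.strip()
    secret = show(path)
    if secret is None:
        msg = "Could not fetch secret '{}' from the password store".format(path)
        if strict:
            raise PassFetchError(msg)
        log.warning(msg)
        return value
    return secret


def resolve_tree(obj, show, prefix="", strict=False):
    """Walk what the previous renderer produced (dicts, lists, scalars)."""
    if isinstance(obj, str):
        return resolve_secret(obj, show, prefix, strict)
    if isinstance(obj, dict):
        return {k: resolve_tree(v, show, prefix, strict) for k, v in obj.items()}
    if isinstance(obj, list):
        return [resolve_tree(v, show, prefix, strict) for v in obj]
    return obj  # numbers, booleans and None are never sent to pass


# Constructed fake password store: pass path -> decrypted entry.
FAKE_STORE = {
    "infra/db/app_password": "s3cr3t-db-pass",
    "infra/api/token": "tok_0123456789",
}


def fake_show(pass_path):
    return FAKE_STORE.get(pass_path)


# Constructed pillar data, as jinja|yaml would hand it to the pass renderer for:
#   #!jinja|yaml|pass
#   app:
#     db_user: app
#     db_password: pass:infra/db/app_password
#     api_tokens: ['pass:infra/api/token', 'literal-token']
#     port: 5432
PILLAR = {
    "app": {
        "db_user": "app",
        "db_password": "pass:infra/db/app_password",
        "api_tokens": ["pass:infra/api/token", "literal-token"],
        "port": 5432,
    }
}


def demo_recommended():
    """pass_variable_prefix: 'pass:' together with pass_strict_fetch: true."""
    return resolve_tree(PILLAR, fake_show, prefix="pass:", strict=True)


def demo_missing_entry():
    """Same config with a typo in a pass path: strict mode aborts the render."""
    try:
        resolve_tree({"db_password": "pass:infra/db/app_pasword"},
                     fake_show, prefix="pass:", strict=True)
    except PassFetchError as err:
        return str(err)
    return None


def demo_strict_without_prefix():
    """pass_strict_fetch: true and no prefix: the first plain string fails."""
    try:
        resolve_tree(PILLAR, fake_show, prefix="", strict=True)
    except PassFetchError as err:
        return str(err)
    return None


if __name__ == "__main__":
    print(demo_recommended())
    print(demo_missing_entry())
    print(demo_strict_without_prefix())
```

demo_recommended is the configuration the page recommends: the two prefixed strings come back decrypted, 'app', 'literal-token' and 5432 are left alone. demo_missing_entry shows why strict fetch is worth having: without it the misspelled placeholder text would silently become the minion's db_password. demo_strict_without_prefix shows the failure mode of enabling strict fetch while leaving the prefix unset, where the first ordinary string in the pillar already aborts the render.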