salt.renderers.pass

Pass Renderer for Salt

pass is an encrypted on-disk password store.

New in version 2017.7.0.

Setup

Note: <user> needs to be replaced with the user salt-master will be running as.

Have private gpg loaded into user's gpg keyring

load_private_gpg_key:
  cmd.run:
    - name: gpg --import <location_of_private_gpg_key>
    - unless: gpg --list-keys '<gpg_name>'

Said private key's public key should have been used when encrypting pass entries that are of interest for pillar data.

Fetch and keep local pass git repo up-to-date

update_pass:
  git.latest:
    - force_reset: True
    - name: <git_repo>
    - target: /<user>/.password-store
    - identity: <location_of_ssh_private_key>
    - require:
      - cmd: load_private_gpg_key

Install pass binary

pass:
  pkg.installed

Salt master configuration options

# If the prefix is *not* set (default behavior), all template variables are
# considered for fetching secrets from Pass. Those that cannot be resolved
# to a secret are passed through.
#
# If the prefix is set, only the template variables with matching prefix are
# considered for fetching the secrets, other variables are passed through.
#
# For ease of use it is recommended to set the following options as well:
#       renderer: 'jinja|yaml|pass'
#       pass_strict_fetch: true
#
pass_variable_prefix: 'pass:'

# If set to 'true', error out when unable to fetch a secret for a template variable.
pass_strict_fetch: true

# Set GNUPGHOME env for Pass.
# Defaults to: ~/.gnupg
pass_gnupghome: <path>

# Set PASSWORD_STORE_DIR env for Pass.
# Defaults to: ~/.password-store
pass_dir: <path>
salt.renderers.pass.render(pass_info, saltenv='base', sls='', argline='', **kwargs)

Fetch secret from pass based on pass_path