Script to retrieve Passbolt passwords for Saltstack Pillars
Go to file
Sven Seeberg d9827cff0a
Adjust production deployment procedure
2023-12-18 17:38:42 +01:00
.github/workflows Add PyPi publishing action 2023-12-18 17:10:32 +01:00
example Update README, example 2022-04-16 19:02:58 +02:00
src/salt_passbolt Assert that secrets are not empty 2023-01-14 12:00:57 +01:00
.gitignore Initial commit 2020-02-01 18:50:15 +01:00
LICENSE Update README, example 2022-04-16 19:02:58 +02:00
README.md Adjust production deployment procedure 2023-12-18 17:38:42 +01:00
pyproject.toml Adjust production deployment procedure 2023-12-18 17:38:42 +01:00
setup.py Add pyproject.toml 2023-12-18 16:44:16 +01:00

README.md

About

This Python module allows you to manage secrets for Saltstack via Passbolt. This makes managing secrets easier than manually encrypting them and storing the encrpyted password in the Saltstack repository.

Additionally, it is possible to only have one source of truth for passwords for users and IT infrastructure while being able to manage access for each password. That means that all users can contribute to the Saltack configuration and manage (view/add/change) secrets within their responsibility.

License

MIT

Production Setup

  1. Go to your Salt master and install the module with salt-pip

    salt-pip install passbolt-salt
    

    This will install this module and its dependencies.

  2. Create a Passbolt account for the Salt master.

  3. Copy the private and public PGP key files to /etc/salt.

  4. Import the new Passbolt private key on the Salt master:

    gpg --import /etc/salt/passbolt_private.asc
    
  5. Create a /etc/salt/passbolt.ini file with the following content:

    [PASSBOLT]
    SERVER = https://passbolt.example.com
    #SERVER_PUBLIC_KEY_FILE = <optional: server_public.asc>
    USER_FINGERPRINT = [REPLACE WITH GPG KEY FINGERPRINT]
    USER_PUBLIC_KEY_FILE = /etc/salt/passbolt_public.asc
    USER_PRIVATE_KEY_FILE = /etc/salt/passbolt_private.asc
    PASSPHRASE = [REPLACE WITH PASSBOLT USER PASSWORD]
    
  6. Change file permissions:

    chown salt /etc/salt/passbolt*
    chmod 600 /etc/salt/passbolt*
    

Use Passwords of Passbolt Group in Pillar

Look into the example directory to see how the integration is done.

  1. Create Pillar sls files for the different Salt minions, insert the content below and replace the group UUID.
    #!py
    def run():
        from salt_passbolt import fetch_passbolt_passwords
        return fetch_passbolt_passwords("27b9abd4-af9b-4c9e-9af1-cf8cb963680c")
    

Hint: you can find the group UUID in the URL of the Passbolt admin interface when editing a group.

  1. In a state, reference secrets with their UUID. See the example/salt/important_secrets/files/secret.conf.
    password={{ pillar['passbolt']['3ec2a739-8e51-4c67-89fb-4bbfe9147e17'] }}
    

Hint: you can find the secret UUID in the URL of your browser by clicking on the checkbox of a secret.

Performance

All passwords are decrypted with a single process (gpg-agent). If many minions need to access their Pillar at the same time, the gpg-agent becomes a bottleneck. To avoid this bottleneck, the Pillar cache can be enabled for the Salt master with pillar_cache: True. The following crontab entry updates the Pillar cache twice a day:

0 */12 * * * rm -rf /var/cache/salt/master/pillar_cache/* && salt '*' -b1 pillar.items

YAML Replacement Structure

If the Passbolt server is not available, for example during local development, a file with the following format can replace the Python code mentioned in step 8:

passbolt:
  3ec2a739-8e51-4c67-89fb-4bbfe9147e17: MY_SECRET