Script to retrieve Passbolt passwords for Saltstack Pillars
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
Sven Seeberg d28de9a8f0
README: fix development
1 day ago
example Revert "Support local file for passbolt replacement" 6 months ago
src/salt_passbolt Support new Passbolt API 9 months ago
.gitignore Initial commit 2 years ago
LICENSE Initial commit 2 years ago
README.md README: fix development 1 day ago
setup.py Fix Passbolt API URL 2 years ago

README.md

About

This Python module retrieves passwords for Passbolt groups to make them available in Saltstack Pillar.

License

MIT

Setup

  1. Clone this repo

  2. Go to directory, run (requires python3-setuptools)

    python3 setup.py install
    
  3. Create an Passbolt account for the Salt master.

  4. Copy the private and public PGP key files to /etc/salt.

  5. Import the private key with

    gpg --import /etc/salt/passbolt_private.asc
    
  6. Create a /etc/salt/passbolt.ini file with the following content:

    [PASSBOLT]
    SERVER = https://passbolt.example.com
    #SERVER_PUBLIC_KEY_FILE = <optional: server_public.asc>
    USER_FINGERPRINT = [REPLACE WITH GPG KEY FINGERPRINT]
    USER_PUBLIC_KEY_FILE = /etc/salt/passbolt_public.asc
    USER_PRIVATE_KEY_FILE = /etc/salt/passbolt_private.asc
    PASSPHRASE = [REPLACE WITH PASSBOLT USER PASSWORD]
    
  7. Change file permissions:

    chown salt /etc/salt/passbolt*
    chmod 600 /etc/salt/passbolt*
    
  8. Create Pillar sls files for the different Salt minions. Use the example below as content for the sls files and replace the group UUID. Hint: you can find the group UUID in the URL of the Passbolt admin interface when editing a group.

    #!py
    def run():
        from salt_passbolt import fetch_passbolt_passwords
        return fetch_passbolt_passwords("27b9abd4-af9b-4c9e-9af1-cf8cb963680c")
    

    You can also look into the example directory.

  9. In state, reference secrets with their UUID. See the example/salt/important_secrets/files/secret.conf. Hint: you can find the secret UUID in the URL of your browser by clicking on the checkbox of a secret.

    password={{ pillar['passbolt']['3ec2a739-8e51-4c67-89fb-4bbfe9147e17'] }}
    

YAML Replacement Structure

If the Passbolt server is not available, for example during local development, a file with the following format can replace the Python code mentioned in step 8:

passbolt:
  3ec2a739-8e51-4c67-89fb-4bbfe9147e17: MY_SECRET