Script to retrieve Passbolt passwords for Saltstack Pillars
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Sven Seeberg d28de9a8f0
README: fix development
1 day ago
example Revert "Support local file for passbolt replacement" 6 months ago
src/salt_passbolt Support new Passbolt API 9 months ago
.gitignore Initial commit 2 years ago
LICENSE Initial commit 2 years ago README: fix development 1 day ago Fix Passbolt API URL 2 years ago


This Python module retrieves passwords for Passbolt groups to make them available in Saltstack Pillar.




  1. Clone this repo

  2. Go to directory, run (requires python3-setuptools)

    python3 install
  3. Create an Passbolt account for the Salt master.

  4. Copy the private and public PGP key files to /etc/salt.

  5. Import the private key with

    gpg --import /etc/salt/passbolt_private.asc
  6. Create a /etc/salt/passbolt.ini file with the following content:

    SERVER =
    #SERVER_PUBLIC_KEY_FILE = <optional: server_public.asc>
    USER_PUBLIC_KEY_FILE = /etc/salt/passbolt_public.asc
    USER_PRIVATE_KEY_FILE = /etc/salt/passbolt_private.asc
  7. Change file permissions:

    chown salt /etc/salt/passbolt*
    chmod 600 /etc/salt/passbolt*
  8. Create Pillar sls files for the different Salt minions. Use the example below as content for the sls files and replace the group UUID. Hint: you can find the group UUID in the URL of the Passbolt admin interface when editing a group.

    def run():
        from salt_passbolt import fetch_passbolt_passwords
        return fetch_passbolt_passwords("27b9abd4-af9b-4c9e-9af1-cf8cb963680c")

    You can also look into the example directory.

  9. In state, reference secrets with their UUID. See the example/salt/important_secrets/files/secret.conf. Hint: you can find the secret UUID in the URL of your browser by clicking on the checkbox of a secret.

    password={{ pillar['passbolt']['3ec2a739-8e51-4c67-89fb-4bbfe9147e17'] }}

YAML Replacement Structure

If the Passbolt server is not available, for example during local development, a file with the following format can replace the Python code mentioned in step 8:

  3ec2a739-8e51-4c67-89fb-4bbfe9147e17: MY_SECRET