Script to retrieve Passbolt passwords for Saltstack Pillars
Go to file
Sven Seeberg 967a38869e
Support new Passbolt API
* Some password objects are now JSON objects
  that need to be decoded.
2021-03-14 13:02:11 +01:00
example Add source 2020-02-01 19:55:31 +01:00
src/salt_passbolt Support new Passbolt API 2021-03-14 13:02:11 +01:00
.gitignore Initial commit 2020-02-01 18:50:15 +01:00
LICENSE Initial commit 2020-02-01 18:50:15 +01:00
README.md Fix readme numbering 2020-03-24 17:49:10 +01:00
setup.py Fix Passbolt API URL 2020-02-01 22:26:26 +01:00

README.md

About

This Python module retrieves passwords for Passbolt groups to make them available in Saltstack Pillar.

License

MIT

Setup

  1. Clone this repo

  2. Go to directory, run (requires python3-setuptools)

    python3 setup.py install
    
  3. Create an Passbolt account for the Salt master.

  4. Copy the private and public PGP key files to /etc/salt.

  5. Import the private key with

    gpg --import /etc/salt/passbolt_private.asc
    
  6. Create a /etc/salt/passbolt.ini file with the following content:

    [PASSBOLT]
    SERVER = https://passbolt.example.com
    #SERVER_PUBLIC_KEY_FILE = <optional: server_public.asc>
    USER_FINGERPRINT = [REPLACE WITH GPG KEY FINGERPRINT]
    USER_PUBLIC_KEY_FILE = /etc/salt/passbolt_public.asc
    USER_PRIVATE_KEY_FILE = /etc/salt/passbolt_private.asc
    PASSPHRASE = [REPLACE WITH PASSBOLT USER PASSWORD]
    
  7. Change file permissions:

    chown salt /etc/salt/passbolt*
    chmod 600 /etc/salt/passbolt*
    
  8. Create Pillar sls files where required with the content, replace the group UUID. Look into the example directory. Hint: you can find the Group UUID with the network tool of the browser by clicking on a group.

    #!py
    def run():
        from salt_passbolt import fetch_passbolt_passwords
        return fetch_passbolt_passwords("27b9abd4-af9b-4c9e-9af1-cf8cb963680c")
    
  9. In state, reference secrets with their UUID. See the example/salt/important_secrets/files/secret.conf. Hint: you can find the secret UUID in the URL of your browser by clicking on the checkbox of a secret.

    password={{ pillar['passbolt']['3ec2a739-8e51-4c67-89fb-4bbfe9147e17'] }}