Is there a way to encrypt or hide the acl_api_token value? #544

Open
jhur7 opened this issue Jul 27, 2020 · 3 comments

jhur7 commented Jul 27, 2020

I have checked in my acl_api_token into various places in my Hiera yaml files. I'd like to be able to either look up my token or obfuscate/encrypt the acl_api_token so the value doesn't show up in my source control repository. Is there a way to do this or am I missing something obvious in the module? Here's a snippet of one of my Hiera files with the acl_api_token redacted.

Thank You.

```yaml
consul::policies:
  'Consul_Node_Policy':
    description: "Consul Node policy, generated by puppet"
    rules:
      - resource: agent_prefix
        segment: ""
        disposition: "write"
      - resource: node_prefix
        segment: ""
        disposition: "write"
      - resource: service_prefix
        segment: ""
        disposition: "read"
      - resource: session_prefix
        segment: ""
        disposition: "read"
    acl_api_token: "REDACTED"
```

@joshberry911

You could use EYAML, and then you can encrypt anything in your configuration. You install the hiera-eyaml package (on a Debian-based system) and then adjust your puppetmaster configuration. More documentation: https://github.com/voxpupuli/hiera-eyaml


jhur7 commented Jul 28, 2020

Thank you @joshberry911. I'll look into this as an option. I would prefer not to use eyaml as I have already implemented Hiera/Vault. Is there a possibility of referring back to a file as opposed to the token API string? Are there any other options?


xavvo commented Aug 4, 2020

Hi @jhur7, if you already employ vault, did you consider the consul secret engine?
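
An added example, not part of the thread or of the module's own code: a repository check that reports the lines where `acl_api_token` still holds a literal value in Hiera data, while accepting hiera-eyaml `ENC[...]` ciphertext or a Hiera `%{...}` interpolation. The sample data, the token and ciphertext values, and the lookup key name are constructed for illustration.

```python
import re

# Constructed sample Hiera data; token values and the lookup key are made up.
SAMPLE = """\
consul::policies:
  'Plain_Policy':
    acl_api_token: "00000000-0000-0000-0000-000000000000"
  'Eyaml_Policy':
    acl_api_token: >
      ENC[PKCS7,CONSTRUCTEDCIPHERTEXT
      MORECONSTRUCTEDCIPHERTEXT]
  'Lookup_Policy':
    acl_api_token: "%{lookup('hypothetical::consul_token')}"
"""

KEY_RE = re.compile(r"""^(\s*)['"]?acl_api_token['"]?\s*:\s*(.*)$""")
QUOTES = "\"'\u201c\u201d"  # straight and typographic quotes

def classify(value):
    """Classify a raw token value as encrypted, lookup, empty or plaintext."""
    v = re.sub(r"\s+#.*$", "", value).strip().strip(QUOTES)
    if not v:
        return "empty"
    if v.startswith("ENC[") and v.endswith("]"):
        return "encrypted"  # hiera-eyaml ciphertext wrapper
    if re.fullmatch(r"%\{[^}]+\}", v):
        return "lookup"  # Hiera interpolation, resolved at lookup time
    return "plaintext"

def find_plaintext_tokens(text):
    """Return 1-based line numbers where acl_api_token holds a literal value."""
    lines, hits = text.splitlines(), []
    for i, line in enumerate(lines):
        m = KEY_RE.match(line)
        if not m:
            continue
        indent, value = len(m.group(1)), m.group(2).strip()
        if re.fullmatch(r"[>|][+-]?", value):
            # Block scalar: join the more-indented lines that follow the key.
            body = []
            for nxt in lines[i + 1:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= indent:
                    break
                body.append(nxt.strip())
            value = "".join(body)
        if classify(value) == "plaintext":
            hits.append(i + 1)
    return hits

print(find_plaintext_tokens(SAMPLE))
```

Run over each Hiera data file from a pre-commit hook or CI job, a non-empty result means a literal token is about to be committed.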
