{"id":15014031,"url":"https://github.com/cyberark/conjur-puppet","last_synced_at":"2025-04-12T06:05:06.117Z","repository":{"id":20903583,"uuid":"24191248","full_name":"cyberark/conjur-puppet","owner":"cyberark","description":"Official Puppet module for CyberArk Conjur","archived":false,"fork":false,"pushed_at":"2025-03-18T17:51:30.000Z","size":796,"stargazers_count":6,"open_issues_count":6,"forks_count":4,"subscribers_count":24,"default_branch":"main","last_synced_at":"2025-04-12T06:03:07.505Z","etag":null,"topics":["configuration-management","conjbot-notify","conjur","conjur-community-team","machine-identity","puppet"],"latest_commit_sha":null,"homepage":"https://forge.puppet.com/cyberark/conjur","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cyberark.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2014-09-18T14:26:03.000Z","updated_at":"2024-06-17T18:39:25.000Z","dependencies_parsed_at":"2024-01-25T00:13:10.799Z","dependency_job_id":"a9075652-0635-47a8-9b0f-e647170315e0","html_url":"https://github.com/cyberark/conjur-puppet","commit_stats":{"total_commits":349,"total_committers":23,"mean_commits":"15.173913043478262","dds":0.6131805157593123,"last_synced_commit":"36873c6fdbbc44bb1a1f711404611bfdc323b861"},"previous_names":[],"tags_count":24,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2Fconjur-puppet","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/re
positories/cyberark%2Fconjur-puppet/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2Fconjur-puppet/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2Fconjur-puppet/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cyberark","download_url":"https://codeload.github.com/cyberark/conjur-puppet/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248525137,"owners_count":21118617,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["configuration-management","conjbot-notify","conjur","conjur-community-team","machine-identity","puppet"],"created_at":"2024-09-24T19:45:04.812Z","updated_at":"2025-04-12T06:05:06.080Z","avatar_url":"https://github.com/cyberark.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"# conjur\n\n[![Version](https://img.shields.io/puppetforge/v/cyberark/conjur.svg)](https://forge.puppet.com/cyberark/conjur)\n\n#### Table of Contents\n\n- [Description](#description)\n- [Certification Level](#certification-level)\n- [Setup](#setup)\n  * [Setup requirements](#setup-requirements)\n  * [Deprecations](#deprecations)\n    + [Puppet v5](#puppet-v5)\n    + [Conjur Enterprise v4](#conjur-enterprise-v4)\n    + [Use of Host Factory Tokens](#use-of-host-factory-tokens)\n  * [Installation](#installation)\n  * [Using conjur-puppet with Conjur Open Source](#using-conjur-puppet-with-conjur-open-source)\n  * [Conjur module basics](#conjur-module-basics)\n    + [Example 
usage](#example-usage)\n    + [`Deferred` functions](#deferred-functions)\n    + [`Sensitive` type](#sensitive-type)\n- [Usage](#usage)\n  * [Methods to establish Conjur host identity](#methods-to-establish-conjur-host-identity)\n    + [Conjur host identity with API key](#conjur-host-identity-with-api-key)\n      * [Updating the Puppet manifest](#updating-the-puppet-manifest)\n      * [Using Hiera](#using-hiera)\n      * [Using Conjur identity files (Linux agents only)](#using-conjur-identity-files--linux-agents-only-)\n      * [Using Windows Registry / Windows Credential Manager (Windows agents only)](#using-windows-registry---windows-credential-manager--windows-agents-only-)\n- [Troubleshooting](#troubleshooting)\n- [Reference](#reference)\n- [Limitations](#limitations)\n- [Contributing](#contributing)\n- [Support](#support)\n\n\u003csmall\u003e\u003ci\u003e\u003ca href='http://ecotrust-canada.github.io/markdown-toc/'\u003eTable of contents generated with markdown-toc\u003c/a\u003e\u003c/i\u003e\u003c/small\u003e\n\n## Description\n\nThis is the official Puppet module for [Conjur](https://www.conjur.org), a robust\nidentity and access management platform. This module simplifies the operations involved in\nestablishing a Conjur host identity and allows authorized Puppet nodes to fetch\nsecrets from Conjur.\n\nYou can find our official distributable releases on Puppet Forge under [`cyberark/conjur`](https://forge.puppet.com/cyberark/conjur).\n\n## Certification level\n\n![Certification Level](https://img.shields.io/badge/Certification%20Level-Certified-6C757D?link=https://github.com/cyberark/community/blob/main/Conjur/conventions/certification-levels.md)\n\nThis repo is a **Certified** project. It is officially approved to work with Conjur Open Source\nand Conjur Enterprise as documented. 
For more detailed information on our certification levels, see\n[our community guidelines](https://github.com/cyberark/community/blob/main/Conjur/conventions/certification-levels.md#community).\n\n## Setup\n\n### Setup requirements\n\nThis module requires that you have:\n- Puppet v6 _or equivalent EE version_\n- Conjur endpoint available to both the Puppet server and the Puppet nodes using this\n  module. Supported versions:\n  - Conjur Open Source v1+\n  - Conjur Enterprise (formerly DAP) v10+\n\n### Deprecations\n\n#### Puppet v5\n\nPuppet v5 is not supported in v3+ of this module. If you are still using this version,\nplease use the [v2](https://github.com/cyberark/conjur-puppet/tree/v2) branch of this\nproject or a release version `\u003c3.0.0`.\n\n#### Conjur Enterprise v4\n\nConjur Enterprise v4 is not supported in v3+ of this module. If you are still using this\nversion, please use the [v2](https://github.com/cyberark/conjur-puppet/tree/v2) branch\nof this project or a release version `\u003c3.0.0`.\n\n#### Use of Host Factory Tokens\n\nEstablishment of identity using host factory tokens directly through this module is no\nlonger supported. Host factory tokens can still be used to create host identities, but\nthese identities need to be established outside of the module itself. If you are still\nusing the creation of identities with host factory tokens via this module, please use\nthe [v2](https://github.com/cyberark/conjur-puppet/tree/v2) branch of this project or\na release version `\u003c3.0.0`.\n\n### Installation\n\nTo install this module, run the following command on the Puppet server:\n```\npuppet module install cyberark-conjur\n```\n\nTo install a specific version of this module (e.g. `v1.2.3`), run the following\ncommand on the Puppet server:\n```\npuppet module install cyberark-conjur --version 1.2.3\n```\n\n### Using conjur-puppet with Conjur Open Source\n\nAre you using this project with [Conjur Open Source](https://github.com/cyberark/conjur)? 
Then we\n**strongly** recommend choosing the version of this project to use from the latest [Conjur OSS\nsuite release](https://docs.conjur.org/Latest/en/Content/Overview/Conjur-OSS-Suite-Overview.html).\nConjur maintainers perform additional testing on the suite release versions to ensure\ncompatibility. When possible, upgrade your Conjur version to match the\n[latest suite release](https://docs.conjur.org/Latest/en/Content/ReleaseNotes/ConjurOSS-suite-RN.htm);\nwhen using integrations, choose the latest suite release that matches your Conjur version. For any\nquestions, please contact us on [Discourse](https://discuss.cyberarkcommons.org/c/conjur/5).\n\n### Conjur module basics\n\nThis module provides a `conjur::secret` [`Deferred` function](#deferred-functions)\nthat can be used to retrieve secrets from Conjur. Given a Conjur variable identifier and optional\nidentity parameters, `conjur::secret` uses the node’s Conjur identity to resolve and return\nthe variable’s value as a `Sensitive` variable.\n\nUsing a pre-provisioned identity:\n\n```puppet\n$dbpass = Deferred(conjur::secret, ['production/postgres/password'])\n```\n\nUsing a manifest-provided identity:\n```puppet\n$sslcert = @(\"EOT\")\n-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n|-EOT\n\n$dbpass = Deferred(conjur::secret, ['production/postgres/password', {\n  appliance_url =\u003e \"https://my.conjur.org\",\n  account =\u003e \"myaccount\",\n  authn_login =\u003e \"host/myhost\",\n  authn_api_key =\u003e Sensitive(\"2z9mndg1950gcx1mcrs6w18bwnp028dqkmc34vj8gh2p500ny1qk8n\"),\n  ssl_certificate =\u003e $sslcert\n}])\n```\n\n#### Example usage\n\n```puppet\nnode 'server-123' {\n  $db_password = Deferred(conjur::secret, ['inventory/db-password'])\n\n  # Example of writing a secret to a file\n  file { '/tmp/creds.txt':\n    ensure =\u003e file,\n    mode =\u003e '0600',\n    content =\u003e $db_password,\n  }\n\n  # Example of using a secret in a templated file\n  file { '/tmp/creds.ini':\n    
ensure =\u003e file,\n    mode =\u003e '0600',\n    content =\u003e Deferred('inline_epp', [\n      'password=\u003c%= $db_password.unwrap %\u003e',\n      { 'db_password' =\u003e $db_password }\n    ]),\n  }\n}\n```\n\n#### `Deferred` functions\n\nThis module _requires_ the use of Puppet v6+\n[`Deferred` functions](https://puppet.com/docs/puppet/6.17/deferring_functions.html)\nto ensure that the credential retrieval is fully handled on the agent. Failure\nto use `Deferred` around the method will result in an error:\n\n```puppet\n# GOOD: Function `conjur::secret` is wrapped in `Deferred` call\nDeferred(conjur::secret, ['production/postgres/password'])\n```\n\n```puppet\n# BAD: This will not work!\nconjur::secret('production/postgres/password')\n```\n\nSince the resolution of variables is done also on the agent _after_ the catalog is\ncompiled, anything that requires the value of the variable during the compilation\nstep (e.g. template compilation)\n[must also be wrapped in a `Deferred` invocation](https://puppet.com/docs/puppet/6.17/template_with_deferred_values.html).\n\nIt is also important to note that you should make sure that you invoke the\n`conjur::secret` function using the proper `Deferred` syntax:\n\n```puppet\n# GOOD: Passing the parameters as an array\nDeferred(conjur::secret, ['production/postgres/password'])\n```\n\n```puppet\n# BAD: This will not work!\nDeferred(conjur::secret('production/postgres/password'))\n```\n\nYou can read more about Puppet's `Deferred` functions\n[here](https://puppet.com/docs/puppet/6.17/deferring_functions.html).\n\n#### `Sensitive` type\n\n`conjur::secret` returns values wrapped in a `Sensitive` data type. In\nsome contexts, such as string interpolation, it might cause surprising results\n(interpolating to `Sensitive [value redacted]`). 
This is intentional, as it\nmakes it more difficult to accidentally mishandle secrets.\n\nTo use a `Sensitive` value as a string, you need to explicitly request it using\nthe `unwrap` function. If you are setting other Puppet variables to the value of\nthis secret or if you are creating composite Puppet variables from it, you should\nensure that the resulting value is also wrapped in a `Sensitive` type. In\nparticular, you should not pass unwrapped variables as parameters to Puppet methods\nif you can avoid it. Many Puppet resource functions support `Sensitive` data type\nand handle it correctly.\n\n```puppet\n$dbpass = Deferred(conjur::secret, ['production/postgres/password'])\n\n# Use Sensitive data type to handle anything sensitive\n$db_yaml = Sensitive(Deferred('inline_epp', [\n  'password: \u003c%= $db_password.unwrap %\u003e',\n  { 'db_password' =\u003e $dbpass }\n]))\n\nfile { '/etc/someservice/db.yaml':\n  ensure  =\u003e file,\n  mode    =\u003e '0600',\n  content =\u003e $db_yaml, # This correctly handles both Sensitive and String\n}\n```\n\nNote: We only enforce that the API key from the Conjur configuration is marked\nSensitive, but if any other data in the function parameters is also considered\nsensitive by your organization you may also wrap the whole `Deferred` invocation\nin the `Sensitive` type to prevent accidental disclosure of the sensitive\ninformation to the logs. 
Note that if you do this, you will need to unwrap the\noutput twice.\n\n## Usage\n\nThis module provides the `conjur::secret` function described above and the `conjur`\nclass, which can be configured to establish Conjur host identity on the node running\nPuppet.\n\n### Methods to establish Conjur host identity\n\nConjur requires an\n[application identity](https://docs.conjur.org/Latest/en/Content/Get%20Started/key_concepts/machine_identity.html)\nfor any applications, machines, or processes that need to interact with Conjur.\n\nPlease note that before getting started configuring your Puppet environment, you'll need\nto load a policy in Conjur to define the application identities that you will be using to\nauthenticate to Conjur. To learn more about\n[creating hosts](https://docs.conjur.org/Latest/en/Content/Operations/Policy/statement-ref-host.htm),\nplease see [the Conjur documentation](https://docs.conjur.org/Latest/en/Content/Resources/_TopNav/cc_Home.htm).\n\nIn the sections below, we'll outline the different methods of providing this\nmodule with your Conjur configuration and credentials. In those sections we'll\nrefer often to the following Conjur configuration variables:\n\n- `appliance_url`: The URL of the Conjur or Conjur Enterprise instance you are connecting to. If using\n  Conjur Enterprise, this may be the URL of a load balancer for the cluster's Conjur Enterprise follower instances.\n- `account`: The account name for the Conjur / Conjur Enterprise instance you are connecting to.\n- `authn_login`: The identity you are using to authenticate to the Conjur / Conjur Enterprise\n  instance. 
For hosts / application identities, the fully qualified path should be prefixed\n  by `host/`, e.g. `host/production/my-app-host`.\n- `authn_api_key`: The API key of the identity you are using to authenticate to the\n  Conjur / Conjur Enterprise instance.\n- `ssl_certificate`: The _raw_ PEM-encoded X.509 CA certificate chain for the Conjur Enterprise instance you\n  are connecting to, provided as a string (including newlines) or using the\n  [Puppet file resource type](https://puppet.com/docs/puppet/latest/types/file.html).\n  This value may be obtained by running the command:\n  ```sh-session\n  $ openssl s_client -showcerts -servername [DAP_INSTANCE_DNS_NAME] \\\n    -connect [DAP_INSTANCE_DNS_NAME]:443 \u003c /dev/null 2\u003e /dev/null \\\n    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'\n  -----BEGIN CERTIFICATE-----\n  ...\n  -----END CERTIFICATE-----\n  ```\n- `version` (optional): Conjur API version, defaults to 5.\n\n_Note that not all variables are required for each method of configuration._\n\n#### Conjur host identity with API key\n\nThe simplest way to get started with a Conjur application identity is to\n[create a host in Conjur](https://docs.conjur.org/Latest/en/Content/Operations/Policy/statement-ref-host.htm)\nand then provide its Conjur credentials to this module. 
There are a few ways to provide\nthe Conjur Puppet module with these credentials and they are outlined in\nthe following sections.\n\n##### Updating the Puppet manifest\n\nWhen you update the Puppet manifest to include the Conjur host identity and API key, you\nare configuring the Puppet **server** with the Conjur identity information.\n\nIn this example, after you have created a Conjur host named `redis001`, you can add\nits host identity information and its API key to your `Deferred` invocation as an optional\nhash like this:\n```puppet\n$sslcert = @(\"EOT\")\n-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n|-EOT\n\n$dbpass = Deferred(conjur::secret, ['production/postgres/password', {\n  appliance_url =\u003e \"https://my.conjur.org\",\n  account =\u003e \"default\",\n  authn_login =\u003e \"host/redis001\",\n  authn_api_key =\u003e Sensitive(\"2z9mndg1950gcx1mcrs6w18bwnp028dqkmc34vj8gh2p500ny1qk8n\"),\n  ssl_certificate =\u003e $sslcert\n}])\n```\n\n##### Using Hiera\n\nYou can also add the Conjur identity configuration to Hiera, which provides the Conjur\nidentity information to the Puppet **server**. 
You then would use that information to\npopulate the host identity information:\n\n```yaml\n---\nlookup_options:\n  '^conjur::authn_api_key':\n    convert_to: 'Sensitive'\n\nconjur::account: 'default'\nconjur::appliance_url: 'https://my.conjur.org'\nconjur::authn_login: 'host/myhost'\nconjur::authn_api_key: '\u003cREPLACE_ME\u003e'\nconjur::ssl_certificate: |\n  -----BEGIN CERTIFICATE-----\n  ...\n  -----END CERTIFICATE-----\n```\n\nThen in your manifest, you can fetch the secret like this:\n```puppet\n$sslkey = Deferred(conjur::secret, [\"domains/%{hiera('domain')}/ssl-cert\", {\n  appliance_url =\u003e lookup('conjur::appliance_url'),\n  account =\u003e lookup('conjur::account'),\n  authn_login =\u003e lookup('conjur::authn_login'),\n  authn_api_key =\u003e lookup('conjur::authn_api_key'),\n  ssl_certificate =\u003e lookup('conjur::ssl_certificate')\n}])\n\nfile { '/absolute/path/to/cert.pem':\n  ensure    =\u003e file,\n  content   =\u003e $sslkey,\n}\n```\n\n##### Using Conjur identity files (Linux agents only)\n\nTo configure **Linux agents** with a Conjur host identity, you can add the Conjur host\nand API key to\n[Conjur identity files](https://docs.conjur.org/Latest/en/Content/Get%20Started/key_concepts/machine_identity.html)\n`/etc/conjur.conf` and `/etc/conjur.identity`.\n\nUsing the same `redis001` host as above, you would create a `conjur.conf` file that\ncontains:\n```yaml\n---\naccount: myorg\nplugins: []\nappliance_url: https://conjur.mycompany.com\ncert_file: \"/absolute/path/to/conjur-ca.pem\" # Read from the Puppet agent\n# Alternative for providing the SSL cert\n# ssl_certificate: |\n#  -----BEGIN CERTIFICATE-----\n#  ...\n#  -----END CERTIFICATE-----\n```\n\n| Value Name | Description |\n|-|-|\n| `account` | Conjur account specified during Conjur setup. |\n| `appliance_url` | Conjur API endpoint. |\n| `cert_file` | Path to a file containing the public Conjur SSL cert on the agent. This value **must** be an absolute path and not a relative one. 
|\n| `ssl_certificate` | Raw public Conjur SSL cert. Overwritten by the contents read from `cert_file` when it is present. |\n| `version` | Conjur API version. Defaults to `5`. |\n\nNote: **use either `ssl_certificate` _or_ `cert_file` but not both, as `cert_file`\noverrides the value of the `ssl_certificate` setting.**\n\nYou will also need a `conjur.identity` file that contains:\n```netrc\nmachine conjur.mycompany.com\n    login host/redis001\n    password f9yykd2r0dajz398rh32xz2fxp1tws1qq2baw4112n4am9x3ncqbk3\n```\n\n_**NOTE: The `conjur.conf` and `conjur.identity` files contain sensitive\n  Conjur connection information. Care must be taken to ensure that\n  the permissions for these files are set to `600` to\n  disallow any access to these files by unauthorized (non-root) users\n  on a Linux Puppet agent node.**_\n\nThe Conjur Puppet Module automatically checks for these files on your node and uses\nthem if they are available.\n\nTo then fetch your credential, you would use the default form of `conjur::secret`:\n```puppet\n$dbpass = Deferred(conjur::secret, ['production/postgres/password'])\n```\n\n##### Using Windows Registry / Windows Credential Manager (Windows agents only)\n\nTo configure **Windows agents** with a Conjur host identity, you set up the Conjur\nconfiguration in the Windows Registry and in the Windows Credential Manager. The\nRegistry contains the general connection information and the Credential Manager is\nused to store the sensitive authentication credentials.\n\nConnection settings for Conjur are stored in the Windows Registry under the key\n`HKLM\\Software\\CyberArk\\Conjur`. This is equivalent to `/etc/conjur.conf` on Linux. The\nvalues available to set are:\n\n| Value Name | Value Type | Description |\n|-|-|-|\n| `Account` | `REG_SZ` | Conjur account specified during Conjur setup. |\n| `ApplianceUrl` | `REG_SZ` | Conjur API endpoint. |\n| `CertFile` | `REG_SZ` | Path to a file containing the public Conjur SSL cert on the agent. 
This value **must** be an absolute path and not a relative one. |\n| `SslCertificate` | `REG_SZ` | Raw public Conjur SSL cert. Overwritten by the contents read from `CertFile` when it is present. |\n| `Version` | `REG_DWORD` | Conjur API version. Defaults to `5`. |\n\nThese may be set using PowerShell:\n\n```powershell\n\u003e reg ADD HKLM\\Software\\CyberArk\\Conjur /v ApplianceUrl /t REG_SZ /d https://conjur.mycompany.com\n\u003e reg ADD HKLM\\Software\\CyberArk\\Conjur /v Version /t REG_DWORD /d 5\n\u003e reg ADD HKLM\\Software\\CyberArk\\Conjur /v Account /t REG_SZ /d myorg\n\u003e reg ADD HKLM\\Software\\CyberArk\\Conjur /v SslCertificate /t REG_SZ /d \"-----BEGIN CERTIFICATE-----...\"\n```\n\nOr using a `.reg` registry file (**`SslCertificate` value cannot be set this way - you must\nset this value via command line**):\n```reg\nWindows Registry Editor Version 5.00\n\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\CyberArk\\Conjur]\n\"ApplianceUrl\"=\"https://conjur.mycompany.com\"\n\"Version\"=dword:00000005\n\"Account\"=\"myorg\"\n```\n\n_**NOTE: It is important from a security perspective to ensure that\nunauthorized, non-administrator users do not have write access to Conjur\nconnection settings in the Windows Registry. Disabling write access for\nunauthorized users to these settings will help to prevent potential malicious\nredirection of sensitive Puppet agent messages. Read-only access for\nnon-administrator users to Conjur connection information can be confirmed via\n`regedit` on the Windows Desktop, or by running the following command from a\nPowerShell prompt to confirm that only the `ReadKey` flag is set:**_\n\n```powershell\nPS C:\\\u003e Get-Acl -Path HKLM:SOFTWARE\\CyberArk\\Conjur | fl * | Out-String -stream | Select-String \"BUILTIN\\\\Users\"\n\nAccessToString          : BUILTIN\\Users Allow  ReadKey\n```\n\nCredentials for Conjur are stored in the Windows Credential Manager. The credential\n`Target` is the Conjur appliance URL (e.g. 
`https://conjur.mycompany.com`).\nThe username is the host ID, with a `host/` prefix (e.g. `host/redis001`, as in previous\nexamples) and the credential password is the host's API key. This is equivalent to\n`/etc/conjur.identity` on Linux.\n\nThis may be set using PowerShell:\n```powershell\n\u003e cmdkey /generic:https://conjur.mycompany.com /user:host/redis001 /pass\nEnter the password for 'host/my-host' to connect to 'https://conjur.net/authn': #\n{Prompt for API Key}\n\nCMDKEY: Credential added successfully.\n```\n\nTo then fetch your credential, you would use the default form of `conjur::secret`:\n```puppet\n$dbpass = Deferred(conjur::secret, ['production/postgres/password'])\n```\n\n## Troubleshooting\n\nFor a complete guide on troubleshooting, please see\n[TROUBLESHOOTING.md](https://github.com/cyberark/conjur-puppet/blob/main/TROUBLESHOOTING.md).\n\n## Reference\n\nFor a complete reference, please see\n[REFERENCE.md](https://github.com/cyberark/conjur-puppet/blob/main/REFERENCE.md).\n\n## Limitations\n\nSee [metadata.json](https://github.com/cyberark/conjur-puppet/blob/main/metadata.json)\nfor supported platforms.\n\nCurrently, the Conjur Puppet module encrypts and decrypts the Conjur access\ntoken using the Puppet server’s private/public key pair. This is known to be\nincompatible with using multiple [compile masters](https://puppet.com/docs/puppetserver/5.3/scaling_puppet_server.html).\n\n## Contributing\n\nWe welcome contributions of all kinds to this repository. For instructions on\nhow to get started and descriptions of our development workflows, please see our\n[contributing guide][contrib].\n\n[contrib]: https://github.com/cyberark/conjur-puppet/blob/main/CONTRIBUTING.md\n\n## Support\n\nPlease note that this is a \"Partner Supported\" module, which means that technical\ncustomer support for this module is solely provided by CyberArk.\n\nPuppet does not provide support for any Partner Supported modules. 
For technical\nsupport please visit the Conjur channel at [CyberArk Commons](https://discuss.cyberarkcommons.org/).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyberark%2Fconjur-puppet","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcyberark%2Fconjur-puppet","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyberark%2Fconjur-puppet/lists"}