{"id":20723250,"url":"https://github.com/unruly/hiera-secrets-manager","last_synced_at":"2025-08-09T04:05:00.607Z","repository":{"id":54608200,"uuid":"145117327","full_name":"unruly/hiera-secrets-manager","owner":"unruly","description":":key: Hiera backend using AWS Secrets Manager","archived":false,"fork":false,"pushed_at":"2021-02-08T15:58:37.000Z","size":46,"stargazers_count":5,"open_issues_count":1,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-07-27T21:42:24.221Z","etag":null,"topics":["aws-secrets-manager","hiera","puppet"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/unruly.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-08-17T12:22:31.000Z","updated_at":"2021-07-14T15:24:20.000Z","dependencies_parsed_at":"2022-08-13T21:20:33.664Z","dependency_job_id":null,"html_url":"https://github.com/unruly/hiera-secrets-manager","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/unruly/hiera-secrets-manager","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unruly%2Fhiera-secrets-manager","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unruly%2Fhiera-secrets-manager/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unruly%2Fhiera-secrets-manager/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unruly%2Fhiera-secrets-manager/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/unruly","download_url":"htt
ps://codeload.github.com/unruly/hiera-secrets-manager/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unruly%2Fhiera-secrets-manager/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":269527567,"owners_count":24432442,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-09T02:00:10.424Z","response_time":111,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws-secrets-manager","hiera","puppet"],"created_at":"2024-11-17T04:08:03.843Z","updated_at":"2025-08-09T04:05:00.553Z","avatar_url":"https://github.com/unruly.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Hiera AWS Secrets Manager Backend :key:\n\n[![Build Status](https://travis-ci.org/unruly/hiera-secrets-manager.svg?branch=master)](https://travis-ci.org/unruly/hiera-secrets-manager)\n[![Gem Version](https://badge.fury.io/rb/hiera-secrets-manager.svg)](https://badge.fury.io/rb/hiera-secrets-manager)\n\nA hiera backend to query AWS Secrets Manager which uses Puppet Environments for namespacing.\n\n```bash\n$ hiera 'my_system/password' \\\n    environment=prod \\\n    --config ~/hiera.yaml \\\n    --debug\n\nDEBUG: 2018-08-30 16:54:00 +0000: AWS Secrets Manager backend starting\nDEBUG: 2018-08-30 16:54:00 +0000: Retrieved Secret 'production/my_system/password' with version 
'2d06f591-ef4c-4e4e-8c6c-5e3668db9180'\n\nmYs3cR3TpAs5W0rD\n```\n\n## Contents\n\n- [Install](#install)\n- [Supported Lookups](#supported-lookups)\n- [Configuration](#configuration)\n  - [Region](#region)\n  - [Credentials](#credentials)\n  - [Environments](#environments)\n- [Contributing](#contributing)\n  - [Code of Conduct](#code-of-conduct)\n  - [Getting Started](#getting-started)\n  - [Building](#building)\n  - [Releasing a Change](#releasing-a-change)\n- [License](#license)\n\n## Install\n\nTo install the gem manually:\n\n```bash\ngem install hiera-secrets-manager\n```\n\nInstall the dependencies before attempting to use the gem:\n\n```\nbundle install\n```\n\n## Supported Lookups\n\nhiera-secrets-manager supports `:priority` (single value) and `:hash` (key-value pair) lookups, but not `:array`.\n\n### Priority Lookup\n\n```puppet\n# In environment 'production' with 'production/system/my-secret' set as 'some-password'\n$secret = hiera('system/my-secret')\n\nnotice($secret) # prints 'Notice: Scope(Class[main]): some-password'\n```\n\n### Hash Lookup\n\n```puppet\n# In environment 'production' with 'production/system/my-secret' set as pairs 'foo:bar' and 'baz:zap'\n$secret = hiera_hash('system/my-secret')\n\nnotice($secret['foo']) # prints 'Notice: Scope(Class[main]): bar'\nnotice($secret['baz']) # prints 'Notice: Scope(Class[main]): zap'\n\nnotice($secret) # prints 'Notice: Scope(Class[main]): {\"foo\"=\u003e\"bar\", \"baz\"=\u003e\"zap\"}'\n```\n\n## Configuration\n\nHiera Secrets Manager is configurable and the configuration has three required fields to operate: region, access_key_id, and secret_access_key.\n\nAn example hiera.yaml file implementing only hiera-secrets-manager is below:\n\n```yaml\n:backends:\n  - secrets_manager\n:secrets_manager:\n    :region: eu-west-1\n    :access_key_id: AWSACCESSKEY\n    :secret_access_key: rAnd0MsTr!nG\n    :environments:\n        dev: development\n        uat: staging\n        prod: production\n```\n\n### 
Region\n\nMandatory field. Corresponds to the AWS Region where your secrets are stored, e.g. `eu-west-1`.\n\n### Credentials\n\nCredentials for the AWS user are mandatory. The user must have permission to use `secretsmanager:GetSecretValue` on any relevant secrets in AWS Secrets Manager. This permission can be configured in AWS IAM.\n\n#### access_key_id\n\nMandatory field. Corresponds to AWS's `Access key ID`.\n\n#### secret_access_key\n\nMandatory field. Corresponds to AWS's `Secret access key`.\n\n### Environments\n\nOptional field. When used with Puppet, an environment will always be present. These key-value pairs map the environments in Puppet to namespaces in AWS.\n\n```yaml\n:environments:\n    dev: development\n    uat: staging\n    prod: production\n```\n\n- A lookup for key `foo` in environment `dev` will query AWS Secrets Manager for `development/foo`\n\nIf there is no key set for an environment, or no environments configuration at all, the secret name queried in AWS Secrets Manager is prefixed by default with the Puppet environment name:\n\n- A lookup for key `zap` in environment `test` will query AWS Secrets Manager for `test/zap`, because there's no entry for `test` in the environments configuration.\n\n## Contributing\n\n### Code of Conduct\n\nEveryone interacting with this project is required to follow the [Code of Conduct](./CODE_OF_CONDUCT.md).\n\n### Getting Started\n\nYou'll need Git, Ruby, and Bundler installed. 
\nThen clone this project, and install its dependencies:\n\n```bash\n$ git clone git@github.com:unruly/hiera-secrets-manager\n$ bundle install\n```\n\nYou can run `rake` in the project root to run RSpec tests, and check test coverage.\n\n### Building\n\n- To build a gem on your local machine, run `gem build hiera-secrets-manager.gemspec`, which will create a .gem file with the current version number.\n- Install the gem with `gem install hiera-secrets-manager-{VERSION}.gem`, specifying the version number.\n\n### Releasing a Change\n\n- To release a new version:\n  - Update the version number in `hiera-secrets-manager.gemspec`\n  - Ensure versions are in line with the [Semantic Versioning](https://semver.org/) convention.\n  - Open a pull request against this repository.\n\n## License\n\nThe gem is available as open source under the terms of the [MIT License](./LICENSE.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Funruly%2Fhiera-secrets-manager","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Funruly%2Fhiera-secrets-manager","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Funruly%2Fhiera-secrets-manager/lists"}