hiera-gpg not resolving variables, P3.8

asked 2015-11-13 09:36:36 -0600

asktbt gravatar image


Hiera when invoked by the puppetserver does not find the variables in the encrypted *.gpg files and therefore not delier back values.



  • Puppet OpenSource, v3.8
  • CentOS 7
  • Hiera v.1.4
  • gpgme, v.2.0.10 (gem)
  • hiera-gpg, v.1.1.0 (gem)


Parameter from classes which are set in an encrypted gpg file are not resolved. None of these mechanisms lead to a value other than 'UNSET' for the parameter password:

class example (
  $password = 'UNSET'
) {}
class example (
  $password = hiera('password', 'UNSET')
) {}
class example (
  $password = 'UNSET'
) {
  $password = hiera('password)

Content of the encrypted YAML file:

example::password: secretpassword1
password: secretpassword2


  1. Putting the password with the same syntax into a file that is being picked up by the YAML backend, the resolving works and the Puppet master gets the correct string from the YAML backend.
  2. Putting the password back into the gpg file and running hiera on the command line with the user running the service puppetserver returns the correct result from the gpg backend:

    $ hiera -c /etc/hiera.yaml example::pasword environment=prod
    $ hiera -c /etc/hiera.yaml password environment=prod
  3. The user can read the encrypted gpg file also directly:

    $ gpg -d /etc/hiera/prod/passwords.gpg
    example::password: secretpassword1
    password: secretpassword2
  4. The service puppetserver has been restarted (start/stop/restart) mutiple times and especially after changes to the hiera configuration and import of the gpg keys.

  5. hiera-gpg has been installed as a GEM without remote access:

    $ yum install gpgme
    $ gem install hiera-gpg.gem
  6. I have got a working reference system on Puppet v.3.1 running and working, so hiera-gpg is not completely unknown to me.

  7. It took me a while to realize that the service puppetserver was not running as user root (as in older puppet versions), but with the user puppet instead. After importing the secret gpg key into the keychain of the new user, decryption also worked for that one.


These articles have been studies and applied and checked where reasonable/possible:


I am currently at the end of the testing and thinking process (it's also Friday evening here) and I am out of ideas why the backend might not work in Puppet. The only hook it could follow would be the installation of the hiera-gpg.gem without internet access. But for opening the firewall it is too late to send out a request today and since hiera is retrieving data from the gpg backend on the command line, I haven't got much hope that this might be the reason.
If I missed something obvious, done something wrong or could get any other clue on what approach might get me further into to how to store secrets in hiera (eyaml comes to mind), I'd appreciate.

Have a nice weekend everybody.

edit retag flag offensive close merge delete