Ask Your Question

Eyaml decrypts to null string?

asked 2016-02-02 11:21:30 -0600

wsanders1 gravatar image

updated 2016-02-02 19:19:23 -0600

I have an yaml file, it has an encoded string in it. Our admins allow us to mix yaml and eyaml (see below for hiera.yaml) I can read and edit the eyaml with "eyaml edit":

  - 'cobbler'
  - 'repo-man'
cobbler::cobblersshkey: >

When I run the module on a puppet client, with a module that just prints the value of each variable, I get a null value for the string:

Manifest puppet code:

   class cobbler ($cobblerservers = ['IN HIERA'], $cobblerslaves = ['IN HIERA']) {
   $cobblerservers.each | String $host | {
    notify { "SERVER HOST: $host": }
  $cobblerslaves.each | String $host | {
    notify { "SLAVE HOST: $host": }
  notify { "KEY: $cobblersshkey": }
  file { '/tmp/keytest':
    ensure => file,
    content => "$cobblersshkey",


notice: SERVER HOST: cobbler
Notice: /Stage[main]/Cobbler/Notify[SERVER HOST: cobbler]/message: defined 'message' as 'SERVER HOST: cobbler'
Notice: SLAVE HOST: repo-man
Notice: /Stage[main]/Cobbler/Notify[SLAVE HOST: repo-man]/message: defined 'message' as 'SLAVE HOST: repo-man'
Notice: KEY:
Notice: /Stage[main]/Cobbler/Notify[KEY: ]/message: defined 'message' as 'KEY: '
Notice: Applied catalog in 0.90 seconds
(The file /tmp/keytest also gets created and is an empty file)

How can I debug why the eyaml block isn't getting decoded? If it were getting misinterpreted as plain yaml instead of eyaml I'd see the encrypted block, right? Do I need to install eyaml / gpg / keys on the puppet client? As I understand it decryption is done on the puppet master, right?

hiera.yaml file on puppet master:

  - "node/%{fqdn}"
  - "domain/%{domain}"
  - "%{application}/%{stage}"
  - "%{application}"
  - common
  - eyaml
  - yaml
  :datadir: "/etc/puppetlabs/code/hiera/%{environment}"
  :datadir: "/etc/puppetlabs/code/hiera/%{environment}"
  :extension: 'yaml'
  :encrypt_method: 'gpg'
  :gpg_gnupghome: '/etc/puppetlabs/gpghome'
  :gpg_recipients: ''
edit retag flag offensive close merge delete


Do you have the hiera-eyaml-gpg backend installed? It is required for using gpg with hiera eyaml.

lavaman gravatar imagelavaman ( 2016-02-02 14:05:10 -0600 )edit

Yes, and keys are all set up. After consulting with my local policy experts, who requested that I use my own gpg key, I generated my own key. The puppet master already has its own key. So, I generated the encrypted block with myself and the puppet master's key as recipients, and I can edit it with

wsanders1 gravatar imagewsanders1 ( 2016-02-02 17:25:36 -0600 )edit

"eyaml edit" and decrypt it with "eyaml decrypt". I also imported my own public key into the puppet master's keyring in /etc/puppetlabs/gpghome.

wsanders1 gravatar imagewsanders1 ( 2016-02-02 17:26:25 -0600 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2016-02-02 19:14:13 -0600

wsanders1 gravatar image


This was a hiera misconfiguration. I'm not a hiera expert, but I seem to have to "declare" the hiera data in my manifest for the code to see the variable:

changed the first line from:

  class cobbler ($cobblerservers = ['IN HIERA'], $cobblerslaves = ['IN HIERA']) {


  class cobbler ($cobblerservers = ['IN HIERA'], $cobblerslaves = ['IN HIERA'], $cobblersshkey='IN HIERA') {

There is probably a better way to do this....

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2016-02-02 11:21:30 -0600

Seen: 149 times

Last updated: Feb 02 '16