Is it possible to encrypt a password in the manifest file (Windows-dsc module) - SOLVED

asked 2018-10-31 13:06:16 -0600

dragan979

updated 2018-11-05 03:08:45 -0600

I installed the dsc module and added an AD user to a domain controller using Puppet. The code below works fine when hard-coding the password as plain text. Is it possible somehow to encrypt those passwords?

I read that hiera-eyaml is the solution for this, so I encrypted the password:

[root@PUPPET puppet]# /opt/puppetlabs/puppet/bin/eyaml encrypt -p
Enter password: **********

Then I stored that encrypted pass in the /etc/common.eyaml file (specified in the hiera config file):

/opt/puppetlabs/puppet/bin/eyaml edit /etc/common.eyaml

I can decrypt the file successfully:

 /opt/puppetlabs/puppet/bin/eyaml decrypt -f /etc/common.eyaml

Then I specified the encrypted pass in the manifest file:


dsc_xADUser { 'FirstUser':
  dsc_ensure                        => 'present',
  dsc_domainname                    => '',
  dsc_username                      => 'tfl',
  dsc_userprincipalname             => '',
  dsc_password                      => {
    'user'     => '',
    'password' => Sensitive('pass'),
  },
  dsc_passwordneverexpires          => true,
  dsc_domainadministratorcredential => {
    'user' => '',


On the Windows node I got this error:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Could not parse for environment production: Syntax error at '+' (file: /etc/puppetlabs/code/environments/production/manifests/site.pp, line: 69, column: 123) on node

When putting quotes around the pass, I then get: Password doesn't meet complexity....

Hiera config file:

cat /etc/puppetlabs/puppet/hiera.yaml

version: 5
defaults:
  datadir: data
  data_hash: yaml_data
hierarchy:
  - name: "Eyaml hierarchy"
    lookup_key: eyaml_lookup_key # eyaml backend
    paths:
      - "/etc/common.yaml"
    options:
      pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
      pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem"

How do I map this password from hiera to the site.pp file?



The encrypted value needs to go in an eyaml file in your hierarchy, not directly in your manifest.

DarylW ( 2018-11-01 08:44:14 -0600 )

Thanks, it works!!

dragan979 ( 2018-11-05 03:08:26 -0600 )
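
The approach DarylW describes, written out as an added example (not code from the thread): the ciphertext stays in the eyaml data file and site.pp fetches the decrypted value with lookup(). The Hiera key names, the domain name and the account names are assumptions.

```puppet
# Added example; 'ad_first_user_password' and 'ad_domain_admin_password' are
# hypothetical Hiera keys, and the domain and account names are constructed.
#
# The eyaml data file listed in hiera.yaml holds the output of
# `eyaml encrypt -p` as an ordinary YAML value:
#
#   ad_first_user_password: ENC[PKCS7,<ciphertext printed by eyaml encrypt>]
#   ad_domain_admin_password: ENC[PKCS7,<ciphertext printed by eyaml encrypt>]
#
# The ENC[...] text is only decrypted by the eyaml_lookup_key backend during a
# Hiera lookup on the Puppet server. The manifest parser does not decrypt it.

# Fetch the decrypted strings and wrap them so that Puppet redacts them in
# logs and reports.
$user_password  = Sensitive(lookup('ad_first_user_password', String))
$admin_password = Sensitive(lookup('ad_domain_admin_password', String))

dsc_xADUser { 'FirstUser':
  dsc_ensure                        => 'present',
  dsc_domainname                    => 'example.local',      # constructed
  dsc_username                      => 'tfl',
  dsc_userprincipalname             => 'tfl@example.local',  # constructed
  dsc_password                      => {
    'user'     => 'tfl',
    'password' => $user_password,
  },
  dsc_passwordneverexpires          => true,
  dsc_domainadministratorcredential => {
    'user'     => 'EXAMPLE\Administrator',                   # constructed
    'password' => $admin_password,
  },
}
```

Sensitive only redacts the value from logs and reports. The decrypted password is still delivered to the Windows node inside the compiled catalog.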