Example Packer with Vault integration

I’m using Packer for deploying Windows templates on VMware environments using “vsphere-iso”. This works great!

The usernames and passwords are in clear text which causes a security issue.
Vault can solve this problem.

I have Vault installed on a Windows server and configured kv secrets. How do I configure the Packer to interact with Vault? Does anybody have an example?

We don’t claim this is best practice and we only use http on the localhost, https should just be filling in the values for your setup.

export VAULT_ADDR=
export VAULT_USER_TOKEN="$(secret-tool lookup vault your policy user|head)"
export VAULT_TOKEN="$(VAULT_TOKEN=${VAULT_USER_TOKEN} vault token create \
                                      -format=json \
                                      -policy="yours/packer" \
                                      -period=2h | \
                                      jq -r ".auth.client_token")"
packer build .....

In your packer template you would then use Packer’s vault function.

If you require that a secret be retrieved by some provisioning script, ansible, chef, puppet etc., then you have to make one of the following choices:

  • Retrieve the secret in your Packer template and pass it to your script as an env-var. Make sure to add this variable to Packer’s sensitive_variables list.
  • Make your Vault server accessible to the VM that your provisioning script runs on.
  • SSH tunnel your local Vault connection to the VM that your provisioning script runs on.

You could also setup your builds so that secrets only get added at the time the image runs, rather than builds. However we don’t use that approach and I’ll leave others to elaborate on that use case.

Hope that helps?

1 Like

Here’s a demo repo and README with a detailed tutorial: GitHub - SwampDragons/cool_new_features_demos: demo files used in my HashiTalk about newish Packer features

Thanks for the info!