PAM360 Plugins for Chef and Puppet

9 minutes to read

Chef

  1. Introduction to Chef
  2. Steps to set up the PAM360 plugin for Chef

    2.1 Enabling Chef integration in PAM360

    2.2 Invoking the PAM360 plugin in Chef

Puppet

  1. Introduction to Puppet
  2. Steps to set up the PAM360 plugin for Puppet

    2.1 Enabling Puppet integration in PAM360

    2.2 Invoking the PAM360 plugin in Puppet

Sample Codes

  1. Sample code to fetch resource and account details using the PAM360 plugin
  2. Sample code to fetch the password using the PAM360 plugin

Chef

1. Introduction to Chef

Chef is a ruby-based configuration management tool that provides a way to define infrastructure as code (IAC) wherein managing infrastructure is made simple through writing code rather than using manual processes. Chef operates using a Client-Server architecture.

The PAM360 lookup plugin developed for Chef helps improve security and ease of Password Management in an organization's DevOps pipeline. Once imported into Chef, the PAM360 plugin can fetch credentials and account information directly from the PAM360 vault during Chef cookbook runtime, thus eliminating the need to use hard-coded credentials. Upon secure retrieval, the credentials can then be used for actions such as connecting to a remote host. The credentials stored in PAM360 are regularly rotated in the vault and also updated in the respective remote device; this ensures that only the latest passwords or keys are retrieved from the vault when the Chef plugin is invoked.

2. Steps to Set Up the PAM360 Plugin for Chef

The following are the steps to set up and manage sensitive credentials in Chef with PAM360.

  1. Enabling Chef integration in PAM360.
  2. Invoking the PAM360 plugin in the Chef cookbooks.

2.1 Enabling Chef Integration in PAM360

  1. Log into PAM360 and navigate to Admin >> Integration >> CI/CD Platform Integration.
  2. Click the Chef option.
  3. In the CI/CD Platform Integration window, click Generate to populate an AUTH Token automatically. This will be required later while invoking the plugin in the Chef cookbooks. Once set up, all incoming connections from Chef will be validated by PAM360 using this AUTH token.


  4. Enter the username of an active PAM360 user. PAM360 will map the auth token to this user account and it will be used to retrieve required passwords from PAM360's vault. Once PAM360 maps the auth token to this user, the resources owned/shared to this user can also be accessed using this auth token.  
  5. Click Enable.

Note: Ensure that the PAM360 user account you provide has the minimum required permissions for this workflow i.e. privilege to view/retrieve the passwords of resources which Chef has to connect to. The passwords of resources owned by and shared to this user are the only credentials that Chef will have access to in PAM360.

2.2 Invoking the PAM360 Plugin in Chef

Import PAM360's ruby gem into your Chef cookbooks by executing the following:

2.2.1 Initialize the PAM360 Class Object with Credentials

syntax:gemData = PAM360Gem.new("Hostname","Auth token",Path,port number)

Wherein,

  • Host name = The PAM360 hostname of the account whose username was provided in Step 2.1.
  • Auth Token = The respective auth token generated in Step 2.1.
  • Path = Path to SSL certificate of the PAM360 server.
  • Port number = The port number used for your PAM360 server. You need to specify this only if the port used is not the default PAM360 port 8282.

2.2.2 Methods To Be Applied to the Chef Cookbook to Invoke the PAM360 Plugin

gemData.getAccountPassword("resource name","account name")

This method fetches the account password as a string.

gemData.getAccountDetails("resource name","account name")

This method returns the resource and account details in the array of JSON format.

Puppet

1. Introduction to Puppet

Puppet is a ruby-based configuration management tool similar to Chef. Puppet also operates using a Client-Server architecture in which the Master and Slave communicate through a secure encrypted channel with the help of SSL. Puppet is mainly used for deploying, configuring and managing servers. Similar to Chef, the PAM360 lookup plugin can retrieve passwords from PAM360's vault when invoked.

2. Steps to Set Up the PAM360 Plugin for Puppet

The following are the steps to set up and manage sensitive credentials in Puppet with PAM360.

  1. Enabling Puppet integration in PAM360.
  2. Invoking the PAM360 plugin in Puppet.

2.1 Enabling Puppet Integration in PAM360

  1. Log into PAM360 and navigate to Admin >> Integration >> CI/CD Platform Integration.
  2. Click the Puppet option.
  3. In the CI/CD Platform Integration window, click Generate to populate an AUTH Token automatically. This will be required later while invoking the plugin in Puppet. Once set up, all incoming connections from Puppet will be validated by PAM360 using this AUTH token.


  4. Enter the username of an active PAM360 user. PAM360 will map the auth token to this user account and it will be used to retrieve required passwords from PAM360's vault. Once PAM360 maps the auth token to this user, the resources owned/shared to this user can also be accessed using this auth token.
  5. Click Enable.

Note: Ensure that the PAM360 user account you provide has the minimum required permissions for this workflow i.e. privilege to view/retrieve the passwords of resources which Puppet has to connect to. The passwords of resources owned by and shared to this user are the only credentials that Puppet will have access to in PAM360.

2.2 Invoking the PAM360 Plugin in Puppet

Import PAM360's ruby gem into Puppet by executing the following:

2.2.1 Initialize the PAM360 Class Object with Credentials

syntax:gemData = PAM360Gem.new("Hostname","Auth token",Path,port number)

Wherein,

  • Host name = The PAM360 hostname of the account whose username was provided in Step 2.1.
  • Auth Token = The respective auth token generated in Step 2.1.
  • Path = Path to SSL certificate of the PAM360 server.
  • Port number = The port number used for your PAM360 server. You need to specify this only if the port used is not the default PAM360 port 8282.

2.2.2 Methods To Be Applied to Puppet to Invoke the PAM360 Plugin

getAccountPassword(resourceName,AccountName)

This method fetches the account password as a string.

getAccountDetails(resourceName,AccountName)

This method returns the resource and account details in the array of JSON format.

Sample Codes

1. Sample Code to Fetch Resource and Account Details using the PAM360 Plugin

The following are the sample input and output codes and the corresponding sample responses to fetch the account details using the PAM360 plugin. The sample codes remain the same for both Chef and Puppet.

Sample Input

gem 'PAM360_Gem'

require 'PAM360_Gem' gemData = PAM360Gem.new("localhost","060CCDB8-71A0-4B8B-AC57-XXXXX","/home/local/user/servercertificate")

# resourcename = Windows accountname = useraccount1

puts("resourcedetails\n")

result = gemData.getAccountDetails("Windows ","useraccount1"))

puts(result[0])

puts("accountdetails\n")

puts(result[1])

Sample Output

resource details
{"RESOURCE_ID":1,"RESOURCE_NAME":"Windows","RESOURCE_DESCRIPTION":"","OPERATINGSYSTEM":"Windows","DNSNAME":"","DEPARTMENT":"","LOCATION":"","RESOURCE_URL":""} account details
{"ACCOUNTNAME":"useraccount1","PASSWORD":"Test@123"}

2. Sample Code to Fetch the Password using the PAM360 Plugin

The following are the sample input and output codes and the corresponding sample responses to fetch the password using the PAM360 plugin. The sample codes remain the same for both Chef and Puppet.

Sample Input

gem 'PAM360_Gem'

require 'PAM360_Gem'

gemData = PAM360Gem.new("localhost","060CCDB8-71A0-4B8B-AC57-XXXXX","/home/local/user/servercertificate")

# resourcename = Windows accountname = useraccount1

puts("accountpassword\n")

puts(gemData.getAccountPassword("Windows ","useraccount1"

Sample Output

accountpassword
Test@123

For more information on Chef and Puppet, refer to the following links:

Chef: https://www.chef.io

Puppet: https://puppet.com/

Top
Back to Top