
Saltstack use environment variables in an external pillar

I have a salt external pillar that is designed to connect to a remote resource and fetch secrets, then inject them into my minion's pillar data. To connect to the remote resource I need to pass the credentials securely to the external pillar. I have tried doing this from environment variables, and I would prefer not writing the credentials to disk. My issue is that salt is not able to access the environment variables I export before execution.

My external pillar looks something like this:

import os

# Credentials are read from the environment once, when the module is imported
access_key, secret_key = os.environ.get('ACCESS_KEY', None), os.environ.get('SECRET_KEY', None)


def __virtual__():
    # Only load the module when both credentials are present
    if access_key is None or secret_key is None:
        return False
    return 'my_pillar_module'

Then I would like to execute this code like this:

export ACCESS_KEY   # both variables are assumed to be set in the shell already
export SECRET_KEY
salt 'my.minion' pillar.data  # or any other salt invocation

The above execution does not work because the os.environ object does not see the exported env vars. I can get around this by writing a temporary file out and reading from it, but I was wondering if there is a better way to do this. Open to suggestions and prefer not writing out my credentials.

I was able to set my credentials as environment variables, then pass them to the salt command via pillar data. By doing this I never write the credentials to disk. External CI/CD systems like Jenkins or GitHub Actions can call this the same way and never store creds on the box! Example below:

export MY_TOKEN   # both variables are assumed to be set in the shell already
export MY_SECRET

# the pillar override is passed as the pillar= argument of the function being called
salt 'my.minion' pillar.data pillar='{"TOKEN": "'$MY_TOKEN'", "SECRET": "'$MY_SECRET'"}'

Then inside the external pillar I used the ext_pillar method's pillar data to set the variables as needed.

def ext_pillar(minion_id, pillar, **kwargs):
    # The pillar override from the command line is already merged into `pillar`
    token, secret = pillar.get('TOKEN', None), pillar.get('SECRET', None)
    if not token or not secret:
        return {}
    # Use the credentials to fetch from the remote resource here and
    # return the resulting pillar data (the fetch itself is omitted)
    pillar_data = {}
    return pillar_data
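The reason the question's approach fails is that ext_pillar modules run inside the salt-master process, which was started separately and never sees variables exported later in the shell that runs the `salt` client; the client only publishes a job to the master. The pillar override in the answer works because it travels with the job. The following is an added example, not code from the question or the answer, that puts the answer's pattern into a complete module: it reads the credentials from the pillar override, fetches secrets from a stand-in remote store, and returns only the fetched secrets. The remote backend is replaced by an in-memory dict of constructed sample data so it runs offline; `REMOTE_STORE`, `fetch_remote_secrets`, `build_override_arg` and `compile_pillar` are hypothetical names, and `compile_pillar` only imitates how the master merges an override before calling ext_pillar.

```python
"""Added example (not from the original question or answer): an ext_pillar
that takes its credentials from the pillar override passed on the command
line and fetches secrets from a stubbed remote resource.

Assumptions: the real remote secret store is replaced by an in-memory dict
(constructed sample data); REMOTE_STORE, fetch_remote_secrets,
build_override_arg and compile_pillar are hypothetical names."""

import json
import logging
import os

log = logging.getLogger(__name__)

# Constructed stand-in for the remote backend: (token, secret) -> secrets it serves
REMOTE_STORE = {
    ("example-token", "example-secret"): {"db_password": "s3cr3t-db", "api_key": "abc123"},
}


def fetch_remote_secrets(token, secret):
    """Hypothetical remote call; rejects bad credentials like a real client would."""
    try:
        return dict(REMOTE_STORE[(token, secret)])
    except KeyError:
        raise PermissionError("remote resource rejected the supplied credentials")


def __virtual__():
    # Nothing is read from os.environ at import time: the master process does not
    # inherit exports made in the shell that runs the salt CLI.
    return "my_pillar_module"


def ext_pillar(minion_id, pillar, **kwargs):
    """Salt ext_pillar entry point: `pillar` holds what the master has compiled so
    far, which includes the override passed with `salt ... pillar='{...}'`."""
    token, secret = pillar.get("TOKEN"), pillar.get("SECRET")
    if not token or not secret:
        log.debug("no credentials in pillar override for %s; skipping", minion_id)
        return {}
    try:
        secrets = fetch_remote_secrets(token, secret)
    except PermissionError as exc:
        log.error("ext_pillar for %s failed: %s", minion_id, exc)
        return {}
    # Return only the fetched secrets, never the credentials themselves
    return {"remote_secrets": secrets}


def build_override_arg(env=os.environ):
    """Builds the pillar='...' argument the answer assembles with shell quoting,
    using json.dumps so tokens containing quotes or spaces survive intact."""
    override = {"TOKEN": env.get("MY_TOKEN", ""), "SECRET": env.get("MY_SECRET", "")}
    return "pillar=" + json.dumps(override)


def compile_pillar(minion_id, override_arg):
    """Hypothetical imitation of the master: merge the override into the static
    pillar, run ext_pillar on the result, and merge what it returns."""
    override = json.loads(override_arg[len("pillar="):])
    base = {"role": "web"}  # constructed static pillar
    merged = {**base, **override}
    merged.update(ext_pillar(minion_id, merged))
    return merged


if __name__ == "__main__":
    arg = build_override_arg({"MY_TOKEN": "example-token", "MY_SECRET": "example-secret"})
    print(json.dumps(compile_pillar("my.minion", arg), indent=2))
```

Two things the output makes visible: the override itself stays in the merged pillar, so TOKEN and SECRET are delivered to the minion alongside the fetched secrets, and because the override is part of the job's arguments it is recorded in the master's job cache and, if typed interactively, in shell history. "Never on disk" therefore holds for the ext_pillar module's own handling of the credentials, not for everything around the command.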
