Configure puppet access

The puppet access command allows users to generate and manage authentication tokens from the command line of any workstation (Puppet-managed or not), without the need to SSH into the primary server. If you want to use puppet access, ensure it is configured correctly before using it to generate authentication tokens.

The configuration file for puppet access allows you to define default settings so that you can generate tokens from the CLI without having to pass additional flags.

Whether you are running puppet access on a PE-managed server or installing it on a separate work station, you need a global configuration file and a user-specified configuration file.

Global configuration file

The global configuration file is located at:

  • On *nix systems:/etc/puppetlabs/client-tools/puppet access.conf
  • On Windows systems:C:/ProgramData/PuppetLabs/client-tools/puppet access.conf

On machines managed by Puppet Enterprise (PE), the global configuration file is created for you. The configuration file is formatted in JSON. For example:

{
    "service-url": "https://<CONSOLE_HOSTNAME>:4433/rbac-api",
    "token-file": "~/.puppetlabs/token",
    "certificate-file": "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
}
PE determines and populates the service-url setting.

If you're running puppet access from a workstation not managed by PE, you must create the global file and populate it with the required configuration file settings.

User-specified configuration file

The user-specified configuration file is located at ~/.puppetlabs/client-tools/puppet access.conf for both *nix and Windows systems.

The user-specified configuration file always takes precedence over the global configuration file. For example, if the two files have contradictory settings for the token-file, the user-specified setting prevails.

You must create the user-specified file and populate it with the configuration file settings. A list of configuration file settings is found in Configuration file settings for puppet access.

User-specified configuration files must be in JSON format. HOCON and INI-style formatting are not supported.