Sensitive
Sensitive types in the Puppet language are strings marked as sensitive. The value is displayed in plain text in the catalog and manifest, but is redacted from logs and reports. Because the value is maintained as plain text, use it only as an aid to ensure that sensitive values are not inadvertently disclosed.
The Sensitive type can be written as Sensitive.new(val), or the short form Sensitive(val).
Parameters
Sensitive is: Sensitive.new([<STRING VALUE>])
The Sensitive type is parameterized, but the parameterized type (the type of the value it contains) only retains the basic type. Sensitive information about the length or details about the contained data value can otherwise be leaked.
It is therefore not possible to have detailed data types and expect the data type to match. For example, Sensitive[Enum[red, blue, green]] fails if a value of Sensitive('red') is given. When a sensitive type is used, the type parameter must be generic; in this example, a Sensitive[String] would match Sensitive('red') instead.
notice:
    $secret = Sensitive('myPassword')
    notice($secret)
The example manifest would log the following notice:
    Notice: Scope(Class[main]): Sensitive [value redacted]
To gain access to the original data, use the unwrap function:
    $secret = Sensitive('myPassword')
    $processed = $secret.unwrap
    notice $processed
Use Sensitive and unwrap only as an aid for logs and reports. The data is not encrypted.
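The following is an added example, not part of the original Puppet documentation. It shows how to apply detailed validation when the type parameter has to stay generic, and how to keep a derived value redacted after unwrap. The class name, parameter names and file path are hypothetical.

```puppet
# Added illustration; class name, parameter names and file path are hypothetical.
class example_app::db_config (
  # Generic type parameters, so values such as Sensitive('...') match.
  # Sensitive[Enum[...]] would fail to match, as described above.
  Sensitive[String] $db_password,
  Sensitive[String] $tls_mode,
) {
  # Detailed constraints are checked on the unwrapped value instead.
  # The failure messages name the parameter and never include the value.
  unless $tls_mode.unwrap =~ Enum['require', 'verify-full'] {
    fail('tls_mode must be require or verify-full')
  }
  unless $db_password.unwrap =~ String[12] {
    fail('db_password must be at least 12 characters')
  }

  # Interpolating an unwrapped value produces an ordinary String, which is no
  # longer redacted. Re-wrap the result before it can reach logs or reports.
  $conf = Sensitive("sslmode=${tls_mode.unwrap}\npassword=${db_password.unwrap}\n")

  # notice() on the wrapped value is redacted, as in the example above.
  notice($conf)

  # The content is still plain text in the catalog and on disk, so the file
  # permissions are what protect it on the node.
  file { '/etc/example_app/db.conf':
    ensure  => file,
    owner   => 'root',
    mode    => '0600',
    content => $conf,
  }
}
```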