Using Puppet with autoscaling AWS EC2 instances

One of the security features built in to puppet is the use of certificates so that the puppet master can confirm the authenticity of clients. The puppet agent on a client presents the master with a CSR (Certificate Signing Request) which the master will sign. However, when AWS autoscaling groups are used, instances are launched automatically so the manual signing of certificates is not appropriate.

To get around this autosigning can be enable on the Puppet master. A number of autosgining options are available:

  • Naive - enabled by adding autosign = true to the [master] section of puppet.conf Not recommended as it's insecure. allowing any agent to join.
  • Basic - uses a white list of hostnames that can autosign, enabled by adding autosign = white_list_file to the [master] section of puppet.conf. This is OK to use in fully trusted environments where you know that only trusted computers can connect to the master,
  • Policy Based - An external policy executable will be run each time the master receives a CSR. The CSR will be checked before it is approved for autosigning. We will use this for this example.

The first step to use policy based autosigning is to ensure the CSR submitted has the correct format. To do this a file called csr_attributes.yaml needs to be created in the puppet configuration directory, e.g. /etc/puppet . This should have the following format:

    1.2.840.113549.1.9.7: q3tjz88qmabtnTa8KtkCs2z5rXZ3vXsa
    pp_instance_id: $(curl -s
    pp_image_name:  $(curl -s

The custom_attribute specifies an OID (object identifier). The OID 1.2.840.113549.1.9.7 is part of X.509 functionality and is the challengePassword attribute.

The extension_requests are puppet specific OIDs ( a full list can be found on and the values are populated using the metadata of the EC2 instance.

You can either embed the csr_attributes.yaml file in the AMI used in the autoscaling launch configuration or add it to your userdata run when the instance is launched, e.g.

if [ ! -d /etc/puppet ]; then
   mkdir /etc/puppet
erb > /etc/puppet/csr_attributes.yaml <<END
    1.2.840.113549.1.9.7: q3tjz88qmabtnTa8KtkCs2z5rXZ3vXsa
    pp_instance_id: $(curl -s
    pp_image_name:  $(curl -s

(assumes erb binary is installed on your instance)

Finally, you need a script to process the CSR.


/usr/bin/openssl req -noout -text -in /var/lib/puppet/ssl/ca/requests/${CLIENT}.pem | grep q3tjz88qmabtnTa8KtkCs2z5rXZ3vXsa

Assuming the script is /etc/puppet/ , update puppet.conf so that autosign = /etc/puppet/ . The script needs to owned and executable by the user the master process runs as, e.g. the user puppet

Recent Changes

Contribute to this wiki

Why not help others by sharing your knowledge? Contribute something to this wiki and join out hall of fame!
Contact us for a user name and password