Hiera 1: Command Line Usage

Included in Puppet Enterprise 3.8. A newer version is available; see the version menu above for details.

Note: We’ve released a major update to Hiera called Hiera 5. It’s built into Puppet 4.9 and higher, and includes features like per-environment hierarchies, module data, simplified custom backends, improved debugging with puppet lookup --explain, and more.

As part of this update, we’ve moved Hiera’s documentation into the Puppet reference manual. Once you’ve upgraded to Puppet 4.9 or higher, see the following pages for more info about the new Hiera:

Hiera provides a command line tool that’s useful for verifying that your hierarchy is constructed correctly and that your data sources are returning the values you expect. You’ll typically run the Hiera command line tool on a puppet master, making up the facts agents would normally provide the puppet master using a variety of fact sources.


The simplest Hiera command takes a single argument — the key to look up — and will look up the key’s value using the static data sources in the hierarchy.

$ hiera ntp_server

A more standard invocation will provide a set of variables for Hiera to use, so that it can also use its dynamic data sources:

$ hiera ntp_server --yaml web01.example.com.yaml

Configuration File Location

The Hiera command line tool looks for its configuration in /etc/hiera.yaml, which is different from both Puppet Enterprise and open source Puppet. You can use the --config argument to specify a different configuration file. See the documentation on Hiera’s configuration file for notes on where to find this file depending on your Puppet version and operating system, and consider either reconfiguring Puppet to use /etc/hiera.yaml (Puppet 3) or set a symlink to /etc/hiera.yaml (Puppet 2.7).

Order of Arguments

Hiera is sensitive to the position of its command-line arguments:

  • The first value is always the key to look up.
  • The first argument after the key that does not include an equals sign (=) becomes the default value, which Hiera will return if no key is found. Without a default value and in the absence of a matching key from the hierarchy, Hiera returns nil.
  • Remaining arguments should be variable=value pairs.
  • Options may be placed anywhere.


Hiera accepts the following command line options:

Argument Use
-V, --version Version information
-c, --config FILE Specify an alternate configuration file location
-d, --debug Show debugging information
-a, --array Return all values as a flattened array of unique values
-h, --hash Return all hash values as a merged hash
-j, --json FILE JSON file to load scope from
-y, --yaml FILE YAML file to load scope from
-m, --mcollective IDENTITY Use facts from a node (via mcollective) as scope
-i, --inventory_service IDENTITY Use facts from a node (via Puppet’s inventory service) as scope

Fact Sources

When used from Puppet, Hiera automatically receives all of the facts it needs. On the command line, you’ll need to manually pass it those facts.

You’ll typically run the Hiera command line tool on your puppet master node, where it will expect the facts to be either:

Descriptions of these choices are below.

Command Line Variables

Hiera accepts facts from the command line in the form of variable=value pairs, e.g. hiera ntp_server ::osfamily=Debian clientcert="web01.example.com". Variables on the command line must be specified in a way that matches how they appear in hiera.yaml, including the leading :: for facts and other top-scope variables. Variable values must be strings and must be quoted if they contain spaces.

This is useful if the values you’re testing only rely on a few facts. It can become unwieldy if your hierarchy is large or you need to test values for many nodes at once. In these cases, you should use one of the other options below.

JSON and YAML Scopes

Rather than passing a list of variables to Hiera as command line arguments, you can use JSON and YAML files. You can construct these files yourself, or use a YAML file retrieved from Puppet’s cache or generated with facter --yaml.

Given this command using command line variable assignments:

$ hiera ntp_server osfamily=Debian timezone=CST

Note: For Puppet, facts are top-scope variables, so their fully-qualified form is $::fact_name. When called from within Puppet, Hiera will correctly interpolate %{::fact_name}. However, Facter’s command-line output doesn’t follow this convention — top-level facts are simply called fact_name. That means you’ll run into trouble in this section if you have %{::fact_name} in your hierarchy.

The following YAML and JSON examples provide equivalent results:

Example YAML Scope

$ hiera ntp_server -y facts.yaml

# facts.yaml
"::osfamily": Debian
"::timezone": CST

Example JSON Scope

$ hiera ntp_server -j facts.json

// facts.json
  "::osfamily" : "Debian",
  "::timezone" : "CST"


If you’re using Hiera from a user account that is allowed to issue MCollective commands, you can ask any node running MCollective to send you its facts. Hiera will then use those facts to drive the lookup.

To do this, use the -m or --mcollective flag and give it the name of an MCollective node as an argument:

$ hiera ntp_server -m balancer01.example.com

Note that you must be running the Hiera command from a user account that is authorized and configured to send MCollective commands, and is also able to read the Hiera configuration and data files.

Puppet Enterprise Example

In Puppet Enterprise 2.x or 3.x, you can do Hiera lookups with MCollective by switching to the peadmin account on the puppet master server, which is authorized to issue orchestration commands.

# sudo -iu peadmin
$ hiera ntp_server -m balancer01.example.com

Make sure that the peadmin user is allowed to read the Hiera config and data files.

Inventory Service

If your puppet master is connected to a PuppetDB server (or has the older ActiveRecord inventory service enabled), you can get Hiera lookups using the actual facts reported by an actual puppet agent node. This goes through Puppet’s inventory service API.

To do this, use the -i or --inventory_service flag and give it the name of a Puppet node as an argument:

$ hiera ntp_server -i balancer01.example.com

Note: Known Bug With Puppet 3.x

In Hiera 1.3 and earlier, inventory lookups will fail when Puppet 3.x is present. This is a bug in Hiera, which will be fixed in a future release.

Allowing Lookups on the Puppet Master

Before you can do Hiera lookups via the inventory, you’ll need to enable access in the puppet master’s auth.conf file. You must ensure that the node you will be doing lookups from can call the find method on the /facts path. This will probably look something like this:

path  /facts
method find, search
auth yes
allow pe-internal-dashboard, puppet.example.com

When choosing the name and certificate to use when contacting the puppet master, Hiera uses the existing puppet.conf and agent certificate on the node. If you are running as root, it will impersonate the agent node you are running on; if you are running as another user, it will use configuration and credentials in ~/.puppet/ instead.

To run as a different user, you may need to request a separate certificate, since the master won’t sign two certificates with the same certname. To do this:

  1. Create a ~/.puppet/puppet.conf file and set the certname setting to something unique.
  2. Run puppet agent --test to request a certificate.
  3. On the puppet master, sign the certificate.
  4. Run puppet agent --test again.

Lookup Types

By default, the Hiera command line tool will use a priority lookup, which returns a single value — the first value found in the hierarchy. There are two other lookup types available: array merge and hash merge.

Array Merge

An array merge lookup assembles a value by merging every value it finds in the hierarchy into a flattened array of unique values. See “Array Merge Lookup” for more details.

Use the --array option to do an array merge lookup.

If any of the values found in the data sources are hashes, the --array option will cause Hiera to return an error.


A hash merge lookup assembles a value by merging the top-level keys of each hash it finds in the hierarchy into a single hash. See “Hash Merge Lookup” for more details.

Use the --hash option to do a hash merge lookup.

If any of the values found in the data sources are strings or arrays, the --hash option will cause Hiera to return an error.

↑ Back to top