---
title: "Puppet Integration - Cloudsmith"
description: "Use Cloudsmith with Puppet to serve secure, GPG-signed private packages to your infrastructure nodes. Native apt and yum support, flexible authentication, and full audit trails."
canonical_url: "https://cloudsmith.com/product/integrations/puppet"
last_updated: "2026-05-07T10:59:44Z"
---
# Puppet Integration - Cloudsmith

## Automate package delivery with **Puppet** and Cloudsmith

Puppet gives your teams declarative, code-driven control over infrastructure configuration. Pair it with Cloudsmith to serve private Debian and RPM packages directly to your Puppet-managed nodes, with secure authentication, GPG-signed repositories, and full audit trails baked in.

## How we support **Puppet**

Cloudsmith gives your Puppet manifests a secure, reliable source of truth for every package your infrastructure depends on. From Debian to RPM, private or public, Cloudsmith fits natively into your existing Puppet workflow.

[Read our Puppet documentation](https://docs.cloudsmith.com/integrations/integrating-with-puppet)

### Native Debian repository support

Cloudsmith repositories work as native apt sources. Use the Puppet apt module to configure GPG keys and sources directly in your manifests, with no custom scripts required.

### Flexible authentication

Authenticate Puppet agents against Cloudsmith using API keys or OIDC. Create dedicated service accounts for bot and automation use cases, keeping credentials isolated and independently revocable.

### GPG-signed packages

Every Cloudsmith repository ships with a GPG key you can wire directly into your Puppet manifest, ensuring agents only install packages with verified provenance.

### Fast, reliable package delivery

Cloudsmith's CDN-backed infrastructure with 600+ edge points of presence ensures your Puppet agents can pull packages quickly, regardless of where your nodes are deployed.

### Full audit trails and observability

Client and audit logs give you a complete record of every package request made by your Puppet agents, so you can trace exactly what was installed, when, and from which node.

## Why teams integrate Cloudsmith with **Puppet**

Without a managed artifact registry, Puppet deployments rely on fragile, public package sources that can change without warning. Cloudsmith gives every node a stable, secure, and auditable supply of packages.

| Without Cloudsmith | With Cloudsmith |

| --- | --- |

| Puppet manifests point directly at public repositories. An upstream change, outage, or package removal breaks your catalog runs mid-deployment, with no way to pin or roll back. | Cloudsmith serves as a private, immutable mirror of every package your manifests depend on. Upstream changes never reach your nodes until you decide they should. |

| There is no consistent authentication layer across Puppet agents. Teams share credentials in plain text inside manifests or rely on open, unauthenticated repositories. | Cloudsmith entitlement tokens give each node or team scoped, revocable access to exactly the repositories they need, with no credentials baked into your manifest code. |

| Package downloads have no audit trail. When a compliance audit arrives, there is no record of which node installed what, or when - leaving gaps in your software supply chain. | Cloudsmith logs every package request with node-level detail. You get a full, queryable audit trail that satisfies compliance requirements without any additional tooling. |

## Frequently asked questions

### What package formats does Cloudsmith support for use with Puppet?

Cloudsmith supports Debian (apt) and RedHat (yum/dnf) repositories natively, which are the most common formats used with Puppet. Both public and private repositories are supported, and Puppet's official apt and yum modules can configure them directly from your manifests.

### How do Puppet agents authenticate against a private Cloudsmith repository?

Cloudsmith supports API keys and OIDC-based authentication. For automated Puppet agents and bots, create dedicated service accounts with scoped API keys so credentials are isolated and independently revocable. OIDC removes the need to store long-lived secrets entirely.

### How do I set up GPG key verification in my Puppet manifest?

Cloudsmith generates a GPG signing key for each repository. In your Puppet manifest, use the apt::key resource with the 20-byte fingerprint and the key URL provided in the Cloudsmith repository settings. This ensures all packages installed on your nodes are cryptographically verified before installation.

### Can I use Cloudsmith with Puppet to manage packages across a large fleet of nodes?

Yes. Cloudsmith's cloud-native infrastructure is built to scale without you managing any underlying hardware. Its CDN-backed delivery with 600+ edge points of presence ensures consistent, low-latency downloads for Puppet agents regardless of where your nodes are geographically located.

### Does Cloudsmith provide visibility into which packages Puppet agents have downloaded?

Yes. Cloudsmith's client logs capture every package request, including the requesting node, timestamp, package version, and authentication method used. These logs are queryable and exportable, giving your team full traceability across your Puppet-managed infrastructure.
