Apparently there's no way to set this rather simple configuration item in the Palo Alto standard supported configuration format. This seems incredibly lame. Why is there not parity of functionality between XML and Set CLI syntax? If there isn't, then shouldn't automation tools like boostrapping support both formats?
To answer your question a bit more directly, the secret is hashed with the master key and the XML file won't accept a cleartext value (well it will, but it will then treat it as a hash value) and the only way to know the hash value would be to utilize it in the configuration and then share the same master key across all devices.
I have environments that share the same master key for simplicity in configuration (not recommended) and they've deemed the risk is low enough they are willing to accept any issues. This would be something you would need to bring up with leadership and see if they view it worth the risk of all devices sharing a master key.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!