diff --git a/lib/puppet/functions/vault_lookup/lookup.rb b/lib/puppet/functions/vault_lookup/lookup.rb
index f748d65..5106cb9 100644
--- a/lib/puppet/functions/vault_lookup/lookup.rb
+++ b/lib/puppet/functions/vault_lookup/lookup.rb
@@ -2,9 +2,21 @@
   dispatch :lookup do
     param 'String', :path
     optional_param 'String', :vault_url
+    optional_param 'Boolean', :raise_exceptions
   end
 
-  def lookup(path, vault_url = nil)
+  def lookup(path, vault_url = nil, raise_exceptions = true)
+    _lookup(path, vault_url)
+  rescue StandardError => e
+    raise if raise_exceptions
+
+    Puppet.err(e.message)
+    nil
+  end
+
+  private
+
+  def _lookup(path, vault_url)
     if vault_url.nil?
       Puppet.debug 'No Vault address was set on function, defaulting to value from VAULT_ADDR env value'
       vault_url = ENV['VAULT_ADDR']
@@ -38,8 +50,6 @@ def lookup(path, vault_url = nil)
     Puppet::Pops::Types::PSensitiveType::Sensitive.new(data)
   end
 
-  private
-
   def get_auth_token(connection)
     response = connection.post('/v1/auth/cert/login', '')
     unless response.is_a?(Net::HTTPOK)
diff --git a/spec/functions/lookup_spec.rb b/spec/functions/lookup_spec.rb
index 415647e..6081abe 100644
--- a/spec/functions/lookup_spec.rb
+++ b/spec/functions/lookup_spec.rb
@@ -64,6 +64,13 @@
     }.to raise_error(Puppet::Error, %r{No vault_url given and VAULT_ADDR env variable not set})
   end
 
+  it 'returns nil instead of raising when raising is disabled' do
+    expect {
+      result = function.execute('/v1/whatever', 'vault.docker', false)
+      expect(result).to be(nil)
+    }.not_to raise_error
+  end
+
   it 'raises a Puppet error when auth fails' do
     connection = instance_double('Puppet::Network::HTTP::Connection', address: 'vault.doesnotexist')
     expect(Puppet::Network::HttpPool).to receive(:http_instance).and_return(connection)