/gr_secrets

Secrets Management Chef Cookbook

Primary LanguageRubyApache License 2.0Apache-2.0

Secrets Management Chef Cookbook

Description

This is an example of using other secrets management tools instead of Chef encrypted data bags or Chef Vault.

For Azure, I've forked the azure_keyvault cookbook to azure_keyvault cookbook.

A kitchen.azure.yml file has been added with Lifecycle Hooks which create an Azure Key Vault for testing purposes.

It is intended to add example libraries for other secrets management tools, initially also AWS Secrets Manager.

A kitchen.aws.yml file has been added with Lifecycle Hooks which create a secret in AWS Secrets Manager for testing purposes, with example IAM instance profile creation.

Azure Requirements

  • Create an Azure Key Vault: You'll need to create a vault in Azure. Either in the portal or CLI. I recommend creating a vault just for your Chef secrets, instead of reusing one being used for other purposes.
  • Create a principal to access your Vault: You'll need to create an Azure principal or Identity and provide permissions to it. (see below)

Azure Credentials

Reasonable options include:

You'll need to ensure that appropriate permissions are granted to your Keyvault once created. Short tutorial on this subject:

In order to access the Azure Key Vault via Service Principal, authentication credentials need to be available to the node. Since it's bad practice to store credentials in code (such as directly in an attribute, or recipe), I suggest either:

  • Storing the secret in a Chef encrypted data bag
  • Storing the secret in a protected file much like the Chef encrypted_data_bag_secret file used to access Chef encrypted data bags.

Helpers

akv_get_secret

This helper will allow you to retrieve a secret from an azure keyvault.

Using SPN:

spn = {
  'tenant_id' => '11e34-your-tenant-id-1232',
  'client_id' => '11e34-your-client-id-1232',
  'secret' => 'your-client-secret'
}

# Write the secret to a file:
file '/etc/config_file' do
  content lazy { "password = #{akv_get_secret(vault: <vault_name>, secret: <secret_name>, spn: spn)}" }
end

Using system-assigned Managed Identity:

If you don't provide an spn, akv_get_secret will assume you're using an Managed Service Identity.

# Write the secret to a file:
file '/etc/config_file' do
  content lazy { "password = #{akv_get_secret(vault: <vault_name>, secret: <secret_name>)}" }
end

Using user-assigned Managed Identity:

When using a user-assigned Managed Identity only one of client_id, object_id or msi_res_id must be provided.

user_assigned_msi = {
  'client_id' => '11e34-your-client-id-1232'
}
# user_assigned_msi = {
#   'object_id' => '11e34-your-object-id-1232'
# }
# user_assigned_msi = {
#   'msi_res_id' => '11e34-your-msi-res-id-1232'
# }

# Write the secret to a file:
file '/etc/config_file' do
  content lazy { "password = #{akv_get_secret(vault: <vault_name>, secret: <secret_name>, user_assigned_msi: user_assigned_msi)}" }
end

get_aws_secret

This helper will allow you to retrieve a secret from AWS Secrets Manager. It assumes the EC2 instance has an IAM instance profile that allows it access.

# Write the secret to a file:
file '/etc/config_file' do
  content lazy { "password = #{get_aws_secret(<secret_name>, <region_name>)}" }
end

License and Author

Copyright (c) Microsoft Open Technologies, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.