This is an example of using other secrets management tools instead of Chef encrypted data bags or Chef Vault.
For Azure, I've forked the azure_keyvault cookbook to azure_keyvault cookbook.
A kitchen.azure.yml
file has been added with Lifecycle Hooks which create an Azure Key Vault for testing purposes.
It is intended to add example libraries for other secrets management tools, initially also AWS Secrets Manager.
A kitchen.aws.yml
file has been added with Lifecycle Hooks which create a secret in AWS Secrets Manager for testing purposes, with example IAM instance profile creation.
- Create an Azure Key Vault: You'll need to create a vault in Azure. Either in the portal or CLI. I recommend creating a vault just for your Chef secrets, instead of reusing one being used for other purposes.
- Create a principal to access your Vault: You'll need to create an Azure principal or Identity and provide permissions to it. (see below)
Reasonable options include:
- A Managed Identity for an Azure VM
- Once created, you'll need a programatic way to assign the VM access to your Azure Key Vault resource
- A service principal which can be created with the Azure CLI
You'll need to ensure that appropriate permissions are granted to your Keyvault once created. Short tutorial on this subject:
In order to access the Azure Key Vault via Service Principal, authentication credentials need to be available to the node. Since it's bad practice to store credentials in code (such as directly in an attribute, or recipe), I suggest either:
- Storing the secret in a Chef encrypted data bag
- Storing the secret in a protected file much like the Chef
encrypted_data_bag_secret
file used to access Chef encrypted data bags.
This helper will allow you to retrieve a secret from an azure keyvault.
spn = {
'tenant_id' => '11e34-your-tenant-id-1232',
'client_id' => '11e34-your-client-id-1232',
'secret' => 'your-client-secret'
}
# Write the secret to a file:
file '/etc/config_file' do
content lazy { "password = #{akv_get_secret(vault: <vault_name>, secret: <secret_name>, spn: spn)}" }
end
If you don't provide an spn, akv_get_secret
will assume you're using an Managed Service Identity.
# Write the secret to a file:
file '/etc/config_file' do
content lazy { "password = #{akv_get_secret(vault: <vault_name>, secret: <secret_name>)}" }
end
When using a user-assigned Managed Identity only one of client_id
, object_id
or msi_res_id
must be provided.
user_assigned_msi = {
'client_id' => '11e34-your-client-id-1232'
}
# user_assigned_msi = {
# 'object_id' => '11e34-your-object-id-1232'
# }
# user_assigned_msi = {
# 'msi_res_id' => '11e34-your-msi-res-id-1232'
# }
# Write the secret to a file:
file '/etc/config_file' do
content lazy { "password = #{akv_get_secret(vault: <vault_name>, secret: <secret_name>, user_assigned_msi: user_assigned_msi)}" }
end
This helper will allow you to retrieve a secret from AWS Secrets Manager. It assumes the EC2 instance has an IAM instance profile that allows it access.
# Write the secret to a file:
file '/etc/config_file' do
content lazy { "password = #{get_aws_secret(<secret_name>, <region_name>)}" }
end
- Author:: Jeff Mendoza (jemendoz@microsoft.com)
- Author:: Andre Elizondo (andre@chef.io)
- Author:: Kris Zentner (krisz@microsoft.com)
Copyright (c) Microsoft Open Technologies, Inc.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.