/azure_keyvault

Azure Key Vault integration for Chef

Primary LanguageRubyApache License 2.0Apache-2.0

Azure Key Vault Chef Cookbook

Description

This is a fork of the azure-cookbook, paired down to only support Azure Key Vault (AKV). This reduces dependancies, making the cookbook easier to support and forces it to do one thing well. This cookbook allows Chef users the option to use Azure Key Vault as a main secret store instead of Chef encrypted data bags. The library has also been refactored to use the official Azure SDK for Ruby.

Requirements

  • Create an Azure Key Vault: You'll need to create a vault in Azure. Either in the portal or CLI. I recommend creating a vault just for your Chef secrets, instead of reusing one being used for other purposes.
  • Create a principal to access your Vault: You'll need to create an Azure principal or Identity and provide permissions to it. (see below)

Azure Credentials

Reasonable options include:

You'll need to ensure that appropriate permissions are granted to your Keyvault once created.

I've created a short tutorial on this subject here:

In order to access the Azure Key Vault via Service Principal, authentication credentials need to be available to the node. Since it's bad practice to store credentials in code (such as directly in an attribute, or recipe), I suggest either:

  • Storing the secret in a Chef encrypted data bag
  • Storing the secret in a protected file much like the Chef encrypted_data_bag_secret file used to access Chef encrypted data bags.

Recipes

default.rb

The default recipe installs the azure Ruby gem, which this cookbook requires in order to work with the Azure API. Make sure that the azure_keyvault recipe is in the node or role run_list before any resources from this cookbook are used.

"run_list": [
  "recipe[azure_keyvault]"
]

The gem_package is created as a Ruby Object and thus installed during the Compile Phase of the Chef run.

Helpers

akv_vault_secret

This helper will allow you to retrieve a secret from an azure keyvault. If you don't provide an spn, akv_get_secret will assume you're using an Managed Service Identity.

spn = {
  'tenant_id' => '11e34-your-tenant-id-1232',
  'client_id' => '11e34-your-client-id-1232',
  'secret' => 'your-client-secret'
}

super_secret = akv_get_secret(<vault_name>, <secret_name>, spn)

# Write the secret to a file:
file '/etc/config_file' do
  content "password = #{super_secret}"
end

License and Author

Copyright (c) Microsoft Open Technologies, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.