This cookbook aims to ease chef-vault
interaction by providing additional helpers, and testing the functionality on a Linux and Windows box.
More info about chef-vault
: https://github.com/chef-cookbooks/chef-vault
Let us say you are using a cookbook that requires you to set a password in an attribute. This attribute is usually set in a wrapper cookbook which includes the original cookbook. By including this cookbook as well, you can set the attribute in the wrapper cookbook's attribute file like this:
secret['cookbook']['password'] = chef_vault_item_or_default('vault', 'item')
This will set the attribute default['cookbook']['password']
to the item
from the vault
. It will also set the attribute to SECRET
at the end of the Chef run, therefore ensuring that the Chef Server will not contain the password in plaintext. If the item in the vault does not exist it will fail.
If you would like to default to a value in a testing environment, you can do:
fallback = Mash.new({ key: 'fallback' }) if ENV['TEST_KITCHEN'] || defined?(ChefSpec) || Chef::Config[:local_mode]
secret['cookbook']['password'] = chef_vault_item_or_default('vault', 'item', fallback)
# use it anywhere with node['cookbook']['password']['key']
Note that a chef-vault item will always be a hash, so it may be better to set the fallback to a similar hash as well.
Accessing many secrets on high latency links can be very long.
chef_vault_item_or_default
helper is able to cache for a few hours decrypted value on chef cache.
Call it with chef_vault_item_or_default('vault', 'item', fallback, true)
.
Cached entry has a TTL set randomly between 1 and 12 hours. This is to avoid refreshing all secrets at the same time (defeating the purpose of having caching).
Secret attributes are node attributes that are available only during the Chef run, but set to SECRET
when saved and uploaded to the Chef Server. These attributes are actually default node attributes set through a helper method, so you may access them as you would access any default node attribute.
Set a secret in cookbook attributes:
secret['cookbook']['password'] = 'SuperSecretPassword'
Read it anywhere like a default node attribute:
Chef::Log.info("This is my password: #{node['cookbook']['password']}")
Note: Please don't accidentally save your secrets in the Chef log file :)
When called with this syntax
secret['cookbook']['password'] = 'SuperSecretPassword'
actually calls
chef_secret_attribute_set(['cookbook', 'password'], 'SuperSecretPassword')
which in turn sets
default['cookbook']['password'] = 'SuperSecretPassword'
and will be cleared at the end by
chef_secret_attribute_clear(['cookbook', 'password'])
which sets
default['cookbook']['password'] = 'SECRET'
Get an item from the vault, or default to value if if the vault or item does not exist. If the default value is not specified, it will fail the Chef run.
chef_vault_item_or_default('vault', 'item', 'default')
Return true if item is a vault item. Note that unlike ChefVault::Item.vault?
, this method returns false if the data bag does not exist.
chef_vault_item_is_vault?('vault', 'item')