Chef Infra Client 17.5 and later includes a beta Secrets Management Integration helper. This helper allows accessing secrets from the following secrets management systems within your Infra recipes or resources:

- AWS Secrets Manager
- Akeyless Vault
- Azure Key Vault
- HashiCorp Vault
The secrets helper supports fetching secrets from AWS Secrets Manager using IAM roles applied to instances.

```ruby
secret(name: 'test1', service: :aws_secrets_manager)
secret(name: 'test1', service: :aws_secrets_manager, config: { region: 'us-west-2' })
```
The secrets helper supports fetching secrets from Akeyless Vault using an Akeyless access key and access id.

```ruby
secret(name: '/secret/data/my_secret',
       service: :akeyless_vault,
       config: {
         access_key: '12345678910=',
         access_id: 'p-12345678910'
       })
```
The secrets helper supports fetching secrets from Azure Key Vault. Secrets are addressed as `vault-name/secret-name`, optionally with a specific version.

```ruby
secret(name: 'vault-name/test-secret-1', service: :azure_key_vault)
secret(name: 'vault-name/test1', version: 'v1', service: :azure_key_vault)
```
The secrets helper supports fetching secrets from HashiCorp Vault using an IAM role, a token, or an AppRole.

Fetching secret data using an IAM role name:

```ruby
secret(name: 'secret/example',
       service: :hashi_vault,
       config: {
         vault_addr: 'vault.example.com',
         role_name: 'example-role'
       })
```

Fetching secret data using a token:

```ruby
secret(name: 'secret/example',
       service: :hashi_vault,
       config: {
         vault_addr: 'vault.example.com',
         auth_method: :token,
         token: '123456'
       })
```
Fetching secret data using an AppRole ID and an associated AppRole Secret ID:

```ruby
secret(name: 'secret/example',
       service: :hashi_vault,
       config: {
         vault_addr: 'vault.example.com',
         auth_method: :approle,
         approle_id: "11111111-abcd-1111-abcd-111111111111",
         approle_secret_id: "22222222-abcd-2222-abcd-222222222222"
       })
```
Fetching secret data using a token and an AppRole name, which creates a Secret ID associated with that AppRole:

```ruby
secret(name: 'secret/example',
       service: :hashi_vault,
       config: {
         vault_addr: 'vault.example.com',
         auth_method: :approle,
         approle_name: "my-approle",
         token: '123456'
       })
```
The secrets helper returns a text string, so it can be used anywhere in Chef Infra where you might hard code a value or access a value from a data bag.

```ruby
file '/home/ubuntu/aws-secret' do
  content secret(name: 'test1', service: :aws_secrets_manager)
end
```

```ruby
template '/etc/my_fancy_service/my_fancy_service.conf' do
  source 'config.erb'
  variables(
    db_token: secret(name: 'db_token', service: :aws_secrets_manager)
  )
end
```
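The examples above all share one contract: `secret(name:, service:, config:, version:)` returns a plain String, and each service and Vault auth method needs a particular set of `config` keys. The following stand-alone Ruby script is an added example, not Chef's implementation and not code from the Chef documentation: it models that contract with a per-service config check derived from the examples on this page, an ERB render mirroring the `template` resource, and a redaction step showing why a secret returned as a string needs care in logs. The `:constructed_store` backend, the `CONSTRUCTED_SECRETS` table, the `config.erb` stand-in and the assumption that `:iam_role` is the default `auth_method` for `:hashi_vault` are all assumptions made for this example.

```ruby
require 'erb'

# Added example: a stand-alone model of the secret(...) helper contract shown on the
# page. It is NOT Chef's implementation; :constructed_store is a hypothetical offline
# backend so the script runs without any secrets manager.

# Required config keys per service, taken from the page's examples.
REQUIRED_CONFIG = {
  aws_secrets_manager: [],             # region is optional
  akeyless_vault:      %i[access_key access_id],
  azure_key_vault:     [],
  hashi_vault:         %i[vault_addr], # plus the auth-method keys below
  constructed_store:   []              # hypothetical offline backend for this example
}.freeze

# HashiCorp Vault auth methods and the keys each one needs (approle accepts either pair).
HASHI_AUTH_KEYS = {
  iam_role: %i[role_name],             # assumption: default when auth_method is omitted
  token:    %i[token],
  approle:  [%i[approle_id approle_secret_id], %i[approle_name token]]
}.freeze

# Constructed secret values; real backends would be queried over the network.
CONSTRUCTED_SECRETS = {
  'test1'       => 'example-value',
  'db_token'    => 'constructed-db-token-0001',
  'db_token@v1' => 'constructed-db-token-v1'
}.freeze

class SecretConfigError < ArgumentError; end

# Fail early with a precise message instead of a vague auth error at fetch time.
def validate_config!(service, config)
  required = REQUIRED_CONFIG.fetch(service) { raise SecretConfigError, "unknown service #{service.inspect}" }
  missing = required.reject { |k| config.key?(k) }
  raise SecretConfigError, "#{service} requires #{missing.join(', ')}" unless missing.empty?
  return true unless service == :hashi_vault

  method = config.fetch(:auth_method, :iam_role)
  alternatives = HASHI_AUTH_KEYS.fetch(method) { raise SecretConfigError, "unknown auth_method #{method.inspect}" }
  alternatives = [alternatives] unless alternatives.first.is_a?(Array)
  return true if alternatives.any? { |keys| keys.all? { |k| config.key?(k) } }

  raise SecretConfigError,
        "hashi_vault #{method} needs one of: #{alternatives.map { |a| a.join('+') }.join(' or ')}"
end

# Same keyword signature as the helper on the page; returns a String.
def secret(name:, service:, config: {}, version: nil)
  validate_config!(service, config)
  # Only the constructed backend can be read offline; real services stop at validation here.
  raise SecretConfigError, "no offline backend for #{service}" unless service == :constructed_store

  key = version ? "#{name}@#{version}" : name
  CONSTRUCTED_SECRETS.fetch(key) { raise KeyError, "no secret #{key.inspect}" }.dup
end

# Stand-in for the page's config.erb; each variables() key becomes a template local.
CONFIG_ERB = "db_token = <%= db_token %>\n".freeze

def render_config(template, variables)
  ERB.new(template).result_with_hash(variables)
end

# Anything that logs rendered content should see this, not the raw secret.
def redact(text, secrets)
  secrets.reduce(text) { |t, s| t.gsub(s, '[REDACTED]') }
end

if $PROGRAM_NAME == __FILE__
  token = secret(name: 'db_token', service: :constructed_store)
  rendered = render_config(CONFIG_ERB, db_token: token)
  puts redact(rendered, [token])
end
```

In a real recipe the `file` and `template` resources hold the secret in memory only for the run, but their diff output reaches the client log unless the resource also sets `sensitive true`; the `redact` step above plays the same role for this script's own output.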
© Chef Software, Inc.
Licensed under the Creative Commons Attribution 3.0 Unported License.
The Chef™ Mark and Chef Logo are either registered trademarks/service marks or trademarks/servicemarks of Chef, in the United States and other countries and are used with Chef Inc's permission.
We are not affiliated with, endorsed or sponsored by Chef Inc.
https://docs.chef.io/infra_language/secrets/