
Chef Infra Language: Secrets


Chef Infra Client 17.5 and later includes a beta Secrets Management Integration helper. This helper allows accessing secrets from the following secrets management systems within your Infra recipes or resources:

  • AWS Secrets Manager
  • Akeyless Vault
  • Azure Key Vault
  • HashiCorp Vault

Note

This helper is a beta release. It is under active development and may change. We welcome your feedback at [email protected].

Secrets Manager Support

AWS Secrets Manager

The secrets helper supports fetching secrets from AWS Secrets Manager, authenticating with the IAM role applied to the instance.

Fetching an AWS Secrets Manager secret

secret(name: 'test1', service: :aws_secrets_manager)

Specifying the AWS Region containing the secret

secret(name: 'test1', service: :aws_secrets_manager, config: { region: 'us-west-2' })

Akeyless Vault

The secrets helper supports fetching secrets from Akeyless Vault using an Akeyless access key and access ID.

Fetching Secrets From Akeyless Vault Using Access Key/ID

secret(name: '/secret/data/my_secret',
       service: :akeyless_vault,
       config: {
         access_key: '12345678910=',
         access_id: 'p-12345678910'
       })

Azure Key Vault

The secrets helper supports fetching secrets from Azure Key Vault.

Fetching Secrets From Azure Key Vault

secret(name: 'vault-name/test-secret-1', service: :azure_key_vault)

Fetching a specific version of an Azure Key Vault secret

secret(name: 'vault-name/test1', version: 'v1', service: :azure_key_vault)

HashiCorp Vault

Fetching Secrets From HashiCorp Vault Using AWS IAM

secret(name: 'secret/example',
       service: :hashi_vault,
       config: {
         vault_addr: 'vault.example.com',
         role_name: 'example-role'
       })

Fetching Secrets From HashiCorp Vault Using Tokens

secret(name: 'secret/example',
       service: :hashi_vault,
       config: {
         vault_addr: 'vault.example.com',
         auth_method: :token,
         token: '123456'
       })

Fetching Secrets From HashiCorp Vault Using AppRole Authentication

Fetching secret data using an AppRole ID and an associated AppRole Secret ID:

secret(name: 'secret/example',
       service: :hashi_vault,
       config: {
         vault_addr: 'vault.example.com',
         auth_method: :approle,
         approle_id: "11111111-abcd-1111-abcd-111111111111",
         approle_secret_id: "22222222-abcd-2222-abcd-222222222222"
       })

Fetching secret data using a token and an AppRole name; this creates a Secret ID associated with that AppRole:

secret(name: 'secret/example',
       service: :hashi_vault,
       config: {
         vault_addr: 'vault.example.com',
         auth_method: :approle,
         approle_name: "my-approle",
         token: '123456'
       })

Using in Cookbooks

The secrets helper returns a text string, so it can be used anywhere in Chef Infra where you might otherwise hard-code a value or read one from a data bag.

Writing a Secret To a File

file '/home/ubuntu/aws-secret' do
  content secret(name: 'test1', service: :aws_secrets_manager)
end

Passing a Secret to a Template

template '/etc/my_fancy_service/my_fancy_service.conf' do
  source 'config.erb'
  variables(
    db_token: secret(name: 'db_token', service: :aws_secrets_manager)
  )
end
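A small helper, added here as an example and not part of Chef or the secrets helper, for the common case where the string returned by `secret(...)` is a JSON document with several fields (an assumption about how the secret was stored, not something this page states). It fails the Chef run rather than rendering an empty credential, and the commented recipe shows it next to the `sensitive` resource property, which keeps the rendered content out of the Chef Infra Client log.

```ruby
require 'json'

# Pull one field out of a secret stored as a JSON object, e.g.
# {"username":"app","password":"..."} (assumed layout, not stated on the page).
# Raises instead of returning nil/"" so a missing or malformed secret stops the
# converge before a config file with a blank password is written.
def secret_field(raw_secret, key)
  data = JSON.parse(raw_secret)
  raise ArgumentError, 'secret is not a JSON object' unless data.is_a?(Hash)

  value = data[key]
  raise KeyError, "secret has no #{key.inspect} field" if value.nil? || value.to_s.empty?

  value
rescue JSON::ParserError
  raise ArgumentError, 'secret is not valid JSON'
end

# Recipe usage (Chef DSL, so not executed outside a chef-client run):
#
# template '/etc/my_fancy_service/my_fancy_service.conf' do
#   source 'config.erb'
#   sensitive true   # suppress the content diff in the client log
#   variables(
#     db_password: secret_field(
#       secret(name: 'db_token', service: :aws_secrets_manager), 'password'
#     )
#   )
# end
```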

© Chef Software, Inc.
Licensed under the Creative Commons Attribution 3.0 Unported License.
https://docs.chef.io/infra_language/secrets/