Skip to main content

Chef Infra Language: Secrets

[edit on GitHub]

The Secrets Management Integration helper is a beta feature starting in Chef Infra Client 17.5 and became a fully supported feature in Chef Infra Client 18. This helper allows you to access secrets from the following secrets management systems within your Infra recipes or resources:

  • AWS Secrets Manager
  • Akeyless Vault
  • Azure Key Vault
  • HashiCorp Vault

Secrets Manager Support

AWS Secrets Manager

The secrets helper supports fetching secrets from AWS Secrets Manager from IAM roles applied to instances.

Fetching an AWS Secrets Manager secret 

secret(name: 'test1', service: :aws_secrets_manager)

Specifying the AWS Region containing the secret 

secret(name: 'test1', service: :aws_secrets_manager, config: { region: 'us-west-2' })

Akeyless Vault

The secrets helper supports fetching secrets from Akeyless Vault using Akeyless’ access key and access id.

Fetching Secrets From Akeyless Vault Using Access Key/ID 

secret(name: '/secret/data/my_secret',
       service: :akeyless_vault,
       config: {
         access_key: '12345678910=',
         access_id: 'p-12345678910'
      })

Azure Key Vault

The secrets helper supports fetching secrets from Akeyless Vault using Akeyless’ access key and access id.

Fetching Secrets From Azure Key Vault 

secret(name: 'vault-name/test-secret-1', service: :azure_key_vault)

Fetching a specific version of an Azure Key Vault secret 

secret(name: 'vault-name/test1', version: 'v1', service: :azure_key_vault)

HashiCorp Vault

Fetching Secrets From HashiCorp Vault Using AWS IAM 

secret(name: 'secret/example',
      service: :hashi_vault,
      config: {
        vault_addr: 'vault.example.com',
        role_name: 'example-role'
      })

Fetching Secrets From HashiCorp Vault Using Tokens 

secret(name: 'secret/example',
      service: :hashi_vault,
      config: {
        vault_addr: 'vault.example.com',
        auth_method: :token,
        token: '123456'
      })

Fetching Secrets From HashiCorp Vault Using AppRole Authentication

Fetching secret data using an AppRole ID and an associated AppRole Secret ID:

secret(name: 'secret/example',
      service: :hashi_vault,
      config: {
        vault_addr: 'vault.example.com',
        auth_method: :approle,
        approle_id: "11111111-abcd-1111-abcd-111111111111",
        approle_secret_id: "22222222-abcd-2222-abcd-222222222222"
      })

Fetching secret data using a token and an AppRole name creates a Secret ID associated with that AppRole:

secret(name: 'secret/example',
      service: :hashi_vault,
      config: {
        vault_addr: 'vault.example.com',
        auth_method: :approle,
        approle_name: "my-approle",
        token: '123456'
      })

Using in Cookbooks

The secrets helper returns a text string, so it can be used anywhere in Chef Infra where you might hard code a value or access a value from a data bag.

Writing a Secret To a File 

file '/home/ubuntu/aws-secret' do
  content secret(name: 'test1', service: :aws_secrets_manager)
end

Passing a Secret to a Template 

template '/etc/my_fancy_service/my_fancy_service.conf' do
  source 'config.erb'
  variables(
    db_token: secret(name: 'db_token', service: :aws_secrets_manager)
  )
end

Was this page helpful?

×









Search Results