[chef] Re: Re: Re: Re: Re: encrypted databag question


  • From: Maven User
  • Subject: [chef] Re: Re: Re: Re: Re: encrypted databag question
  • Date: Fri, 21 Oct 2011 18:25:33 -0400

I was thinking more along the lines of something like:

Chef::Config[:encrypted_data_bag_secret] = "C:/chef/encrypted_data_bag_secret"

Is there no way to explicitly set the chef config objects/values from inside a recipe?

If I do read in the contents of the file (like you suggest below) I get the same bad decrypt error.

I tried several other options (like using a file object instead and passing in the path result) and keep getting the same bad decrypt error.

On Fri, Oct 21, 2011 at 6:01 PM, Matthew Moretti wrote:
Well, I haven't tried it (and I'm by no means an expert), but you could use a combination of that 3rd option and file IO, I guess.

secret = IO.read("C:/chef/secret")

mysql_creds = Chef::EncryptedDataBagItem.load("passwords", "mysql", secret)

Something in the back of my mind says there's a problem with what I'm suggesting, but I can't quite put my finger on it. I suspect that there should be a way to use the Chef libraries to read the data in from a cookbook file directly.  Does anybody else have any thoughts?

-Matt


On Fri, Oct 21, 2011 at 5:36 PM, Maven User wrote:
Well, that worked, but I'm not sure I'm really jazzed by that solution.

I was able to update my client.rb file to point to the exact file the secret was in and it worked.

But, what if different cookbooks have different secret files?

Either way, the secret file isn't bad/borked...

So is there a way to set the default in the recipe or is it too late by then?


On Fri, Oct 21, 2011 at 5:25 PM, Matthew Moretti wrote:
I'm pretty sure that the 3rd argument is actually the encryption secret itself (see slightly higher up in the same file). If you want to use a file location other than the default, I think you're supposed to say so in your chef config.

-Matt Moretti

On Fri, Oct 21, 2011 at 5:00 PM, AJ Christensen wrote:
Yo,

You can put the secret anywhere.

The third argument is a string to the path of the file containing the key.

If you put your key in /etc/chef/encrypted_data_bag_secret, the
default value of Chef::Config[:encrypted_data_bag_secret], you can
omit the third argument.

Here are the codes for loading the secret:
https://github.com/opscode/chef/blob/master/chef/lib/chef/encrypted_data_bag_item.rb#L105-127

HTH

–AJ

On 22 October 2011 09:52, Maven User wrote:
> Hi all -
>
> In the example on the opscode wiki,
> http://wiki.opscode.com/display/chef/Encrypted+Data+Bags there's an example
> on how to point to a non-standard place for your secret file:
>
> mysql_creds = Chef::EncryptedDataBagItem.load("passwords", "mysql", secret)
>
>
> I'm struggling a bit with the "secret" in the above statement.  From what I
> can tell, that can be a path (string) to the place where the secret file
> is.  But for the life of me, I can't seem to get that to click.  I keep
> getting a "bad decrypt" stacktrace.
>
> Is that supposed to be a path or the contents of the file?
>
> Any suggestions?
>
>
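The thread's "bad decrypt" comes from handing the loader the path string where it expects the secret contents. The following is an added, constructed example (not Chef's own code, no chef gem needed) that mirrors the Chef 0.10-era data bag scheme (aes-256-cbc keyed via pkcs5_keyivgen on the secret, YAML-serialised value, base64 output) and shows both outcomes side by side; `SecretDemo` and `resolve_secret` are hypothetical names.

```ruby
require "openssl"
require "yaml"
require "tmpdir"

# Constructed stand-in for Chef's encryptor: same cipher and key derivation
# as Chef 0.10, written here only to show what the third argument must be.
module SecretDemo
  def self.cipher(secret, mode)
    c = OpenSSL::Cipher.new("aes-256-cbc")
    mode == :encrypt ? c.encrypt : c.decrypt
    c.pkcs5_keyivgen(secret) # key and IV are derived from the secret STRING
    c
  end

  def self.encrypt_value(value, secret)
    c = cipher(secret, :encrypt)
    [c.update(value.to_yaml) + c.final].pack("m") # base64
  end

  # Returns [:ok, value] or [:bad_decrypt, message]. A wrong secret normally
  # fails the padding check ("bad decrypt"); the rare garbage that slips past
  # it will not parse as the original YAML document.
  def self.decrypt_value(ciphertext, secret)
    c = cipher(secret, :decrypt)
    plain = c.update(ciphertext.unpack1("m")) + c.final
    [:ok, YAML.safe_load(plain)]
  rescue OpenSSL::Cipher::CipherError, Psych::Exception, ArgumentError, EncodingError => e
    [:bad_decrypt, e.message]
  end

  # Accept either the secret itself or a path to the secret file (what a
  # per-cookbook secret location needs): read and strip the file like
  # Chef's load_secret does, otherwise treat the argument as the secret.
  def self.resolve_secret(secret_or_path)
    File.file?(secret_or_path) ? File.read(secret_or_path).strip : secret_or_path
  end
end

# Constructed secret file in a temp dir; returns both decryption attempts.
def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, "encrypted_data_bag_secret")
    File.write(path, "constructed-secret-value\n")
    enc = SecretDemo.encrypt_value({ "password" => "s3cret" }, SecretDemo.resolve_secret(path))
    {
      with_path_string: SecretDemo.decrypt_value(enc, path), # the mistake from the thread
      with_contents: SecretDemo.decrypt_value(enc, SecretDemo.resolve_secret(path))
    }
  end
end
```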