[chef] using multiple keys to read different encrypted databags on the same node


  • From: Bryan Berry < >
  • To:
  • Subject: [chef] using multiple keys to read different encrypted databags on the same node
  • Date: Wed, 2 Nov 2011 19:24:04 +0100

I have the use case where I have certain secrets that all my machines need access to, say the password that our lousy backup software uses, and other secrets that only certain machines need access to, such as the username and password that a GIS application uses to access the database.

I hacked together a little solution. Does anyone else find this useful?

It requires having the following value in your client.rb

encrypted_data_bag_secret_path  "/some/path/"


encrypted_data_bag_item.rb
+       def self.load_alt_key(data_bag, name, secret_file)
+     path = "data/#{data_bag}/#{name}"
+     raw_hash = Chef::DataBagItem.load(data_bag, name)
+               if Chef::Config[:encrypted_data_bag_secret_path] and secret_file
+                       secret_file = Chef::Config[:encrypted_data_bag_secret_path] + '/' + secret_file 
+               else 
+                       raise ArgumentError, "Invalid secret_file or encrypted_data_bag_secret_path"
+               end
+     secret = self.load_secret(secret_file)
+     self.new(raw_hash, secret)
+   end
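Review bot: the secret file path is built by plain string concatenation (`Chef::Config[:encrypted_data_bag_secret_path] + '/' + secret_file`) with no check that the result stays inside the configured directory, so a caller passing a `secret_file` such as `../../other/dir/key` or an absolute path reads a key file outside it; resolve it with `File.expand_path(secret_file, Chef::Config[:encrypted_data_bag_secret_path])` and raise unless the result starts with that directory, or accept only `File.basename(secret_file)`. Also, `path = "data/#{data_bag}/#{name}"` is assigned but never used and can be dropped, and the hunk mixes tab and space indentation.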


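The scheme described above (one secret file per data bag, looked up by name under the directory that `encrypted_data_bag_secret_path` points at), as an added, self-contained example that is not part of the original post or of Chef: the bag store, the directory name and the key file names are constructed inline, the lookup refuses a `secret_file` that resolves outside the configured directory, and the field encryption is an AES-256-GCM/PBKDF2 stand-in rather than Chef's own item format, so a wrong key fails authentication instead of yielding garbage.

```ruby
require 'openssl'
require 'securerandom'
require 'tmpdir'

# Added example, not code from the post or from Chef. secret_dir plays the role of
# Chef::Config[:encrypted_data_bag_secret_path]; the bag store is an in-memory hash.
module AltKeyBags
  module_function

  # Resolve secret_file under secret_dir and refuse anything that escapes it:
  # lexical "../" or absolute paths first, then symlinks via realpath.
  def resolve_secret_path(secret_dir, secret_file)
    if secret_dir.nil? || secret_file.nil? || secret_file.empty?
      raise ArgumentError, 'Invalid secret_file or encrypted_data_bag_secret_path'
    end
    base = File.expand_path(secret_dir)
    full = File.expand_path(secret_file, base)
    unless full.start_with?(base + File::SEPARATOR)
      raise ArgumentError, "secret_file #{secret_file.inspect} escapes #{base}"
    end
    real = File.realpath(full)
    unless real.start_with?(File.realpath(base) + File::SEPARATOR)
      raise ArgumentError, "secret_file #{secret_file.inspect} links outside #{base}"
    end
    real
  end

  # Same contract as the post's load_secret: stripped file contents, must be non-empty.
  def load_secret(path)
    secret = File.read(path).strip
    raise ArgumentError, "invalid zero length secret in '#{path}'" if secret.empty?
    secret
  end

  def derive_key(secret, salt)
    OpenSSL::KDF.pbkdf2_hmac(secret, salt: salt, iterations: 100_000, length: 32, hash: 'sha256')
  end

  # Encrypt one field value; the result carries its own salt, nonce and tag (base64).
  def encrypt_value(plain, secret)
    salt  = SecureRandom.random_bytes(16)
    nonce = SecureRandom.random_bytes(12)
    c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    c.key = derive_key(secret, salt)
    c.iv  = nonce
    data = c.update(plain.to_s) + c.final
    { 'salt' => [salt].pack('m0'), 'nonce' => [nonce].pack('m0'),
      'tag' => [c.auth_tag].pack('m0'), 'data' => [data].pack('m0') }
  end

  # Decrypt one field; a wrong secret raises OpenSSL::Cipher::CipherError on the tag check.
  def decrypt_value(enc, secret)
    salt, nonce, tag, data = %w[salt nonce tag data].map { |k| enc.fetch(k).unpack1('m0') }
    c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    c.key = derive_key(secret, salt)
    c.iv  = nonce
    c.auth_tag = tag
    c.update(data) + c.final
  end

  # Every field except "id" is encrypted, as in an encrypted data bag item.
  def encrypt_item(item, secret)
    item.to_h { |k, v| [k, k == 'id' ? v : encrypt_value(v, secret)] }
  end

  def decrypt_item(raw, secret)
    raw.to_h { |k, v| [k, k == 'id' ? v : decrypt_value(v, secret)] }
  end

  # The post's load_alt_key with the containment check; store is {bag => {name => raw_item}}.
  def load_alt_key(store, secret_dir, data_bag, name, secret_file)
    raw = store.fetch(data_bag).fetch(name)
    decrypt_item(raw, load_secret(resolve_secret_path(secret_dir, secret_file)))
  end

  def outcome(error_class)
    yield
    :loaded
  rescue error_class
    :rejected
  end

  # Two bags under two constructed secrets in a temp directory: the GIS bag opens only
  # with gis.key, the shared backup key is rejected, and a traversal path never reaches a file.
  def demo
    Dir.mktmpdir do |dir|
      File.write(File.join(dir, 'backup.key'), "shared-backup-secret\n")
      File.write(File.join(dir, 'gis.key'), "gis-only-secret\n")
      store = {
        'backup' => { 'creds' => encrypt_item({ 'id' => 'creds', 'password' => 'hunter2' }, 'shared-backup-secret') },
        'gis' => { 'db' => encrypt_item({ 'id' => 'db', 'user' => 'gis', 'password' => 'pg-s3cret' }, 'gis-only-secret') }
      }
      {
        gis_password: load_alt_key(store, dir, 'gis', 'db', 'gis.key')['password'],
        wrong_key: outcome(OpenSSL::Cipher::CipherError) { load_alt_key(store, dir, 'gis', 'db', 'backup.key') },
        traversal: outcome(ArgumentError) { load_alt_key(store, dir, 'gis', 'db', '../../etc/passwd') }
      }
    end
  end
end

puts AltKeyBags.demo.inspect if $PROGRAM_NAME == __FILE__
```

The containment check is the part worth carrying over to the real `load_alt_key`: a recipe or attribute that can influence `secret_file` otherwise gets to choose which file on the node is read as the key. The authenticated cipher is a separate choice; it is what makes "wrong key" a clean error rather than silently decoded noise.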
