- From:
- To: chef
- Subject: [chef] variables not rendering in a chef template
- Date: Thu, 5 Jan 2012 17:03:48 -0800

hiya. i'm having some trouble with rendering some variables in a chef
template. not only do i need help on this specific problem, but i'd also
appreciate feedback on my style of solving the issue of distributing ec2
credentials in a secure, elegant manner.

there are 2 kinds of items i want to render in the template: one comes
from an encrypted data bag, the other comes from an attributes setting.
it's the latter that is giving me fits.

first, the template looks like so:

#!/bin/bash
#
# Generated by Chef for <%= node[:fqdn] %>
# Environment: <%= node[:environment] %> .. <-- blank til i fix it
# User: <%= @grab_user %>
#
export AWS_ACCESS_KEY_ID="<%= @aws_access_key_id %>"
export AWS_SECRET_ACCESS_KEY="<%= @aws_secret_access_key %>"
export AWS_x509_CERT="<% node[:aws][:aws_x509_cert_path] %>"
export AWS_x509_KEY="<% node.aws.aws_x509_key_path %>"
export AWS_ACCOUNT_ID="<%= @aws_account_id %>"

the rendered file looks like this:

]# cat /etc/ec2/credz
#!/bin/bash
#
# Generated by Chef for admin4.dev.nosopa.com
# Environment: .. <-- blank til i fix it
# User: root
#
export AWS_ACCESS_KEY_ID="rootaccesskeyderpderpderp"
export AWS_SECRET_ACCESS_KEY="rootsecretkeyderpderpderp"
export AWS_x509_CERT=""
export AWS_x509_KEY=""
export AWS_ACCOUNT_ID="7776-6666-5150"

missing are values for AWS_x509_CERT and AWS_x509_KEY.

as an aside, environment isn't rendering. how do i get that to render?

[chef-repo]$ knife node show admin4.dev.nosopa.com | grep ^Env
Environment: dev

i'm setting the values for AWS_x509_CERT and AWS_x509_KEY in this attributes
file:

chef-repo/site-cookbooks/aws-test/attributes/default.rb looks like so:

default[:aws_x509_cert_path] = "/etc/ec2/certs/servercert.pem"
default[:aws_x509_key_path] = "/etc/ec2/certs/privatekey.pem"

but these values aren't rendering.

for the heck of it i've tried different syntactic styles, to no avail. are
both of the below correct and equivalent?

export AWS_x509_CERT="<% node[:aws_x509_cert_path] %>"
export AWS_x509_KEY="<% node.aws_x509_key_path %>"

in the recipe, i tried setting these as variables within the template
resource, to no avail (see the note in the recipe).

and finally, the recipe that ties it together:

#
# Cookbook Name:: aws-test
# Recipe:: aws-creds
#
# TODO: pem files need to be distributed .. in an encrypted data bag?

if node[:ec2][:userdata] =~ /-e dev/
  aws_creds = Chef::EncryptedDataBagItem.load("hush","aws-creds-dev")
elsif node[:ec2][:userdata] =~ /-e prod/
  aws_creds = Chef::EncryptedDataBagItem.load("hush","aws-creds-prod")
end

# TODO: is there a better way to determine which user ID to use?
if node[:ec2][:userdata] =~ /-r admin/
  grab_access = "ROOT_AWS_ACCESS_KEY_ID"
  grab_secret = "ROOT_AWS_SECRET_ACCESS_KEY"
  grab_user = "root"
else
  grab_access = "DORQ_AWS_ACCESS_KEY_ID"
  grab_secret = "DORQ_AWS_SECRET_ACCESS_KEY"
  grab_user = "dorq"
end
grab_account = "AWS_ACCOUNT_ID"

directory "/etc/ec2" do
  action :create
  mode 0700
  owner "root"
  group "root"
end

directory "/etc/ec2/certs" do
  action :create
  mode 0700
  owner "root"
  group "root"
end

template "/etc/ec2/credz" do
  source "aws-creds.erb"
  mode 0600
  owner "root"
  group "root"
  variables(:aws_access_key_id => aws_creds["#{grab_access}"],
            :aws_secret_access_key => aws_creds["#{grab_secret}"],
            :aws_account_id => aws_creds["#{grab_account}"],
            :grab_user => "#{grab_user}")
end

# i also tried placing these within the above variable set:
# :aws_x509_cert_path => node[:aws_x509_cert_path],
# :aws_x509_key_path => node[:aws_x509_key_path],
# then tried accessing them in the template like so, but to no avail:
# export AWS_x509_CERT="<% @aws_x509_cert_path %>"
# export AWS_x509_KEY="<% @aws_x509_key_path %>"

thanks!
kallen
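
Added example, not part of the original post: a standalone Ruby sketch (plain ERB, no Chef) showing how the `<% %>` and `<%= %>` tags behave in a credentials template like the one above, plus two checks that catch values rendering empty. The `NODE` hash, `TEMPLATE`, and the helpers `render`, `silent_tags` and `empty_exports` are hypothetical names constructed for this illustration, and a plain Hash stands in for Chef's node object.

```ruby
require "erb"

# Constructed stand-in for Chef's node object: the two attributes exactly as
# attributes/default.rb in the post sets them (top level, no :aws key).
NODE = {
  aws_x509_cert_path: "/etc/ec2/certs/servercert.pem",
  aws_x509_key_path:  "/etc/ec2/certs/privatekey.pem"
}.freeze

# Constructed template. Line 1 uses the execution tag from the post, line 2
# the output tag, line 3 an output tag reading a key that was never set.
TEMPLATE = <<~'TPL'
  export AWS_x509_CERT="<% node[:aws_x509_cert_path] %>"
  export AWS_x509_KEY="<%= node[:aws_x509_key_path] %>"
  export AWS_ACCOUNT_ID="<%= node[:aws_account_id] %>"
TPL

# Render the template with `node` visible as a local variable.
def render(template, node)
  ERB.new(template).result_with_hash(node: node)
end

# Template lint: 1-based line numbers where a quoted value holds an execution
# tag (<% %>), which runs its Ruby but writes nothing to the output.
def silent_tags(template)
  template.each_line.with_index(1)
          .select { |line, _| line.match?(/="<%(?![=#%])/) }
          .map(&:last)
end

# Output check: names of exports that rendered as empty strings.
def empty_exports(rendered)
  rendered.scan(/^export (\w+)=""$/).flatten
end

if __FILE__ == $PROGRAM_NAME
  out = render(TEMPLATE, NODE)
  puts out
  puts "execution tags in quoted values, template lines: #{silent_tags(TEMPLATE).inspect}"
  puts "empty exports after render: #{empty_exports(out).inspect}"
end
```

Running `empty_exports` over the rendered text before a credentials file is put in place flags both failure modes, the silent tag and the unset key, since either one leaves `""` in the output.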