- From: Juanje Ojeda Croissier <
>
- To:
- Subject: [chef] Re: how to prevent chef logging secrets
- Date: Wed, 23 May 2012 17:52:11 +0100
Hi,
On Tue, May 22, 2012 at 11:28 PM,
<
>
wrote:
>
>
hi. is there any way around this? a better way to do it all together?
>
>
my cookbook sets up a mysql DB. it sets the root password by drawing the
>
password creds out of an encrypted data bag. that's great cuz those
>
secrets are kept secret. but when "assign-root-password" is executed,
>
chef logs at INFO level the command it's running, including the
>
string interpolated value of the password :\
>
>
>
$ knife data bag show secrets --secret-file ~/path/to/secret_key mysql-creds
>
id: mysql-creds
>
pass: ehMAHgawd
>
user: root
>
>
>
recipe:
>
>
mysql_creds = Chef::EncryptedDataBagItem.load("secrets","mysql-creds")
>
>
execute "assign-root-password" do
>
command "#{node['mysql']['mysqladmin_bin']} -u root password
>
\"#{mysql_creds['pass']}\""
>
action :run
>
only_if "#{node['mysql']['mysql_bin']} -u root -e 'show databases;'"
>
end
>
>
>
logs, le meh:
>
>
[Tue, 22 May 2012 04:04:33 +0000] DEBUG: Processing
>
execute[assign-root-password] on mah-host
>
[Tue, 22 May 2012 04:04:33 +0000] INFO: Processing
>
execute[assign-root-password] action run (okta-mysql::dev-server line 38)
>
[Tue, 22 May 2012 04:04:33 +0000] DEBUG: sh(/usr/bin/mysql -u root -e 'show
>
databases;')
>
[Tue, 22 May 2012 04:04:34 +0000] INFO: execute[assign-root-password]
>
sh(/usr/bin/mysqladmin -u root password "ehMAHgawd")
>
[Tue, 22 May 2012 04:04:34 +0000] INFO: execute[assign-root-password] ran
>
successfully
>
>
I think you can't do much using the execute resource, but for this
particular case, probably you could use the database cookbook with
provides you of some nice resources for manage this kind of stuff:
https://github.com/opscode-cookbooks/database#examples
I believe this resourse doesn't show the secret data.
I hope this helps.
Cheers
--
Juanje
http://about.me/juanje
Archive powered by MHonArc 2.6.16.