- From: AJ Christensen <
>
- To:
- Subject: [chef] Re: Re: using knife.rb attributes in a recipe
- Date: Fri, 5 Oct 2012 09:34:28 +1300
Yo!
I'd like to suggest that you make use of the AWS Cloudformation and
IAM system(s) and a "host keys" implementation.
Using CloudFormation, IAM and some policy, you can have keys generated
for each machine at construction time with those keys having specific
access to resources defined in AWS (defined by CloudFormation)
We've been using this model for one of our clients with great success
-- we have one "awscredentials" cookbook that parses the file dropped
off by CloudFormation during stack creation. We have some tooling
around CloudFormation to build the JSON template from a Ruby DSL. I
hope to see this open sourced in the medium-term future.
Plus side: you get free key rotation when you smash/re-roll boxen.
This has proven to be more effective than manually managing key
rotation to long-running AWS infrastructure and is easily designed
around.
Cheers,
AJ
On 5 October 2012 05:28, Michael Della Bitta
<
>
wrote:
>
Osvaldo,
>
>
Just a thought: It might be an antipattern to assume that the creds
>
you launch instances with will be the same as the ones you want on
>
your server for it to do things. IAM allows you to issue credentials
>
that are locked down to specific tasks (i.e., an EC2 instance might
>
not be allowed to create more EC2 instances), and you might want to
>
deploy those to your instances instead, or even deploy different ones
>
depending on the server's role.
>
>
We're storing our credentials in a data bag and propagating them that
>
way, so it will be easy to change them out should we have to.
>
>
Michael Della Bitta
>
>
------------------------------------------------
>
Appinions
>
18 East 41st Street, 2nd Floor
>
New York, NY 10017-6271
>
>
www.appinions.com
>
>
Where Influence Isn’t a Game
>
>
>
On Thu, Oct 4, 2012 at 12:21 PM, O. T. Suarez
>
<
>
>
wrote:
>
> Hi,
>
>
>
> Attributes stored in the knife.rb file (like the AWS Cloud
>
> Credentials), on the chef workstation, can be used while bootstraping
>
> a node.
>
> Does anyone knows how to use knife.rb attributes in a recipe?
>
> Is that even possible?
>
>
>
> this whole thing came up while trying to find a way to make the
>
> encrypted databag secret key available to the recipes using something
>
> like chef::config properties (chef::config['knife'] actually, but I
>
> couldn't make it work), to avoid having to scp the key file or keeping
>
> it on the chef client host (security considerations are not an issue,
>
> just the technical challenge of whether or not this can be done ;).
>
>
>
> Regards,
>
> Osvaldo
Archive powered by MHonArc 2.6.16.