[chef] Re: Re: AWS Security Groups


  • From: George Miranda
  • To: (address not preserved in the archive)
  • Subject: [chef] Re: Re: AWS Security Groups
  • Date: Mon, 17 Nov 2014 13:11:41 -0800

Managing secrets is hard and Chef is not a magic pony.  "Infrastructure as Code" simply exposes a number of pain points felt by the security community for years and obscured by the fact that most people manually handle authentication with passphrases typed in or some sort of multi-factor method handled manually.

For more background on challenges/options, check out great coverage on this in a Foodfight favorite from last year:

http://foodfightshow.org/2013/07/secret-chef.html


On Mon, Nov 17, 2014 at 12:46 PM, Douglas Garstang wrote:
Seems like 'infrastructure as code' has a ways to go.

On Mon, Nov 17, 2014 at 12:44 PM, Eric Herot wrote:
Chef Vault does address one of the earlier concerns you raised about the scalability of mass-distributing keys to use for decrypting data bags.  Instead it uses the client keys on the individual nodes to encrypt separate copies of your data bag item (one for each host that’s allowed to access it).  That way you don’t have to worry (much) about key management, and access to the data is not universal (like it is with normal encrypted data bags, which were invented mainly as a way to not store sensitive data in source control).
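The per-host wrapping that Eric describes, as an added Ruby example that is not Chef Vault's own code or its on-disk JSON format: the item is encrypted once under a random symmetric key, that key is then encrypted separately with each authorized client's RSA public key, and a node only needs its own client private key to unwrap it. The node names (web01, web02, db01), the in-memory RSA keys standing in for each node's client.pem, the AES-256-GCM and OAEP choices, and the helper names vault_create, vault_open and vault_readable? are all assumptions made for this illustration.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# Constructed stand-ins for three Chef clients (hypothetical names). On a real
# node the private half is /etc/chef/client.pem and the public half is the
# client key registered with the Chef server; here both live in memory.
NODES = %w[web01 web02 db01].map { |name| [name, OpenSSL::PKey::RSA.new(2048)] }.to_h

# OAEP is assumed here; it is not necessarily the padding Chef Vault itself uses.
RSA_PADDING = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Encrypt one data bag item for the listed clients.
# Returns [encrypted_item, keys_item]. The item is encrypted once under a random
# symmetric key; keys_item carries that key wrapped with each authorized
# client's RSA public key, so only those hosts can unwrap it. Nobody has to
# distribute a shared secret to every node, which is the point of the design.
def vault_create(item, authorized, nodes)
  shared_secret = SecureRandom.random_bytes(32)

  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = shared_secret
  iv = cipher.random_iv
  cipher.auth_data = ''
  ciphertext = cipher.update(JSON.generate(item)) + cipher.final

  encrypted_item = {
    'cipher'         => 'aes-256-gcm',
    'iv'             => Base64.strict_encode64(iv),
    'auth_tag'       => Base64.strict_encode64(cipher.auth_tag),
    'encrypted_data' => Base64.strict_encode64(ciphertext)
  }

  keys_item = { 'clients' => authorized.dup }
  authorized.each do |name|
    wrapped = nodes.fetch(name).public_key.public_encrypt(shared_secret, RSA_PADDING)
    keys_item[name] = Base64.strict_encode64(wrapped)
  end
  [encrypted_item, keys_item]
end

# What a node does at converge time: unwrap the shared secret with its own
# private key, then decrypt and parse the item. Raises if the node has no
# wrapped copy, holds the wrong key, or the ciphertext/tag has been tampered with.
def vault_open(encrypted_item, keys_item, name, private_key)
  wrapped = keys_item[name] or raise KeyError, "#{name} is not in the vault client list"
  shared_secret = private_key.private_decrypt(Base64.strict_decode64(wrapped), RSA_PADDING)

  decipher = OpenSSL::Cipher.new(encrypted_item.fetch('cipher')).decrypt
  decipher.key = shared_secret
  decipher.iv = Base64.strict_decode64(encrypted_item.fetch('iv'))
  decipher.auth_tag = Base64.strict_decode64(encrypted_item.fetch('auth_tag'))
  decipher.auth_data = ''
  plaintext = decipher.update(Base64.strict_decode64(encrypted_item.fetch('encrypted_data')))
  plaintext << decipher.final
  JSON.parse(plaintext)
end

# True if this client, holding this private key, can read the item.
# All failure modes (no wrapped key, wrong key, tampering) come back as false.
def vault_readable?(encrypted_item, keys_item, name, private_key)
  vault_open(encrypted_item, keys_item, name, private_key)
  true
rescue KeyError, OpenSSL::OpenSSLError, JSON::ParserError
  false
end

if $PROGRAM_NAME == __FILE__
  item = { 'id' => 'db_password', 'password' => 'correct horse battery staple' } # constructed
  enc, keys = vault_create(item, %w[web01 web02], NODES)
  NODES.each_key do |name|
    puts "#{name}: #{vault_readable?(enc, keys, name, NODES[name]) ? 'can read' : 'cannot read'}"
  end
end
```

Two things worth noticing when you run it: the symmetric secret never appears in either item except wrapped under a client's public key, so adding a host means wrapping the secret one more time rather than handing a passphrase around; and dropping db01 from the client list only stops it going forward, since a host that already unwrapped the old secret can still read the old ciphertext, which is why revoking access also means re-encrypting the item under a fresh secret.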




