What is the best practice for storing password and API keys with Chef? It's really tempting to store database passwords, AWS api keys, and other sensitive credentials as Chef Server Attributes for use in recipes -- but what about security considerations? What's the best practice for this?
Chef Vault includes knife plugins to allow you to manage the secrets from your workstation, uploading them to the Chef Server just like normal data bags. The secrets themselves live in Data Bags on the Chef Server. The “bag” is called the “vault” for chef-vault.
Users. If you need to add a new admin user, run knife vault update with the vault name, the encrypted item within the vault, the -A flag, and the user's username on the Chef Server. This will encrypt a new copy of the shared secret with the user's key on the Chef Server.
From the #chef IRC channel, many people store this kind of data in a data bag on the chef server.
For example, a data bag might be 'aws', with an item 'main', referring to the primary AWS account. Separate keys in the item would be for each particular value. E.g.:
{
  "id": "main",
  "aws_secret_key": "The secret access key",
  "aws_access_key": "The access key"
}
You may also be interested in encrypted data bags. I wrote about them in more detail for managing postfix SASL authentication.
Update: I've written blog posts about Chef Vault on my blog and sysadvent.
This question is old and has no accepted answer; however, the correct answer to this question is that Chef allows the use of Encrypted Data Bags for storing sensitive data in Data Bags.
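The two designs the answers above describe, reproduced in plain Ruby as an added example so the security difference is visible. This is not chef-vault's or Chef's own code and it shows no knife commands: an encrypted data bag protects every field except "id" with one shared secret that must be copied to every node out of band (the file Chef reads as /etc/chef/encrypted_data_bag_secret), while a chef-vault style item uses the same per-field encryption but wraps a random shared secret once per recipient with that recipient's RSA public key (the node's client key or an admin user's key) into a companion "<item>_keys" item, so adding an admin is just one more wrapped copy of the secret, which is what the -A step in the first answer does. The field layout (aes-256-cbc, SHA-256 of the secret as the AES key, a JSON "json_wrapper" around each value, "version": 1) mirrors Chef's version-1 encrypted data bag format as I understand it; treat byte-for-byte compatibility with Chef, and the names web1, alice, bob and the "aws/main" values, as assumptions and constructed sample data.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'digest'

# Added example, not Chef's or chef-vault's code. Layout follows Chef's
# version-1 encrypted data bag format as assumed in the lead-in.
module EncryptedBag
  CIPHER = 'aes-256-cbc'

  # Encrypt a single field value under the shared secret.
  def self.encrypt_value(value, secret)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = Digest::SHA256.digest(secret)
    iv = cipher.random_iv
    ciphertext = cipher.update(JSON.generate('json_wrapper' => value)) + cipher.final
    { 'encrypted_data' => Base64.strict_encode64(ciphertext),
      'iv' => Base64.strict_encode64(iv), 'version' => 1, 'cipher' => CIPHER }
  end

  def self.decrypt_value(field, secret)
    raise "unsupported cipher #{field['cipher']}" unless field['cipher'] == CIPHER
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = Digest::SHA256.digest(secret)
    cipher.iv = Base64.strict_decode64(field['iv'])
    plaintext = cipher.update(Base64.strict_decode64(field['encrypted_data'])) + cipher.final
    JSON.parse(plaintext)['json_wrapper']
  end

  # "id" stays in the clear (the server needs it); every other field is encrypted.
  def self.encrypt_item(item, secret)
    item.each_with_object({}) { |(k, v), out| out[k] = k == 'id' ? v : encrypt_value(v, secret) }
  end

  def self.decrypt_item(item, secret)
    item.each_with_object({}) { |(k, v), out| out[k] = k == 'id' ? v : decrypt_value(v, secret) }
  end
end

module Vault
  # recipients: { 'client-or-user-name' => OpenSSL::PKey::RSA public key }
  # Returns the encrypted item and the "<id>_keys" item holding the wrapped secret.
  def self.create(item, recipients)
    secret = OpenSSL::Random.random_bytes(32) # random per vault item, never stored in clear
    keys = { 'id' => "#{item['id']}_keys" }
    recipients.each { |name, pub| keys[name] = Base64.strict_encode64(pub.public_encrypt(secret)) }
    [EncryptedBag.encrypt_item(item, secret), keys]
  end

  # Equivalent of the -A step: an existing recipient unwraps the secret and
  # wraps it again for the new key. The item itself is not re-encrypted.
  def self.add_recipient(keys, existing_name, existing_priv, new_name, new_pub)
    secret = existing_priv.private_decrypt(Base64.strict_decode64(keys[existing_name]))
    keys.merge(new_name => Base64.strict_encode64(new_pub.public_encrypt(secret)))
  end

  # What a node (or admin) does: unwrap the secret with its own private key, then decrypt.
  def self.unlock(encrypted_item, keys, name, priv)
    raise "#{name} is not a recipient of #{keys['id']}" unless keys.key?(name)
    secret = priv.private_decrypt(Base64.strict_decode64(keys[name]))
    EncryptedBag.decrypt_item(encrypted_item, secret)
  end
end

# Constructed sample data: the aws/main item from the answer above with placeholder values.
SAMPLE_ITEM = { 'id' => 'main',
                'aws_access_key' => 'AKIAEXAMPLEACCESSKEY',
                'aws_secret_key' => 'example-secret-access-key' }.freeze

def demo
  # 1. Encrypted data bag: one shared secret, distributed to every node out of band.
  shared_secret = OpenSSL::Random.random_bytes(64)
  bag_item = EncryptedBag.encrypt_item(SAMPLE_ITEM, shared_secret)
  bag_round_trip = EncryptedBag.decrypt_item(bag_item, shared_secret)

  # 2. chef-vault style: throwaway RSA keys stand in for a node client key (web1)
  #    and two admin user keys (alice, bob). bob is added afterwards with -A semantics.
  web1, alice, bob = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  vault_item, keys = Vault.create(SAMPLE_ITEM, 'web1' => web1.public_key, 'alice' => alice.public_key)
  keys = Vault.add_recipient(keys, 'alice', alice, 'bob', bob.public_key)

  { bag_round_trip: bag_round_trip, bag_item: bag_item,
    vault_item: vault_item, keys: keys,
    node_view: Vault.unlock(vault_item, keys, 'web1', web1),
    bob_view: Vault.unlock(vault_item, keys, 'bob', bob) }
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts "encrypted field on the server: #{r[:bag_item]['aws_secret_key']['encrypted_data'][0, 24]}..."
  puts "recipients of main_keys: #{(r[:keys].keys - ['id']).sort.join(', ')}"
  puts "node web1 reads: #{r[:node_view]['aws_access_key']}"
end
```

The point worth noticing is what each design leaves on the Chef Server: in both cases only ciphertext plus "id", but with a plain encrypted data bag a compromise of any node yields the one shared secret for every item that uses it, whereas with the vault layout a node's client key unwraps only the items it was listed on, and revoking an admin or a node means rewriting the keys item with a fresh secret rather than re-distributing a file.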