Skip to main content

Chef Infra Language: Secrets

The Secrets Management Integration helper is a beta feature starting in Chef Infra Client 17.5 and became a fully supported feature in Chef Infra Client 18. This helper allows you to access secrets from the following secrets management systems within your Infra recipes or resources:

  • AWS Secrets Manager
  • Akeyless Vault
  • Azure Key Vault
  • HashiCorp Vault

Secrets Manager Support

AWS Secrets Manager

The secrets helper supports fetching secrets from AWS Secrets Manager from IAM roles applied to instances.

Fetching an AWS Secrets Manager secret

secret(name: 'test1', service: :aws_secrets_manager)

Specifying the AWS Region containing the secret

secret(name: 'test1', service: :aws_secrets_manager, config: { region: 'us-west-2' })

Akeyless Vault

The secrets helper supports fetching secrets from Akeyless Vault using Akeyless’ access key and access ID.

Fetching Secrets From Akeyless Vault Using Access Key/ID

secret(name: '/secret/data/my_secret',
       service: :akeyless_vault,
       config: {
         access_key: '12345678910=',
         access_id: 'p-12345678910'
      })

Azure Key Vault

The secrets helper supports fetching secrets from Azure Key Vault.

Fetching Secrets From Azure Key Vault

secret(name: 'vault-name/test-secret-1', service: :azure_key_vault)

Fetching a specific version of an Azure Key Vault secret

secret(name: 'vault-name/test1', version: 'v1', service: :azure_key_vault)

HashiCorp Vault

Fetching Secrets From HashiCorp Vault Using AWS IAM

secret(name: 'secret/example',
      service: :hashi_vault,
      config: {
        vault_addr: 'vault.example.com',
        role_name: 'example-role'
      })

Fetching Secrets From HashiCorp Vault Using Tokens

secret(name: 'secret/example',
      service: :hashi_vault,
      config: {
        vault_addr: 'vault.example.com',
        auth_method: :token,
        token: '123456'
      })

Fetching Secrets From HashiCorp Vault Using AppRole Authentication

Fetching secret data using an AppRole ID and an associated AppRole Secret ID:

secret(name: 'secret/example',
      service: :hashi_vault,
      config: {
        vault_addr: 'vault.example.com',
        auth_method: :approle,
        approle_id: "11111111-abcd-1111-abcd-111111111111",
        approle_secret_id: "22222222-abcd-2222-abcd-222222222222"
      })

Fetching secret data using a token and an AppRole name creates a Secret ID associated with that AppRole:

secret(name: 'secret/example',
      service: :hashi_vault,
      config: {
        vault_addr: 'vault.example.com',
        auth_method: :approle,
        approle_name: "my-approle",
        token: '123456'
      })

Using in Cookbooks

The secrets helper returns a text string, so it can be used anywhere in Chef Infra where you might hard code a value or access a value from a data bag.

Writing a Secret To a File

file '/home/ubuntu/aws-secret' do
  content secret(name: 'test1', service: :aws_secrets_manager)
end

Passing a Secret to a Template

template '/etc/my_fancy_service/my_fancy_service.conf' do
  source 'config.erb'
  variables(
    db_token: secret(name: 'db_token', service: :aws_secrets_manager)
  )
end
Edit this page on GitHub

Thank you for your feedback!

×









Search Results