
Comments (12)

eklein avatar eklein commented on July 24, 2024

You need to specify at least one admin (the admin who will update it next time) in order to be able to modify the vault item permissions and content in the future. This can be a user or any client key.

Unfortunately, as far as I know, chef doesn't provide a way to search users using groups, so what you're suggesting isn't possible. That said, this may have changed and I could be completely wrong. :)

Either way, if the churn of people supporting this is that high, it sounds to me like a better fit for this would be a standard encrypted data bag.

from chef-vault.

techish-io avatar techish-io commented on July 24, 2024

Thanks mate for a prompt reply. If I specify a client key (e.g. a node) instead of a user, does that mean the data bag can only be updated by running knife commands from that particular client and not from a user workstation?


eklein avatar eklein commented on July 24, 2024

For sure, happy to help.

Not sure if that'll work, certainly worth a shot? Is your idea to have a "management" system of sorts that would be able to update the data? You could always have a user on the management system that people could use to execute the knife vault commands.


techish-io avatar techish-io commented on July 24, 2024

Kind of. What I'm thinking is to have the same list of client keys specified as ADMINS as the list of nodes specified in the search query which can decrypt the data.

That means if node1 and node2 can decrypt the data bag, anyone with access to these nodes will be able to run knife commands from those nodes only.

This almost solves my problem, as we have different groups of people having access to different hosts in different environments.

I won't go for a single management server as I don't want the non-prod team to be able to view prod secret data.


techish-io avatar techish-io commented on July 24, 2024

(Plz ignore any typos, I'm on iPhone)


eklein avatar eklein commented on July 24, 2024

I think if you're going to use the same clients for access and admins, you should just use an encrypted data bag.

Beyond that, if using that client private key works, you'll need to have a custom knife.rb that uses the client key that people will need to remember/know to use. Seems pretty messy.


techish-io avatar techish-io commented on July 24, 2024

You are right, we would need to keep a version of knife.rb per node.

The reason we went away from the standard encrypted data bag was maintenance of the shared secret key. You have to upload the secret key to the respective nodes, and anyone wanting to update the data bag needs to have that key.

Now it seems we need to maintain versions of knife.rb ...

We can specify the client key with the knife command; versions of knife.rb can be avoided if we can specify node_name with the knife command.


eklein avatar eklein commented on July 24, 2024

Sounds reasonable. Let me know how it goes!


eklein avatar eklein commented on July 24, 2024

How did this go for you, @techish1?


techish-io avatar techish-io commented on July 24, 2024

That worked!!!!
Here's the command I use from my node to show the encrypted data bag items.

knife vault show DATA_BAG_NAME DATA_BAG_ITEM_NAME -k /etc/chef/MY_NODE_KEY.pem --mode client -F json -u MY_NODE_NAME
(substitute your own values in place of the upper-case text)

knife vault update DATA_BAG_NAME DATA_BAG_ITEM_NAME '{"username": "root", "password": "mypassword"}' -k /etc/chef/MY_NODE_KEY.pem --mode client -u MY_NODE_NAME

As I'm providing the node name (with the -u switch) in the above commands, I don't need to maintain different versions of knife.rb. The only thing my knife.rb contains is "chef_server_url", which is common to all my nodes.

The "-u" option in the knife command is equivalent to the "node_name" property in knife.rb.


techish-io avatar techish-io commented on July 24, 2024

This certainly solved my problem! As long as someone has access to a particular client (node), he/she should be able to access the data bag item even if he himself is not in the list of admins.

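The two posts above describe the permission model the knife commands rely on: a vault item is readable by the clients matched by the search query plus the admins, and only an admin can update it, because an update re-encrypts the item for everyone. The following is an added illustration, not chef-vault's own code, and it is a toy model: real chef-vault wraps the item's random shared secret with each principal's RSA public key, whereas this model uses an HMAC-derived keystream keyed by a per-principal secret (the `principal_keys` dictionary, a hypothetical stand-in for the public keys the Chef server publishes) so that it runs with the standard library only. The node names and the JSON payload are constructed sample values.

```python
"""Toy model of chef-vault's read/update permissions (added example, not chef-vault code).

A vault item is stored as ciphertext plus one wrapped copy of the shared secret per
principal allowed to read it. Reading needs a wrapped copy for the caller; updating
needs admin membership, because it regenerates the secret and re-wraps it for every
admin and client. Replacing the client list on update revokes principals that dropped
out of the search query.
"""
import hashlib
import hmac
import os


def _keystream(key: bytes, length: int) -> bytes:
    """Expand a key into `length` bytes (HMAC-SHA256 in counter mode)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, key: bytes) -> bytes:
    """Stream-cipher stand-in: XOR data with the keystream derived from key."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


class VaultItem:
    """One vault item: ciphertext plus the per-principal wrapped secret (the "keys" item)."""

    def __init__(self, data: bytes, admins: set, clients: set, principal_keys: dict):
        # Mirrors the thread: at least one admin is required, or nobody could update it later.
        if not admins:
            raise ValueError("at least one admin is required to manage the item later")
        self.admins = set(admins)
        self.clients = set(clients)
        self.ciphertext = b""
        self.wrapped = {}
        self._reseal(data, principal_keys)

    def _reseal(self, data: bytes, principal_keys: dict) -> None:
        # Fresh shared secret on every write, wrapped for every admin and client.
        shared = os.urandom(32)
        self.ciphertext = _xor(data, shared)
        self.wrapped = {name: _xor(shared, principal_keys[name])
                        for name in self.admins | self.clients}

    def show(self, caller: str, caller_key: bytes) -> bytes:
        """Decrypt for a principal that holds a wrapped copy (like `knife vault show`)."""
        if caller not in self.wrapped:
            raise PermissionError(f"{caller} has no key entry for this item")
        shared = _xor(self.wrapped[caller], caller_key)
        return _xor(self.ciphertext, shared)

    def update(self, caller: str, data: bytes, principal_keys: dict, clients=None) -> None:
        """Rewrite the item; only admins may do this (like `knife vault update`)."""
        if caller not in self.admins:
            raise PermissionError(f"{caller} is not an admin of this item")
        if clients is not None:
            self.clients = set(clients)  # e.g. the search query now matches other nodes
        self._reseal(data, principal_keys)


def _can_show(item: VaultItem, caller: str, key: bytes) -> bool:
    try:
        item.show(caller, key)
        return True
    except PermissionError:
        return False


def _can_update(item: VaultItem, caller: str, keys: dict) -> bool:
    try:
        item.update(caller, b"{}", keys)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Replay the thread's setup: node1 and node2 are both the search result and the admins."""
    keys = {n: os.urandom(32) for n in ("node1", "node2", "node3")}  # constructed sample keys
    item = VaultItem(b'{"username":"root","password":"constructed-example"}',
                     admins={"node1", "node2"}, clients={"node1", "node2"},
                     principal_keys=keys)
    r = {}
    r["node1_reads"] = item.show("node1", keys["node1"])
    r["node3_denied"] = not _can_show(item, "node3", keys["node3"])
    # An admin rewrites the item and widens the client list to include node3 (client only).
    item.update("node2", b'{"username":"root","password":"rotated"}', keys,
                clients={"node1", "node2", "node3"})
    r["node3_reads"] = item.show("node3", keys["node3"])
    r["node3_update_denied"] = not _can_update(item, "node3", keys)
    # Narrowing the client list on the next update revokes node3 again.
    item.update("node1", b'{"username":"root","password":"rotated-again"}', keys,
                clients={"node1", "node2"})
    r["node3_revoked"] = not _can_show(item, "node3", keys["node3"])
    return r


if __name__ == "__main__":
    print(demo())
```

The model makes the trade-off in the thread explicit: when every node in the search query is also an admin, anyone who can run knife with that node's key can both read and rewrite the item, so access to those hosts is the effective access control for the secrets.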

techish-io avatar techish-io commented on July 24, 2024

Closing the issue based on the fact that you must provide at least one admin in --ADMINS, so admins seem to be a mandatory parameter.
