Comments (12)
You need to specify at least one admin (the admin who will update it next time) in order to be able to modify the vault item permissions and content in the future. This can be a user or any client key.
Unfortunately, as far as I know, chef doesn't provide a way to search users using groups, so what you're suggesting isn't possible. That said, this may have changed and I could be completely wrong. :)
Either way, if the churn of people supporting this is that high, it sounds to me like a better fit for this would be a standard encrypted data bag.
from chef-vault.
Thanks mate for a prompt reply. If I specify a client key (e.g. node) instead of a user, does that mean the data bag can only be updated by running knife commands from that particular client, not a user workstation?
For sure, happy to help.
Not sure if that'll work, certainly worth a shot? Is your idea to have a "management" system of sorts that would be able to update the data? You could always have a user on the management system that people could use to execute the knife vault commands.
Kind of. What I'm thinking is to have the same list of client keys specified as ADMINS as the list of nodes specified in search query which can decrypt the data.
That means if node1 and node2 can decrypt the databag, anyone with access to these nodes will be able to run knife commands from those nodes only.
This almost solves my problem as we have different group of people having access to different hosts in different environments.
I won't go for a single management server as I don't want the non-prod team to be able to view prod secret data.
(Plz ignore any typos, I'm on iPhone)
I think if you're going to use the same clients for access and admins, you should just use an encrypted data bag.
Beyond that, if using that client private key works, you'll need to have a custom knife.rb that uses the client key that people will need to remember/know to use. Seems pretty messy.
You are right, would need to keep a version of knife.rb per node.
Reason we went away from standard encrypted data bag was maintenance of the shared secret key. You have to upload the secret key to the respective nodes and anyone wanting to update the data bag needs to have that key.
Now it seems we need to maintain versions of knife.rb ...
We can specify the client key with the knife command; versions of knife.rb can be avoided if we can specify node_name with the knife command.
Sounds reasonable. Let me know how it goes!
How did this go for you, @techish1?
That worked!!!!
Here's the command I use from my node to show the encrypted data bag items.
knife vault show DATA_BAG_NAME DATA_BAG_ITEM_NAME -k /etc/chef/MY_NODE_KEY.pem --mode client -F json -u MY_NODE_NAME
(substitute your own values in place of upper case text)
knife vault update DATA_BAG_NAME DATA_BAG_ITEM_NAME '{"username": "root", "password": "mypassword"}' -k /etc/chef/MY_NODE_KEY.pem --mode client -u MY_NODE_NAME
As I'm providing the node name (with the -u switch) in the above command I don't need to maintain different versions of knife.rb. The only thing my knife.rb contains is "chef_server_url", which is common to all my nodes.
The "-u" option in the knife command is equal to the "node_name" property in knife.rb.
This certainly solved my problem! As long as someone has access to a particular client (node), he/she should be able to access the data bag item if he himself is not in the list of admins.
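A simplified model of what the node-key approach above relies on (an added example, not chef-vault's own code): the vault item's shared secret is RSA-wrapped once for every listed admin and client public key, so whoever holds a matching private key, a node's client key included, can decrypt the item, while only names on the admins list are treated as allowed to update it. The names, keys and item contents are constructed for the example.

```ruby
require "openssl"
require "json"
require "base64"

# Simplified model of a chef-vault item (added example, not chef-vault's own code).
# The item body is AES-256-CBC encrypted under a random shared secret, and that
# secret is RSA-wrapped once per listed public key, one copy per admin and per
# search-query client. Names and keys used with it are constructed.
def wrap_vault_item(data, public_keys, admins)
  secret = OpenSSL::Random.random_bytes(32)
  cipher = OpenSSL::Cipher.new("aes-256-cbc").encrypt
  cipher.key = secret
  iv = cipher.random_iv
  body = cipher.update(JSON.generate(data)) + cipher.final
  # one wrapped copy of the secret per admin/client, the role of the "_keys" item
  keys = public_keys.transform_values { |pub| Base64.strict_encode64(pub.public_encrypt(secret)) }
  {
    "item"    => { "iv" => Base64.strict_encode64(iv), "data" => Base64.strict_encode64(body) },
    "keys"    => keys,
    "admins"  => admins,
    "clients" => public_keys.keys - admins,
  }
end

# Decrypt as `name` using its private key (what `-u NAME -k key.pem` supplies).
# Returns nil when the name is not on the key list or the key does not match.
def unwrap_vault_item(vault, name, private_key)
  wrapped = vault["keys"][name]
  return nil unless wrapped
  secret = private_key.private_decrypt(Base64.decode64(wrapped))
  cipher = OpenSSL::Cipher.new("aes-256-cbc").decrypt
  cipher.key = secret
  cipher.iv = Base64.decode64(vault["item"]["iv"])
  JSON.parse(cipher.update(Base64.decode64(vault["item"]["data"])) + cipher.final)
rescue OpenSSL::OpenSSLError, ArgumentError, JSON::ParserError
  nil # wrong private key for this name
end

# Only names in the admins list are allowed to update or re-key the item.
def can_update?(vault, name)
  vault["admins"].include?(name)
end
```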
Closing the issue based on the fact that you must provide at least one admin in --ADMINS, so admins seems to be a mandatory parameter.