Class: Chef::SecretFetcher

Inherits:
Object
  • Object
show all
Defined in:
lib/chef/secret_fetcher/base.rb,
lib/chef/secret_fetcher.rb,
lib/chef/secret_fetcher/example.rb,
lib/chef/secret_fetcher/hashi_vault.rb,
lib/chef/secret_fetcher/akeyless_vault.rb,
lib/chef/secret_fetcher/azure_key_vault.rb,
lib/chef/secret_fetcher/aws_secrets_manager.rb

Overview

Note:

':region' is required configuration. If it is not explicitly provided,

Chef::SecretFetcher::AWSSecretsManager

A fetcher that fetches a secret from AWS Secrets Manager In this initial iteration it defaults to authentication via instance profile. It is possible to pass options that configure it to use alternative credentials. This implementation supports fetching with version.

and it is not available via global AWS config, we will pull it from node ohai data by default. If this isn't correct, you will need to explicitly override it. If it is not available via ohai data either (such as if you have the AWS plugin disabled) then the converge will fail with an error.

@note: This does not yet support automatic retries, which the AWS client does by default.

For configuration options see docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/SecretsManager/Client.html#initialize-instance_method

Usage Example:

fetcher = SecretFetcher.for_service(:aws_secrets_manager) fetcher.fetch(“secretkey1”, “v1”)

Defined Under Namespace

Classes: AKeylessVault, AWSSecretsManager, AzureKeyVault, Base, Example, HashiVault

Constant Summary collapse

SECRET_FETCHERS =
%i{example aws_secrets_manager azure_key_vault hashi_vault akeyless_vault}.freeze
SUPPORTED_AUTH_TYPES =

Chef::SecretFetcher::HashiVault

A fetcher that fetches a secret from Hashi Vault.

Does not yet support fetching with version when a versioned key store is in use. In this initial iteration the only supported authentication is IAM role-based

Required config: :auth_method - one of :iam_role, :token. default: :iam_role :vault_addr - the address of a running Vault instance, eg vault.example.com:8200

For `:approle`: one of `:approle_name` or `:approle_id`

`:approle_name`: The name of the approle to use for authentication.  When specified, associated `:approle_id` will be found via query to Vault instance.
`:approle_id`: The ID of the approle to use for authentication, requires `:approle_secret_id`
`:approle_secret_id`: The Vault `secret_id` associated with the provided `:approle_name` or `:approle_id`.  When specified, prevents need to create `:secret_id` with `:approle_name`.

For `:token` auth: `:token` - a Vault token valid for authentication.

For `:iam_role`: `:role_name` - the name of the role in Vault that was created to support authentication via IAM. See the Vault documentation for details. A Terraform example is also available

1

www.vaultproject.io/docs/auth/aws#recommended-vault-iam-policy

2

registry.terraform.io/modules/hashicorp/vault/aws/latest/examples/vault-iam-auth

an IAM principal ARN bound to it.

Optional config :namespace - the namespace under which secrets are kept. Only supported in with Vault Enterprise

fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :iam_role, role_name: “testing-role”, vault_addr: localhost:8200}, run_context ) fetcher.fetch(“secretkey1”)

fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :token, token: “s.1234abcdef”, vault_addr: localhost:8200}, approle: 'approle_name', run_context ) fetcher.fetch(“secretkey1”)

fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :approle, approle_id: “11111111-abcd-1111-abcd-111111111111”, approle_secret_id: “22222222-abcd-2222-abcd-222222222222”, vault_addr: localhost:8200}, run_context ) fetcher.fetch(“secretkey1”)

fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :approle, approle_name: “testing-role”, token: “s.1234abcdef”, vault_addr: localhost:8200}, run_context ) fetcher.fetch(“secretkey1”)

%i{approle iam_role token}.freeze
AKEYLESS_VAULT_PROXY_ADDR =

Chef::SecretFetcher::AKeylessVault

A fetcher that fetches a secret from AKeyless Vault. Initial implementation is based on HashiVault , because AKeyless provides a compatibility layer that makes this possible. Future revisions will use native akeyless authentication.

Required config: :access_id - the access id of the API key :access_key - the access key of the API key

fetcher = SecretFetcher.for_service(:akeyless_vault, { access_id: “my-access-id”, access_key: “my-access-key” }, run_context ) fetcher.fetch(“/secret/data/secretkey1”)

"https://hvp.akeyless.io".freeze

Class Method Summary collapse

Class Method Details

.for_service(service, config, run_context) ⇒ Object

Returns a configured and validated instance of a [Chef::SecretFetcher::Base] for the given service and configuration.

Parameters:

  • service (Symbol)

    the identifier for the service that will support this request. Must be in SECRET_FETCHERS

  • config (Hash)

    configuration that the secrets service requires

  • run_context (Chef::RunContext)

    the run context this is being invoked from


34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# File 'lib/chef/secret_fetcher.rb', line 34

def self.for_service(service, config, run_context)
  fetcher = case service
            when :example
              require_relative "secret_fetcher/example"
              Chef::SecretFetcher::Example.new(config, run_context)
            when :aws_secrets_manager
              require_relative "secret_fetcher/aws_secrets_manager"
              Chef::SecretFetcher::AWSSecretsManager.new(config, run_context)
            when :azure_key_vault
              require_relative "secret_fetcher/azure_key_vault"
              Chef::SecretFetcher::AzureKeyVault.new(config, run_context)
            when :hashi_vault
              require_relative "secret_fetcher/hashi_vault"
              Chef::SecretFetcher::HashiVault.new(config, run_context)
            when :akeyless_vault
              require_relative "secret_fetcher/akeyless_vault"
              Chef::SecretFetcher::AKeylessVault.new(config, run_context)
            when nil, ""
              raise Chef::Exceptions::Secret::MissingFetcher.new(SECRET_FETCHERS)
            else
              raise Chef::Exceptions::Secret::InvalidFetcherService.new("Unsupported secret service: '#{service}'", SECRET_FETCHERS)
            end
  fetcher.validate!
  fetcher
end