Class: Chef::SecretFetcher
- Inherits:
-
Object
- Object
- Chef::SecretFetcher
- Defined in:
- lib/chef/secret_fetcher/base.rb,
lib/chef/secret_fetcher.rb,
lib/chef/secret_fetcher/example.rb,
lib/chef/secret_fetcher/hashi_vault.rb,
lib/chef/secret_fetcher/akeyless_vault.rb,
lib/chef/secret_fetcher/azure_key_vault.rb,
lib/chef/secret_fetcher/aws_secrets_manager.rb
Overview
‘:region’ is required configuration. If it is not explicitly provided,
Chef::SecretFetcher::AWSSecretsManager
A fetcher that fetches a secret from AWS Secrets Manager In this initial iteration it defaults to authentication via instance profile. It is possible to pass options that configure it to use alternative credentials. This implementation supports fetching with version.
and it is not available via global AWS config, we will pull it from node ohai data by default. If this isn’t correct, you will need to explicitly override it. If it is not available via ohai data either (such as if you have the AWS plugin disabled) then the converge will fail with an error.
@note: This does not yet support automatic retries, which the AWS client does by default.
For configuration options see docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/SecretsManager/Client.html#initialize-instance_method
Usage Example:
fetcher = SecretFetcher.for_service(:aws_secrets_manager) fetcher.fetch(“secretkey1”, “v1”)
Defined Under Namespace
Classes: AKeylessVault, AWSSecretsManager, AzureKeyVault, Base, Example, HashiVault
Constant Summary collapse
- SECRET_FETCHERS =
%i{example aws_secrets_manager azure_key_vault hashi_vault akeyless_vault}.freeze
- SUPPORTED_AUTH_TYPES =
Chef::SecretFetcher::HashiVault
A fetcher that fetches a secret from Hashi Vault.
Does not yet support fetching with version when a versioned key store is in use. In this initial iteration the only supported authentication is IAM role-based
Required config: :auth_method - one of :iam_role, :token. default: :iam_role :vault_addr - the address of a running Vault instance, eg vault.example.com:8200
For ‘:approle`: one of `:approle_name` or `:approle_id`
`:approle_name`: The name of the approle to use for authentication. When specified, associated `:approle_id` will be found via query to Vault instance. `:approle_id`: The ID of the approle to use for authentication, requires `:approle_secret_id` `:approle_secret_id`: The Vault `secret_id` associated with the provided `:approle_name` or `:approle_id`. When specified, prevents need to create `:secret_id` with `:approle_name`.For ‘:token` auth: `:token` - a Vault token valid for authentication.
For ‘:iam_role`: `:role_name` - the name of the role in Vault that was created to support authentication via IAM. See the Vault documentation for details. A Terraform example is also available
- 1
-
www.vaultproject.io/docs/auth/aws#recommended-vault-iam-policy
- 2
-
registry.terraform.io/modules/hashicorp/vault/aws/latest/examples/vault-iam-auth
an IAM principal ARN bound to it.
Optional config :namespace - the namespace under which secrets are kept. Only supported in with Vault Enterprise
fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :iam_role, role_name: “testing-role”, vault_addr: localhost:8200}, run_context ) fetcher.fetch(“secretkey1”)
fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :token, token: “s.1234abcdef”, vault_addr: localhost:8200}, approle: ‘approle_name’, run_context ) fetcher.fetch(“secretkey1”)
fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :approle, approle_id: “11111111-abcd-1111-abcd-111111111111”, approle_secret_id: “22222222-abcd-2222-abcd-222222222222”, vault_addr: localhost:8200}, run_context ) fetcher.fetch(“secretkey1”)
fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :approle, approle_name: “testing-role”, token: “s.1234abcdef”, vault_addr: localhost:8200}, run_context ) fetcher.fetch(“secretkey1”)
%i{approle iam_role token}.freeze
- AKEYLESS_VAULT_PROXY_ADDR =
Chef::SecretFetcher::AKeylessVault
A fetcher that fetches a secret from AKeyless Vault. Initial implementation is based on HashiVault , because AKeyless provides a compatibility layer that makes this possible. Future revisions will use native akeyless authentication.
Required config: :access_id - the access id of the API key :access_key - the access key of the API key
fetcher = SecretFetcher.for_service(:akeyless_vault, { access_id: “my-access-id”, access_key: “my-access-key” }, run_context ) fetcher.fetch(“/secret/data/secretkey1”)
"https://hvp.akeyless.io".freeze
Class Method Summary collapse
-
.for_service(service, config, run_context) ⇒ Object
Returns a configured and validated instance of a [Chef::SecretFetcher::Base] for the given service and configuration.
Class Method Details
.for_service(service, config, run_context) ⇒ Object
Returns a configured and validated instance of a [Chef::SecretFetcher::Base] for the given service and configuration.
34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 |
# File 'lib/chef/secret_fetcher.rb', line 34 def self.for_service(service, config, run_context) fetcher = case service when :example require_relative "secret_fetcher/example" Chef::SecretFetcher::Example.new(config, run_context) when :aws_secrets_manager require_relative "secret_fetcher/aws_secrets_manager" Chef::SecretFetcher::AWSSecretsManager.new(config, run_context) when :azure_key_vault require_relative "secret_fetcher/azure_key_vault" Chef::SecretFetcher::AzureKeyVault.new(config, run_context) when :hashi_vault require_relative "secret_fetcher/hashi_vault" Chef::SecretFetcher::HashiVault.new(config, run_context) when :akeyless_vault require_relative "secret_fetcher/akeyless_vault" Chef::SecretFetcher::AKeylessVault.new(config, run_context) when nil, "" raise Chef::Exceptions::Secret::MissingFetcher.new(SECRET_FETCHERS) else raise Chef::Exceptions::Secret::InvalidFetcherService.new("Unsupported secret service: '#{service}'", SECRET_FETCHERS) end fetcher.validate! fetcher end |