Class: Chef::SecretFetcher::HashiVault
- Defined in:
- lib/chef/secret_fetcher/hashi_vault.rb
Direct Known Subclasses
Instance Attribute Summary
Attributes inherited from Base
Instance Method Summary collapse
-
#do_fetch(identifier, _version) ⇒ Hash
be the full path of that secret, eg 'secret/example'.
-
#validate! ⇒ Object
Validate and authenticate the current session using the configured auth strategy and parameters.
Methods inherited from Base
Constructor Details
This class inherits a constructor from Chef::SecretFetcher::Base
Instance Method Details
#do_fetch(identifier, _version) ⇒ Hash
be the full path of that secret, eg 'secret/example'
125 126 127 128 129 130 |
# File 'lib/chef/secret_fetcher/hashi_vault.rb', line 125 def do_fetch(identifier, _version) result = Vault.logical.read(identifier) raise Chef::Exceptions::Secret::FetchFailed.new("No secret found at #{identifier}. Check to ensure that there is a secrets engine configured for that path") if result.nil? result.data end |
#validate! ⇒ Object
Validate and authenticate the current session using the configured auth strategy and parameters
76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 |
# File 'lib/chef/secret_fetcher/hashi_vault.rb', line 76 def validate! if config[:vault_addr].nil? raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the Vault address in the configuration as :vault_addr") end Vault.address = config[:vault_addr] Vault.namespace = config[:namespace] unless config[:namespace].nil? case config[:auth_method] when :approle unless config[:approle_name] || config[:approle_id] raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the :approle_name or :approle_id in the configuration with :auth_method set to :approle") end # When :approle_id and :approle_secret_id are both specified, all pieces are present which are needed to authenticate using an approle. # If either is missing, we need to authenticate to Vault to get the missing pieces with the :approle_name and optionally :token. unless config[:approle_id] && config[:approle_secret_id] if config[:approle_name].nil? raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the :approle_name in the configuration when :approle_id and :approle_secret_id are not both present with :auth_method set to :approle") end Vault.token = config[:token] unless config[:token].nil? end approle_id = config[:approle_id] || Vault.approle.role_id(config[:approle_name]) approle_secret_id = config[:approle_secret_id] || Vault.approle.create_secret_id(config[:approle_name]).data[:secret_id] Vault.auth.approle(approle_id, approle_secret_id) when :token if config[:token].nil? raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the token in the configuration as :token") end Vault.auth.token(config[:token]) when :iam_role, nil if config[:role_name].nil? raise Chef::Exceptions::Secret::ConfigurationInvalid.new("You must provide the authenticating Vault role name in the configuration as :role_name") end Vault.auth.aws_iam(config[:role_name], Aws::InstanceProfileCredentials.new, Vault.address) else raise Chef::Exceptions::Secret::ConfigurationInvalid.new("Invalid :auth_method provided. You gave #{config[:auth_method]}, expected one of :#{SUPPORTED_AUTH_TYPES.join(", :")} ") end end |