Chef Attributes Node updates

I have an application cookbook that has a password attribute of ['cookbook']['password'].

I then have an environment cookbook that sets the value within the attributes. I know what to swap this out to set the underlying password from a data bag or chef-vault, but I don't want ['cookbook']['password'] to be updated with the password value.

If I use node.default['cookbook']['password'] within a recipe, does that mean it won't be updated on the chef-server node object? If not, how do I make sure that the attribute with the password then doesn't get exposed when setting passwords in wrapped cookbooks?

Hello stonesbg,

I think you’ve answered your own question? For passwords and secrets you should use

  • Chef-Vault
  • Encrypted data bags
  • Hashicorp Vault
  • Other similar secure key store

I wouldn’t recommend putting the secret value in a role or environment as an attribute override.

However, if you want something temporal during the Chef converge you can use run_state, i.e. node.run_state['some_key'] = value.

Alternatively, if you DO have something in your attributes and don't want the value to be sent back to the Chef server, you can use attribute whitelisting.

Or attribute blacklisting (there is a cookbook, but it's basically removing the attribute from the node).

Hope I’ve understood the question and this helps.

I don’t think that answers my full question.

So I have an application cookbook and a wrapper cookbook.

The application cookbook has the attribute set as default['cookbook']['password'] = nil.

In the wrapper cookbook I specify the attribute value default['cookbook']['password'] = "blue" within attributes/default.rb. This then causes this attribute value to be exposed through the Chef UI in the attributes of the node object.

If I set the value within the recipe instead of the attributes file, does this then update the node object so that the password is visible? Or is whitelisting/blacklisting attributes the only way to hide these from the UI and the "knife node show" CLI?

The reason is that I am trying to avoid having to change underlying cookbooks to embed reading from a data bag or chef-vault in them. I want to let whoever uses the cookbook specify the way they want to store the passwords.

Don’t assign the password to a node attribute. Do the vault get/lookup in a recipe directly where you need or store it in a normal variable in the recipe.
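The three patterns discussed in this thread, as an added example that is neither the posters' code nor Chef's own: a small plain-Ruby model of the node data a chef-client run would send back to the server, showing why a value in default['cookbook']['password'] lands in the saved node object while node.run_state and a recipe-local variable do not, and how a blocked attribute path (the "blacklisting" mentioned above) strips it. The class and function names (Node, build_node, save_payload, delete_path) and the blocked-path format are assumptions of this model, not Chef's API.

```ruby
# Minimal stand-in for a Chef node: only the two stores this thread is about.
# (Assumption: real Chef has more precedence levels; this model keeps just `default`.)
class Node
  attr_reader :default, :run_state

  def initialize
    @default = {}    # attribute data, persisted to the server at the end of a converge
    @run_state = {}  # per-run scratch space, never sent to the server
  end
end

# Remove one "a/b/c" style path from a nested hash, the way a blocked-attribute
# entry such as "cookbook/password" would be applied before saving.
def delete_path(hash, path)
  keys = path.split("/")
  parent = keys[0..-2].reduce(hash) { |h, k| h.is_a?(Hash) ? h[k] : nil }
  parent.delete(keys.last) if parent.is_a?(Hash)
  hash
end

# What would be posted back to the server. `blocked_default` stands in for a
# client.rb blocklist; run_state is deliberately absent from the payload.
def save_payload(node, blocked_default: [])
  saved = Marshal.load(Marshal.dump(node.default)) # deep copy so the live node is untouched
  blocked_default.each { |path| delete_path(saved, path) }
  { "default" => saved }
end

# Build a node the way the wrapper cookbook in the thread does, plus the two
# alternatives the replies recommend. Values are constructed sample data.
def build_node
  node = Node.new
  # 1. wrapper cookbook attributes/default.rb: default['cookbook']['password'] = 'blue'
  node.default["cookbook"] = { "password" => "blue", "port" => 8080 }
  # 2. temporal value for this converge only (node.run_state)
  node.run_state["db_password"] = "blue"
  node
end

# 3. recipe-local variable: a secret fetched inside the recipe (constructed here,
# where a chef-vault or data bag lookup would normally be) never touches the node.
def password_from_recipe_lookup
  secret_item = { "password" => "blue" } # stands in for the vault/data bag item
  secret_item["password"]
end

if __FILE__ == $PROGRAM_NAME
  node = build_node
  puts save_payload(node).inspect                                      # password present
  puts save_payload(node, blocked_default: ["cookbook/password"]).inspect # password gone, port kept
end
```

Running the file prints the payload with the password present, then the same payload with only "cookbook/password" removed; the run_state value and the recipe-local variable appear in neither.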