Chef vault for all admins?


#1

Hi,
In our organisation we’d like all admins to be able to edit all chef vaults.

Right now, every single time we create a vault item, we have to add all admins, and if a new admin joins the team, we have to update all vault items.

I frankly think that the vast majority of organisations using Chef and Chef Vault are in the same situation, and this should be the default behaviour.

While I can (with some effort) imagine a situation in which some secrets should not be known by all team members, I must note that admins can override cookbooks, which means that you cannot really prevent an admin from knowing such secrets if they want to.

Was there a discussion about the current default behaviour, in which only the creator of an item can read it? Am I missing some counter arguments?


#2

As you probably know, it doesn’t seem like it’s something that’s currently supported. And while useful (like many other things), it has to be at the right priority etc. for implementation.

I use it and I face similar issues… but it is what it is… As you said, the workaround (really not that bad) is to explicitly set the list of admins (which is what I do for vaults), so it’s not as if there is no way around it.

But there is some chef-vault 3.0 stuff in the works, just not sure what all is in there right now.


#3

We use git to hold all of our vaults, which when stored in git are encrypted with git-crypt. The uploading to our Chef servers is completed by our CI/CD pipeline, which uses its own GPG key for decryption and then its own Chef PEM file to upload to the Chef server via knife vault commands. No one actually edits or creates vaults on the Chef Server for our team.
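Putting the two workarounds above together (the explicit admin list from #2 and the git-crypt plus CI/knife flow from #3), here is an added example of such a pipeline step. It is not code from either poster or from chef-vault itself. It assumes a repository layout of vaults/&lt;vault&gt;/&lt;item&gt;.json, an admins.txt listing Chef user names one per line, a knife already configured with the pipeline's own .pem, and the knife-vault plugin installed; the file names and the `run` argument are my choice, not anything from the thread.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): a CI step that unlocks the git-crypt
# repo with the pipeline's own GPG key, then pushes every vault item to the
# Chef server with knife vault, attaching the full admin list from admins.txt
# on every run. Adding an admin then means one commit to admins.txt instead
# of touching every vault item by hand.
# Assumed (not stated in the thread): layout vaults/<vault>/<item>.json,
# knife configured with the pipeline's .pem, knife-vault plugin installed.
set -eu

# Read admins.txt (one Chef user per line, blank lines and '#' comments
# ignored) into the comma-separated form that knife vault -A expects.
admin_list() {
  grep -Ev '^[[:space:]]*(#|$)' "$1" | paste -sd, -
}

# Create the item if the server does not have it yet, otherwise update it.
# Both paths pass -A so the admin list is re-asserted on every run.
sync_vault_item() {
  vault=$1 item=$2 json=$3 admins=$4
  if knife vault show "$vault" "$item" >/dev/null 2>&1; then
    knife vault update "$vault" "$item" -J "$json" -A "$admins"
    echo "updated $vault/$item" >&2
  else
    knife vault create "$vault" "$item" -J "$json" -A "$admins"
    echo "created $vault/$item" >&2
  fi
}

# Walk <root>/<vault>/<item>.json, sync each item, and print how many were
# synced (progress goes to stderr so the count is the only stdout output).
sync_all_vaults() {
  root=$1 admins_file=$2 n=0
  admins=$(admin_list "$admins_file")
  for json in "$root"/*/*.json; do
    [ -e "$json" ] || continue
    vault=$(basename "$(dirname "$json")")
    item=$(basename "$json" .json)
    sync_vault_item "$vault" "$item" "$json" "$admins"
    n=$((n + 1))
  done
  echo "$n"
}

# Entry point for the pipeline: git-crypt finds the CI job's GPG key in its
# keyring, so no passphrase or key file is handled by this script.
main() {
  git-crypt unlock
  sync_all_vaults vaults admins.txt
}

# Invoke as `./sync_vaults.sh run` from the CI job; sourcing the file only
# defines the functions.
case "${1:-}" in
  run) main ;;
esac
```

One caveat worth knowing before adopting this: `knife vault update -A` adds the listed admins but does not drop anyone missing from the list, so removing a departed admin from admins.txt is not enough on its own; that still needs a `knife vault remove VAULT ITEM -A user` pass over the items.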