Chef Vault Item not encrypted with your public key, on node

Chef Infra (archive)
1

Unfortunately I’ve posted this around and I can’t seem to find a solution. I’m trying to store encrypted credentials for user creation Chef Vault and then deploy the cookbook to the node I want the user created on. I’m fairly new to Chef and even newer to Chef Vault so I aplogize if this is an obvious answer.

Using Chef version 12.13.37

Using chef-vault cookbook 2.1.1

Initially created the vault with

knife vault create ftp users \ '{"user":"password"}' \ --search 'name:my_node_name' \ --admins bk0155 \ --mode client

Output of knife vault show ftp users gives

id:             users
user: password

My recipe has this in it:

include_recipe 'chef-vault'
vault = ChefVault::Item.load("ftp", "users")
user 'testuser' do
      comment 'Test User Account'
      home '/home/testuser'
      shell '/sbin/bash'
      group 'testusers'
      password vault['user']
end

And the error I’m getting is

 ChefVault::Exceptions::SecretDecryption
 ---------------------------------------
 ftp/users is not encrypted with your public key.  Contact an administrator of the vault item to encrypt for you!

 Cookbook Trace:
 ---------------
 /var/chef/cache/cookbooks/ftp_test/recipes/default.rb:10:in 
 `from_file'


/var/chef/cache/cookbooks/compat_resource/files/lib/chef_compat/monkeypatches/chef/run_context.rb:347:in `load_recipe'

  Relevant File Content:
  ----------------------
  /var/chef/cache/cookbooks/ftp_test/recipes/default.rb:

    3:  # Recipe:: default
    4:  #
    5:  # Copyright:: 2017, The Authors, All Rights Reserved.
    6:  #
    7:
    8:  include_recipe 'chef-vault'
    9:
   10>> vault = ChefVault::Item.load("ftp", "users")
   11:

I’ve tried doing
knife update ftp users -S 'name:my_node_name' -M client to update but that doesn’t seem to help

Doing a knife data bag show ftp users_keys gives:

WARNING: Unencrypted data bag detected, ignoring any provided secret options.
admins:
  bk0155
  my_node_name
my_node_name: fqkwg0098mpbDiJKFCsBEoMLiyN0kZLksiZpWwoxepr6lUgBMFGkJvSpkoGf
3ZwZt8PG2keNe9RYQ93rvgRBKGhLwP46lvDMLO78CEBPfSV5S2mYoe7B7mBb
NFhHPmWkXX2IhaL6TkLvvjATVqBEuUbeqtDb7HO5XOSTuBHacovQxEJerHmA
dXWBsPgs/GPnsu8xK3BNLHjvyVJ3ovaYkvCTxdFTWvDfb8184jC9rJX882Op
XCeGhZ3I5BPXDmNi5XW7EAPgjtbqgxIGPZwYHrrEcZji4TMKxnc6O5+9rPB/
/j4mM/QEL5zGtTeeluzmX+wSE605p9KwGAqsLpUn/g==

clients:                  my_node_name
id:                       users_keys
bk0155:                 mDsML41veFJclX0yXVMqYGvW52uRnZRtQTrRl1XTddgUJc0N9RR1qnyk0gxC
07jKkN+AsdkFuMoOGr7UcUCo/1MEsL125CvsSevOGOF9QMvUk67xw8Q+OlP0
4vqmvJNyaxeXxVV7FOVJSTC2ytovStD2WaSshZutNhG+EgIZ0zSOivHHryW+
aFyClqjVIA3Sm7ITuEyheqBJZZntpHhK1a4Gwk1V3T9aJZ3OT5vvFtNzppnx
CerZvQjPdthwmrqbKfMmYG3KmsPUPEMsAHxK8ryw8Sntu/MYechWzUTGYDii
gcuhehwUCgb+6LAM66ygiIqxcpZ3qg2ddcSUbo5V0g==

search_query:             name:my_node_name

I have also tried knife vault rotate keys and am still getting the same error.

2

Have you tried?

vault = chef_vault_item('ftp', 'users')
3

I have, same error is presented.

4

Bump.
Any help on this would be greatly appreciated. This is blocking me from moving forward with other aspects of the cookbook. I’ve posted the same error on Stackoverflow with no answers either.

5

You get the exact same error after adding the clients?

6

That’s correct. I’ve been adding them by searching using node name.

7

First delete the credentials using

knife data bag show VAULT ITEM_keys [--user=USER]
# keep track of --admins
knife data bag delete VAULT ITEM_keys [-C CLIENT] [--user=USER]
knife data bag delete VAULT ITEM [-C CLIENT] [--user=USER]

Now you are good to create however you may want to supply [--admins=]