Hello,
I’m using encrypted data bags in one of my cookbooks. I have the secret key
stored in another secure network location that nodes can access as needed.
I’d like to have the recipe retrieve the secret key, use it, and then
delete the key on the node when finished. I’m having trouble getting those
steps to happen in the proper order and while I understand why, I haven’t
been able to find a satisfactory solution. The point is to avoid letting
the key sit unused on the node.
When the server is first provisioned, I put a dummy key at
/etc/chef/encrypted_data_bag_secret so that load_secret doesn't fail when
trying to find it. In my cookbook I have something like:
bash "pull-key" do
  code <<-EOH
    # Rename dummy key
    # Copy the real key from network location to local file system
  EOH
end

# Plain Ruby in a recipe is evaluated while the recipe is compiled, i.e.
# before any of the resources above or below it have run.
key = Chef::EncryptedDataBagItem.load_secret("/etc/chef/encrypted_data_bag_secret")
db_secrets = Chef::EncryptedDataBagItem.load("passwords", "database", key)
db_pass = db_secrets["db_pass"]
. . .
# Given its own name: a second resource also named "pull-key" would make
# Chef clone the first one instead of creating a new resource.
bash "remove-key" do
  code <<-EOH
    # Delete real key
    # Rename dummy back
  EOH
end
The EncryptedDataBagItem.load line passes fine, but accessing the bag is
where I’m stuck. Chef wants to decrypt the bag with the real key and assign
the variable before the real key has even been copied to the node. I
thought about using another tool like Jenkins or something to first
initiate a copy of the key and then trigger chef-client, but that breaks my
automation process. Is it possible to somehow force the copy to happen
before the data bag is accessed?
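The ordering problem described in this post comes from chef-client running a recipe in two phases: the recipe body is plain Ruby and is evaluated in the compile phase, while resources such as bash and ruby_block are only declared then and executed later, in declaration order, in the converge phase. The following is an added illustration, not code from the original post and not Chef's own code: a small plain-Ruby simulation of the two phases that reproduces the failure and shows the two usual ways around it. FakeFS, FakeEncryptedBag, FakeRecipe, the secret values and the bag contents are all constructed stand-ins; only the resource names and the secret path are taken from the post.

```ruby
SECRET_PATH = '/etc/chef/encrypted_data_bag_secret'
DUMMY_KEY   = 'dummy-placeholder'            # constructed stand-in for the dummy key
REAL_KEY    = 'real-key-from-network-share'  # constructed stand-in for the real secret
# In-memory file system so the example runs offline without touching /etc.
class FakeFS
  def initialize; @files = {}; end
  def write(path, data); @files[path] = data; end
  def read(path); @files.fetch(path) { raise Errno::ENOENT, path }; end
  def rename(from, to); @files[to] = @files.delete(from); end
  def delete(path); @files.delete(path); end
end

# Stand-in for Chef::EncryptedDataBagItem: only the real key opens the bag.
module FakeEncryptedBag
  def self.load_secret(fs, path); fs.read(path); end
  def self.load(item, key)
    raise ArgumentError, "wrong key for data bag item #{item}" unless key == REAL_KEY
    { 'db_pass' => 'hunter2' } # constructed bag contents
  end
end

# A declared resource; run_action mimics Chef's resource.run_action(:run).
Resource = Struct.new(:name, :action, :body) { def run_action; body.call; end }
class FakeRecipe
  attr_reader :run_state, :converge_log
  def initialize; @resources = []; @run_state = {}; @converge_log = []; end

  # Compile phase: the recipe body is plain Ruby. bash/ruby_block only *declare*
  # a resource (and return it); nothing is executed yet.
  def bash(name, action: :run, &body)
    @resources << Resource.new(name, action, body)
    @resources.last
  end
  alias ruby_block bash
  def compile(&recipe_body); instance_eval(&recipe_body); self; end

  # Converge phase: resources run in declaration order, only after the whole
  # recipe body has been compiled. Resources declared with :nothing are skipped.
  def converge
    @resources.each do |r|
      next if r.action == :nothing
      @converge_log << r.name
      r.run_action
    end
    self
  end
end

def pull_key(fs)
  fs.rename(SECRET_PATH, "#{SECRET_PATH}.dummy")
  fs.write(SECRET_PATH, REAL_KEY) # stands in for the copy from the network location
end
def remove_key(fs)
  fs.delete(SECRET_PATH)
  fs.rename("#{SECRET_PATH}.dummy", SECRET_PATH)
end
def fresh_fs; FakeFS.new.tap { |fs| fs.write(SECRET_PATH, DUMMY_KEY) }; end

# 1. The recipe as posted: the load is plain Ruby, so it runs during compile,
#    before pull-key has executed, and is handed the dummy key.
def naive_recipe
  fs = fresh_fs
  FakeRecipe.new.compile do
    bash('pull-key') { pull_key(fs) }
    key = FakeEncryptedBag.load_secret(fs, SECRET_PATH) # still DUMMY_KEY here
    FakeEncryptedBag.load('passwords/database', key)    # raises ArgumentError
  end.converge
end

# 2. Fix A: move the load into a ruby_block so it runs at converge time, after
#    pull-key and before remove-key; hand the result on via run_state.
def deferred_recipe
  fs = fresh_fs
  r = FakeRecipe.new.compile do
    bash('pull-key') { pull_key(fs) }
    ruby_block('load-secrets') do
      key = FakeEncryptedBag.load_secret(fs, SECRET_PATH)
      run_state[:db_pass] = FakeEncryptedBag.load('passwords/database', key)['db_pass']
    end
    bash('remove-key') { remove_key(fs) }
  end.converge
  [r.run_state[:db_pass], r.converge_log, fs.read(SECRET_PATH)]
end

# 3. Fix B: run pull-key and remove-key at compile time (Chef idiom: `action
#    :nothing` plus an explicit run_action(:run)); the plain-Ruby load then sees
#    the real key, and the key is gone again before converge even starts.
def compile_time_recipe
  fs = fresh_fs
  db_pass = nil
  r = FakeRecipe.new.compile do
    bash('pull-key', action: :nothing) { pull_key(fs) }.run_action
    key = FakeEncryptedBag.load_secret(fs, SECRET_PATH)
    db_pass = FakeEncryptedBag.load('passwords/database', key)['db_pass']
    bash('remove-key', action: :nothing) { remove_key(fs) }.run_action
  end.converge
  [db_pass, r.converge_log, fs.read(SECRET_PATH)]
end
```

Two caveats a practitioner should weigh. With fix A the real key sits on disk for every resource between load-secrets and remove-key, and if chef-client aborts anywhere in that window remove-key never runs and the key is left behind, which is exactly the exposure the post wants to avoid. Fix B narrows the window to the moment of the load, at the cost of compile-time resources running on every chef-client run and outside why-run and notifications. Since Chef::EncryptedDataBagItem.load takes the secret as a plain string (load_secret only reads a file into one), a third option is to read the key from the network location straight into a Ruby variable and never write it under /etc/chef at all, which removes the dummy-file dance entirely.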