New admin user and vault


#1

How do I enable a new admin user added to my chef server to refresh existing vault secrets?

While trying knife vault refresh with the new userid I’m getting the following error:
ERROR: ChefVault::Exceptions::SecretDecryption: flintstones/fred is not encrypted with your public key. Contact an administrator of the vault item to encrypt for you!

While creating a new secret should I add --admin user1,user2 ?

Thanks,
Gibu


#2

Short answer: You have to update all vaults that the new admin should have access to. So use a current admin and call “knife vault update --admins=one,two,three,new_admin”

More details: Chef DataBags are always static JSON files, so each vault is encrypted for all given admins and all nodes the --search returns at the time of creation/update. You can have a look at the *_keys DataBag items. In there it is statically defined which admins and nodes should have access to the Vault. After the “knife vault update…” the _keys item for your vault should include the new admin.
If you want even more detail you could read the THEORY: https://github.com/chef/chef-vault/blob/master/THEORY.md
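The model described in #2 (one shared secret per vault item, wrapped once per admin in the `_keys` item, so a later admin can only get in after an existing admin re-wraps it) can be reproduced in a few lines of Ruby with OpenSSL. The code below is an added illustration written for this thread, not chef-vault's own implementation: the `VaultModel` module, its method names, the `fred` item, and the `one`/`new_admin` key pairs are all hypothetical, and the item layout is simplified compared with the real `_keys` data bag.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Hypothetical, simplified model of how chef-vault shares one secret among
# admins (not chef-vault's code). Each vault item is AES-encrypted with a
# random shared secret; the *_keys item holds that secret RSA-wrapped once per
# admin. Without a wrapped copy for your public key you cannot open the item.
module VaultModel
  NotEncryptedForYou = Class.new(StandardError)

  # Create an item for the given admins ({ name => OpenSSL::PKey::RSA public key }).
  # Returns [item, keys_item], both plain JSON-able hashes like a data bag.
  def self.create(item_id, data, admin_pubkeys)
    cipher = OpenSSL::Cipher.new('aes-256-cbc')
    cipher.encrypt
    shared_secret = cipher.random_key      # one secret for the whole item
    iv = cipher.random_iv
    ciphertext = cipher.update(JSON.generate(data)) + cipher.final
    item = { 'id' => item_id,
             'iv' => Base64.strict_encode64(iv),
             'data' => Base64.strict_encode64(ciphertext) }
    keys_item = { 'id' => "#{item_id}_keys", 'admins' => [] }
    admin_pubkeys.each { |name, pub| grant(keys_item, shared_secret, name, pub) }
    [item, keys_item]
  end

  # Wrap the shared secret for one admin and record the name in the admin list.
  # (Like the real _keys item, per-admin entries sit beside the 'admins' list.)
  def self.grant(keys_item, shared_secret, name, pub)
    keys_item[name] = Base64.strict_encode64(pub.public_encrypt(shared_secret))
    keys_item['admins'] << name unless keys_item['admins'].include?(name)
  end

  # Open the item as `name` using that admin's private key.
  def self.open(item, keys_item, name, priv)
    wrapped = keys_item[name]
    unless wrapped
      raise NotEncryptedForYou,
            "#{item['id']} is not encrypted with your public key"
    end
    shared_secret = priv.private_decrypt(Base64.strict_decode64(wrapped))
    cipher = OpenSSL::Cipher.new('aes-256-cbc')
    cipher.decrypt
    cipher.key = shared_secret
    cipher.iv = Base64.strict_decode64(item['iv'])
    JSON.parse(cipher.update(Base64.strict_decode64(item['data'])) + cipher.final)
  end

  # The step "knife vault update --admins=..." performs: a current admin unwraps
  # the shared secret with their private key and re-wraps it for the newcomers.
  def self.update_admins(item, keys_item, current_admin, current_priv, new_admins)
    wrapped = keys_item[current_admin]
    unless wrapped
      raise NotEncryptedForYou,
            "#{item['id']} is not encrypted with your public key"
    end
    shared_secret = current_priv.private_decrypt(Base64.strict_decode64(wrapped))
    new_admins.each { |name, pub| grant(keys_item, shared_secret, name, pub) }
    keys_item
  end
end

# Walk through the thread's situation: a vault made for admin "one", a new
# admin who is refused until "one" runs the update. Constructed sample data.
def demo
  keys = { 'one' => OpenSSL::PKey::RSA.new(2048),
           'new_admin' => OpenSSL::PKey::RSA.new(2048) }
  item, keys_item = VaultModel.create('fred', { 'password' => 'yabba-dabba' },
                                      { 'one' => keys['one'].public_key })
  before = begin
    VaultModel.open(item, keys_item, 'new_admin', keys['new_admin'])
    :opened
  rescue VaultModel::NotEncryptedForYou
    :denied
  end
  VaultModel.update_admins(item, keys_item, 'one', keys['one'],
                           { 'new_admin' => keys['new_admin'].public_key })
  after = VaultModel.open(item, keys_item, 'new_admin', keys['new_admin'])
  { before: before, after: after, admins: keys_item['admins'] }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The `before` result is the situation from #1: the item simply has no copy of the secret wrapped for the new admin's key, so no amount of `refresh` from that user can help. Only an admin who already holds a wrapped copy can add one, which is why the update has to be run by a current admin rather than by the newcomer.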


#3

Thanks

–gibu