In a blog post about Chef Vault, Nell edited the article with the following:
> NOTE: After posting this, I received feedback that searching for nodes using the -S tag can be insecure. This is because any node which has been compromised can potentially fake its own data and be picked up by the search. If this happens, the next time someone runs knife vault refresh, the compromised node could be illicitly given decryption access.
The secrets I'm planning on storing are going to be unique per node so operating with the least-privilege mindset, nodeA should generate a secret that can only be accessed by AdminUser and nodeA and nodeB should generate a secret that can only be accessed by AdminUser and nodeB.
To that end, I'm trying to figure out how to accomplish securing against a compromised node being included on a search. In the recipe, I have code like this:
```ruby
chef_vault_secret "set-secret" do
  id "#{node['hostname']}-secret"
  data_bag vault_name
  admins vault_admins
  # search "name:#{node.name}"
  raw_data('key' => value)
  action :create
end
```
When using chef_vault_secret without a search specified, the Chef server interprets the search to be `*:*`.
When I go to the Chef server, manually edit the JSON and delete the search_query field (or set it to `[]`, which sets it to null), I get this error:
```
ERROR: knife encountered an unexpected error
This may be a bug in the 'vault refresh' knife command or plugin
Please collect the output of this command with the -VV option before filing a bug report.
Exception: NameError: undefined local variable or method 'vault' for #<ChefVault::Item:0x007fa8ffa87960>
```
Setting the search_query to `':'` is invalid, and I can't think of anything else that would negate the search.
I'm not sure what the blog post would be suggesting to do to not search. Any ideas?
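As an added defender-side check, not code from the question or from chef-vault itself, the following audits a vault's `_keys` data bag item after a refresh to confirm that only the intended node and admin can decrypt it. The sample item is constructed, and its layout (`admins`/`clients` arrays, a `search_query` string, and one encrypted entry per principal) is assumed to match what chef-vault stores on the Chef server.

```ruby
require 'json'
require 'set'

# Constructed sample of a chef-vault "<item>_keys" data bag item. The layout is
# an assumption about chef-vault's storage format; the encrypted values are
# placeholders, not real ciphertext.
SAMPLE_KEYS_ITEM = JSON.parse(<<~'JSON')
  {
    "id": "nodeA-secret_keys",
    "admins": ["AdminUser"],
    "clients": ["nodeA", "nodeB"],
    "search_query": "*:*",
    "AdminUser": "ENCRYPTED-PLACEHOLDER",
    "nodeA": "ENCRYPTED-PLACEHOLDER",
    "nodeB": "ENCRYPTED-PLACEHOLDER"
  }
JSON

# Compare the principals that can decrypt a vault item against the intended
# set. Returns a hash of findings; an empty hash means the item is as expected.
def audit_vault_keys(keys_item, expected_clients:, expected_admins:)
  findings = {}
  clients = Set.new(Array(keys_item['clients']))
  admins  = Set.new(Array(keys_item['admins']))

  extra_clients = clients - expected_clients
  extra_admins  = admins - expected_admins
  findings[:unexpected_clients] = extra_clients.to_a.sort unless extra_clients.empty?
  findings[:unexpected_admins]  = extra_admins.to_a.sort unless extra_admins.empty?

  # Every encrypted key entry must belong to a listed principal; a stray entry
  # means someone can decrypt without appearing in admins/clients.
  meta = %w[id admins clients search_query mode]
  key_holders = Set.new(keys_item.keys - meta)
  stray = key_holders - clients - admins
  findings[:unlisted_key_entries] = stray.to_a.sort unless stray.empty?

  # A null or wildcard search_query means the next `knife vault refresh`
  # re-grants access to whatever nodes the Chef search returns, so flag it.
  query = keys_item['search_query'].to_s.strip
  findings[:wildcard_search] = query if query.empty? || query == '*:*'

  findings
end
```

Run it from a cron job or CI step against `knife data bag show <vault> <item>_keys -F json` output and alert on any non-empty result.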