My chef server is provisioned with a chef cookbook - ‘chef-server’. The cookbook also deals with all the extra configuration required for the server to work without any additional manual configuration.
The challenge is to pass the user and organization pem files to the chef workstation. One idea that came to my mind is to upload the pem files to S3 and download them from the Chef workstation (my MacBook laptop).
Any other solutions?
This is probably okay as long as you’re not making the S3 objects public.
As for alternative options, it depends on your use case. One thing you can do is generate keys on your own beforehand, and then use the key rotation feature to add your own keys to the various accounts that get created when you set up the server. See
knife user key create USER (options) and the corresponding command for clients. When you add new keys to a user/client, you only need to give the server the public key, so you can keep the private key safe. The downside of this approach is, if you’re creating a lot of Chef Servers, they’ll all have the same set of keys. Depending on what you’re doing with the servers, this may or may not be a problem.
Good idea. Thanks for the info.
Definitely use a role on AWS so the bucket can only be accessed from the machines with the role… if they are already on a role… extend the role to include a custom policy for those buckets… typically a ‘bootstrap’ bucket of some type with chef items that are locked down.
Also, a word of advice: look at node termination too, so that things are de-registered on shutdown.
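One way to lock such a bootstrap bucket down to a single role, as an added example that is not part of the original thread: a bucket policy that lets only the instance role read the pem objects, denies every other principal (apart from an admin role, so the policy stays manageable), and refuses plaintext HTTP. The bucket name example-chef-bootstrap, the account id 111122223333 and the role names chef-bootstrap and s3-admin are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowChefRoleReadPems",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/chef-bootstrap" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-chef-bootstrap/pems/*"
    },
    {
      "Sid": "AllowChefRoleListPemsPrefixOnly",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/chef-bootstrap" },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-chef-bootstrap",
      "Condition": { "StringLike": { "s3:prefix": "pems/*" } }
    },
    {
      "Sid": "DenyEveryoneExceptChefAndAdminRoles",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-chef-bootstrap",
        "arn:aws:s3:::example-chef-bootstrap/*"
      ],
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::111122223333:role/chef-bootstrap",
            "arn:aws:iam::111122223333:role/s3-admin"
          ]
        }
      }
    },
    {
      "Sid": "DenyPlaintextTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-chef-bootstrap",
        "arn:aws:s3:::example-chef-bootstrap/*"
      ],
      "Condition": { "Bool": { "aws:SecureTransport": "false" } }
    }
  ]
}
```

The explicit Deny wins over any identity policy, so a key leaked from an unrelated IAM user still cannot fetch the pems; pair it with Block Public Access on the bucket and a short-lived role session on the workstation rather than long-lived access keys.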
What do you mean by ‘bootstrap’ bucket? Is it only the name of the bucket, or are there additional settings required?
Oh, I just meant an S3 bucket that you can tailor the way you want to provide specific chef things (or anything that you want to securely use between an authorized node via roles etc.)
Thanks. I have already implemented what you have suggested. It works perfectly.