Using chef solo to aws distribute keys


#1

Hi,

I have aws keys that I need to redistribute to nodes. I use chef solo.
What is best practice with chef-solo? Are there any docs regarding this?
I cant find.

Thanks


#2

Use AWS IAM Machine Keys to authorize your gear with particular roles
and policies.

cheers,

–aj

On Tue, Dec 9, 2014 at 8:56 AM, David Montgomery
davidmontgomery@gmail.com wrote:

Hi,

I have aws keys that I need to redistribute to nodes. I use chef solo. What
is best practice with chef-solo? Are there any docs regarding this? I cant
find.

Thanks


#3

I’d also appreciate help with this, for various forms of keys. It’s theoretically possible to distribute a chef encryption key out of band, and use unique keys for unique hosts or classes of hosts, but managing it gets burdensome very quickly when you have more than a few hosts or a few classes of environment.

Nico Kadel-Garcia
Lead DevOps Engineer
nkadel@skyhookwireless.commailto:nkadel@skyhookwireless.com

From: David Montgomery [mailto:davidmontgomery@gmail.com]
Sent: Monday, December 08, 2014 2:57 PM
To: chef@lists.opscode.com
Subject: [chef] Using chef solo to aws distribute keys

Hi,
I have aws keys that I need to redistribute to nodes. I use chef solo. What is best practice with chef-solo? Are there any docs regarding this? I cant find.

Thanks


#4

Hi,

If you mean distributing AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, then
I would recommend a) not doing so, and using IAM roles to grant access to
AWS resources or b) if you must distribute keys then use Encrypted
DataBags; Chef-Vault, https://github.com/Nordstrom/chef-vault; or Citadel,
https://github.com/poise/citadel.

If I’m missing the point of the question, or if you don’t know where to get
started with IAM roles, then please feel free to follow-up.

Cheers,

Peter

On Wed, Dec 17, 2014 at 10:14 AM, Nico Kadel-Garcia <
nkadel@skyhookwireless.com> wrote:

I’d also appreciate help with this, for various forms of keys. It’s
theoretically possible to distribute a chef encryption key out of band, and
use unique keys for unique hosts or classes of hosts, but managing it gets
burdensome very quickly when you have more than a few hosts or a few
classes of environment.

Nico Kadel-Garcia

Lead DevOps Engineer

nkadel@skyhookwireless.com

From: David Montgomery [mailto:davidmontgomery@gmail.com]
Sent: Monday, December 08, 2014 2:57 PM
To: chef@lists.opscode.com
Subject: [chef] Using chef solo to aws distribute keys

Hi,

I have aws keys that I need to redistribute to nodes. I use chef solo.
What is best practice with chef-solo? Are there any docs regarding this?
I cant find.

Thanks


#5

I was referring more to MySQL database password. This especially applies to MySQL modules in various web servers and backup systems for databases: these tend to rely on passwords stored locally in clear text, but I certainly don’t want them in my role or environment attributes in clear text.

I’ve done this with actual chef servers, but am only learning ‘chef-solo’ now. I’d welcome a walkthrough or insights.

Nico Kadel-Garcia
Lead DevOps Engineer
nkadel@skyhookwireless.commailto:nkadel@skyhookwireless.com

From: Peter Burkholder [mailto:pburkholder@getchef.com]
Sent: Thursday, December 18, 2014 2:27 PM
To: chef@lists.opscode.com
Subject: [chef] Re: RE: Using chef solo to aws distribute keys

Hi,

If you mean distributing AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, then I would recommend a) not doing so, and using IAM roles to grant access to AWS resources or b) if you must distribute keys then use Encrypted DataBags; Chef-Vault, https://github.com/Nordstrom/chef-vault; or Citadel, https://github.com/poise/citadel.

If I’m missing the point of the question, or if you don’t know where to get started with IAM roles, then please feel free to follow-up.

Cheers,

Peter

On Wed, Dec 17, 2014 at 10:14 AM, Nico Kadel-Garcia <nkadel@skyhookwireless.commailto:nkadel@skyhookwireless.com> wrote:
I’d also appreciate help with this, for various forms of keys. It’s theoretically possible to distribute a chef encryption key out of band, and use unique keys for unique hosts or classes of hosts, but managing it gets burdensome very quickly when you have more than a few hosts or a few classes of environment.

Nico Kadel-Garcia
Lead DevOps Engineer
nkadel@skyhookwireless.commailto:nkadel@skyhookwireless.com

From: David Montgomery [mailto:davidmontgomery@gmail.commailto:davidmontgomery@gmail.com]
Sent: Monday, December 08, 2014 2:57 PM
To: chef@lists.opscode.commailto:chef@lists.opscode.com
Subject: [chef] Using chef solo to aws distribute keys

Hi,
I have aws keys that I need to redistribute to nodes. I use chef solo. What is best practice with chef-solo? Are there any docs regarding this? I cant find.

Thanks


#6

On Dec 18, 2014, at 3:24 PM, Nico Kadel-Garcia nkadel@skyhookwireless.com wrote:

I was referring more to MySQL database password. This especially applies to MySQL modules in various web servers and backup systems for databases: these tend to rely on passwords stored locally in clear text, but I certainly don’t want them in my role or environment attributes in clear text.

I’ve done this with actual chef servers, but am only learning ‘chef-solo’ now. I’d welcome a walkthrough or insights.

https://coderanger.net/chef-secrets/ goes over your options.

–Noah


#7

I’ve taken a look at the various solutions. None of them work: many are dependent on an available chef server to hold encrypted data, unlocked by a local key, and I’m using chef-solo extensively, not a chef-server/chef-client setup. Also, frankly, many cookbooks such as the “nagios” and “mysql” and “users” cookbooks have no structure in place for managing encrypted data that must be stored on individual nodes in locally unencrypted format, such as MySQL passwords, Nagios stored credentials for remote service checks, or private SSH keys.

It’s possible to write individual customized wrapper cookbooks for each of these, but it’s awkward and fragile to have to keep wrapping this material. And if you use a git or other source control for such information, it means that anyone who has access to that repository has the relevant passwords or private keys unless you ignore the built-in tools and write your own wrappers or updates to fix this. This is especially true for SSH private keys for individual accounts in the “users” cookbook, and for initial “root” access for MySQL, Postgresql, and other databases.

Nico Kadel-Garcia
Lead DevOps Engineer
nkadel@skyhookwireless.com

-----Original Message-----
From: Noah Kantrowitz [mailto:noah@coderanger.net]
Sent: Thursday, December 18, 2014 10:48 PM
To: chef@lists.opscode.com
Subject: [chef] Re: Using chef solo to aws distribute keys

On Dec 18, 2014, at 3:24 PM, Nico Kadel-Garcia
nkadel@skyhookwireless.com wrote:

I was referring more to MySQL database password. This especially applies to
MySQL modules in various web servers and backup systems for databases: these
tend to rely on passwords stored locally in clear text, but I certainly don’t want
them in my role or environment attributes in clear text.

I’ve done this with actual chef servers, but am only learning ‘chef-solo’ now.
I’d welcome a walkthrough or insights.

https://coderanger.net/chef-secrets/ goes over your options.

–Noah


#8

How about using knife solo data bag
https://github.com/thbishop/knife-solo_data_bag? Makes it easy to use
encrypted data bags and chef-solo. Be sure to .gitignore your
encrypted_data_bag_secret.

Then in my cookbook I do something like:

mysql_auth = Chef::EncryptedDataBagItem.load(“mysql”,
“auth”)node.default[“mysql”][“server_root_password”] =
mysql_auth[“server_root_password”]include_recipe “mysql::server”

On Fri, Feb 13, 2015 at 4:27 PM, Nico Kadel-Garcia <
nkadel@skyhookwireless.com> wrote:

I’ve taken a look at the various solutions. None of them work: many are
dependent on an available chef server to hold encrypted data, unlocked by a
local key, and I’m using chef-solo extensively, not a
chef-server/chef-client setup. Also, frankly, many cookbooks such as the
"nagios" and “mysql” and “users” cookbooks have no structure in place for
managing encrypted data that must be stored on individual nodes in locally
unencrypted format, such as MySQL passwords, Nagios stored credentials for
remote service checks, or private SSH keys.

It’s possible to write individual customized wrapper cookbooks for each of
these, but it’s awkward and fragile to have to keep wrapping this material.
And if you use a git or other source control for such information, it means
that anyone who has access to that repository has the relevant passwords or
private keys unless you ignore the built-in tools and write your own
wrappers or updates to fix this. This is especially true for SSH private
keys for individual accounts in the “users” cookbook, and for initial
"root" access for MySQL, Postgresql, and other databases.

Nico Kadel-Garcia
Lead DevOps Engineer
nkadel@skyhookwireless.com

-----Original Message-----
From: Noah Kantrowitz [mailto:noah@coderanger.net]
Sent: Thursday, December 18, 2014 10:48 PM
To: chef@lists.opscode.com
Subject: [chef] Re: Using chef solo to aws distribute keys

On Dec 18, 2014, at 3:24 PM, Nico Kadel-Garcia
nkadel@skyhookwireless.com wrote:

I was referring more to MySQL database password. This especially
applies to
MySQL modules in various web servers and backup systems for databases:
these
tend to rely on passwords stored locally in clear text, but I certainly
don’t want
them in my role or environment attributes in clear text.

I’ve done this with actual chef servers, but am only learning
’chef-solo’ now.
I’d welcome a walkthrough or insights.

https://coderanger.net/chef-secrets/ goes over your options.

–Noah