Using knife.rb attributes in a recipe

Hi,

Attributes stored in the knife.rb file (like the AWS Cloud
Credentials), on the chef workstation, can be used while bootstraping
a node.
Does anyone knows how to use knife.rb attributes in a recipe?
Is that even possible?

this whole thing came up while trying to find a way to make the
encrypted databag secret key available to the recipes using something
like chef::config properties (chef::config[‘knife’] actually, but I
couldn’t make it work), to avoid having to scp the key file or keeping
it on the chef client host (security considerations are not an issue,
just the technical challenge of whether or not this can be done ;).

Regards,
Osvaldo

Osvaldo,

Just a thought: It might be an antipattern to assume that the creds
you launch instances with will be the same as the ones you want on
your server for it to do things. IAM allows you to issue credentials
that are locked down to specific tasks (i.e., an EC2 instance might
not be allowed to create more EC2 instances), and you might want to
deploy those to your instances instead, or even deploy different ones
depending on the server's role.

We're storing our credentials in a data bag and propagating them that
way, so it will be easy to change them out should we have to.

Michael Della Bitta


Appinions
18 East 41st Street, 2nd Floor
New York, NY 10017-6271

Where Influence Isn’t a Game

On Thu, Oct 4, 2012 at 12:21 PM, O. T. Suarez otsuarez@gmail.com wrote:

Hi,

Attributes stored in the knife.rb file (like the AWS Cloud
Credentials), on the chef workstation, can be used while bootstraping
a node.
Does anyone knows how to use knife.rb attributes in a recipe?
Is that even possible?

this whole thing came up while trying to find a way to make the
encrypted databag secret key available to the recipes using something
like chef::config properties (chef::config['knife'] actually, but I
couldn't make it work), to avoid having to scp the key file or keeping
it on the chef client host (security considerations are not an issue,
just the technical challenge of whether or not this can be done ;).

Regards,
Osvaldo

Yo!

I'd like to suggest that you make use of the AWS Cloudformation and
IAM system(s) and a "host keys" implementation.

Using CloudFormation, IAM and some policy, you can have keys generated
for each machine at construction time with those keys having specific
access to resources defined in AWS (defined by CloudFormation)

We've been using this model for one of our clients with great success
-- we have one "awscredentials" cookbook that parses the file dropped
off by CloudFormation during stack creation. We have some tooling
around CloudFormation to build the JSON template from a Ruby DSL. I
hope to see this open sourced in the medium-term future.

Plus side: you get free key rotation when you smash/re-roll boxen.
This has proven to be more effective than manually managing key
rotation to long-running AWS infrastructure and is easily designed
around.

Cheers,

AJ

On 5 October 2012 05:28, Michael Della Bitta
michael.della.bitta@appinions.com wrote:

Osvaldo,

Just a thought: It might be an antipattern to assume that the creds
you launch instances with will be the same as the ones you want on
your server for it to do things. IAM allows you to issue credentials
that are locked down to specific tasks (i.e., an EC2 instance might
not be allowed to create more EC2 instances), and you might want to
deploy those to your instances instead, or even deploy different ones
depending on the server's role.

We're storing our credentials in a data bag and propagating them that
way, so it will be easy to change them out should we have to.

Michael Della Bitta


Appinions
18 East 41st Street, 2nd Floor
New York, NY 10017-6271

www.appinions.com

Where Influence Isn’t a Game

On Thu, Oct 4, 2012 at 12:21 PM, O. T. Suarez otsuarez@gmail.com wrote:

Hi,

Attributes stored in the knife.rb file (like the AWS Cloud
Credentials), on the chef workstation, can be used while bootstraping
a node.
Does anyone knows how to use knife.rb attributes in a recipe?
Is that even possible?

this whole thing came up while trying to find a way to make the
encrypted databag secret key available to the recipes using something
like chef::config properties (chef::config['knife'] actually, but I
couldn't make it work), to avoid having to scp the key file or keeping
it on the chef client host (security considerations are not an issue,
just the technical challenge of whether or not this can be done ;).

Regards,
Osvaldo