Validatorless + Unattended = not supported?

Is it possible to use a USER.PEM when performing an unattended install?


Starting with chef-client version 12.1, it is possible to bootstrap a
node using the USER.pem file instead of the ORGANIZATION-validator.pem
file. This is known as a “validatorless bootstrap”.

Within the Chef Server UI, the build_user has been added to a group which can create nodes.

$ cat client.rb
node_name "chef-test-node"
chef_server_url ""
validation_client_name "build_user"
validation_key "/home/build_user/.chef/build_user.pem"
ssl_ca_file "/etc/pki/tls/certs/ca-bundle.crt"
log_level :warn
cache_path "/home/build_user/.chef"
client_key "/home/build_user/.chef/client.pem"

I receive 403 “Forbidden” errors with the USER.PEM.

$ /bin/chef-client -c /home/build_user/.chef/client.rb
Starting Chef Client, version 12.14.89
Creating a new client identity for chef-test-node using the validator key.

Chef encountered an error attempting to create the client "chef-test-node"

Authorization Error:
Your validation client is not authorized to create the client for this node (HTTP 403).

Possible Causes:
* There may already be a client named "chef-test-node"
* Your validation client (build_user) may have misconfigured authorization permissions.


Running handlers:
[2016-11-04T15:45:03+00:00] ERROR: Running exception handlers
Running handlers complete
[2016-11-04T15:45:03+00:00] ERROR: Exception handlers complete
Chef Client failed. 0 resources updated in 02 seconds
[2016-11-04T15:45:03+00:00] FATAL: Stacktrace dumped to /home/build_user/.chef/cache/chef-stacktrace.out
[2016-11-04T15:45:03+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2016-11-04T15:45:03+00:00] ERROR: 403 "Forbidden"
[2016-11-04T15:45:03+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

You should use the validator for unattended installs, it is designed exactly for this use case and has the bare minimum of permissions needed to bootstrap a node. If you’re having issues with multiple people sharing the validator key and reseting it, you can either come up with a meatspace solution for that, or use the multi-key functionality (knife client key create and etc.) to have multiple keys for the same validator.

The validatorless bootstrap is designed for a human using knife to bootstrap nodes via the cloud plugins or whatever. The default permissions require the account to be an admin on the given org. It’s best to avoid baking an admin key into your images.

Thank you for the clarification.