Chef Infra Language: Secrets

The Secrets Management Integration helper is a beta feature starting in Chef Infra Client 17.5 and became a fully supported feature in Chef Infra Client 18. This helper allows you to access secrets from the following secrets management systems within your Infra recipes or resources:

  • AWS Secrets Manager
  • Akeyless Vault
  • Azure Key Vault
  • HashiCorp Vault

Syntax

Use the following syntax to fetch secrets:

secret(name: '<SECRET_NAME>', version: '<VERSION>', service: <SERVICE>, config: {key: value})

Replace the following:

<SECRET_NAME>
The identifier or name for this secret.
<VERSION>
The secret version. If a service supports versions and you don’t provide a version, the Secrets Management Integration helper fetches the latest version.

Secret versions are supported with:

  • AWS Secrets Manager
  • Azure Key Vault
<SERVICE>
The secret manager.

Allowed values:

  • :akeyless_vault
  • :aws_secrets_manager
  • :azure_key_vault
  • :hashi_vault
config
Use config to set key/value settings passed to a secrets manager. For example, to set the AWS region that a secret is stored in with AWS Secrets Manager, add config: {region: 'us-west-2'}.

Set defaults

You can set a default service and service configuration and then the Secrets Management Integration helper will use those settings every time you request a secret. This is useful if you want to request more than one secret from the same service.

Use the default_secret_service and default_secret_config to define a default service and service configuration:

default_secret_service(<SERVICE>)
default_secret_config(key: "value")

value1 = secret(name: "<SECRET_NAME_1>")
value2 = secret(name: "<SECRET_NAME_2>")
value3 = secret(name: "<SECRET_NAME_3>")

Or wrap your secret definitions using with_secret_service and with_secret_config:

with_secret_service(<SERVICE>) do
  with_secret_config(key: "value") do
    value1 = secret(name: "<SECRET_NAME_1>")
    value2 = secret(name: "<SECRET_NAME_2>")
    value3 = secret(name: "<SECRET_NAME_3>")
  end
end

Define a default secret service and then fetch secrets with different configs:

default_secret_service(<SERVICE>)

with_secret_config(key: "<VALUE>") do
  secret_1 = secret(name: "<SECRET_NAME_1>")
  secret_2 = secret(name: "<SECRET_NAME_2>")
end

with_secret_config(key: "<OTHER_VALUE>") do
  secret_3 = secret(name: "<SECRET_NAME_3>")
  secret_4 = secret(name: "<SECRET_NAME_4>")
end
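The scoping rules above (a default service and config, block-scoped overrides, and "latest version if none is given") are easy to get wrong when several secrets come from different services. The following stand-alone Ruby model is an added example, not Chef's implementation and not code from this page: it uses a constructed in-memory store instead of a real backend, and it assumes (a modelling choice the page does not state) that configs layer, so default_secret_config is merged with each enclosing with_secret_config and then with secret(config:), inner values winning.

```ruby
# Added example (not Chef's code): a stand-alone model of how the
# default_secret_* and with_secret_* helpers decide which service and config
# a secret() call uses. The store below is constructed sample data.
module SecretsModel
  # service -> name -> ordered [version, value] pairs; the last entry is the latest.
  STORE = {
    aws_secrets_manager: {
      'db_password' => [['1', 'old-pw'], ['2', 'new-pw']],
    },
    azure_key_vault: {
      'prod-kv/api_key' => [['v1', 'key-v1'], ['v2', 'key-v2']],
    },
    hashi_vault: {
      'secret/app/token' => [[nil, 'hv-token']], # a service without versions
    },
  }.freeze

  @default_service = nil
  @default_config  = {}
  @service_stack   = []
  @config_stack    = []

  class << self
    def default_secret_service(service)
      @default_service = service
    end

    def default_secret_config(config)
      @default_config = config
    end

    # Block-scoped overrides; `ensure` pops the stack even if the block raises,
    # so a failure inside one block cannot leak its service into the next.
    def with_secret_service(service)
      @service_stack.push(service)
      yield
    ensure
      @service_stack.pop
    end

    def with_secret_config(config)
      @config_stack.push(config)
      yield
    ensure
      @config_stack.pop
    end

    # Resolve the service, merged config, version and value a request would use.
    def resolve(name:, version: nil, service: nil, config: nil)
      svc = service || @service_stack.last || @default_service
      raise ArgumentError, "no secret service given for #{name}" unless svc

      # Assumption: layered merge, innermost config wins.
      cfg = [@default_config, *@config_stack, config || {}].reduce({}) { |acc, c| acc.merge(c) }

      entries = STORE.fetch(svc).fetch(name) { raise KeyError, "#{svc} has no secret #{name}" }
      # An explicit version must exist; with no version, fall back to the latest entry.
      pair = version ? entries.find { |v, _| v == version } : entries.last
      raise KeyError, "#{name} has no version #{version}" unless pair

      { service: svc, config: cfg, version: pair[0], value: pair[1] }
    end

    # Same contract as the helper on the page: returns the secret as a String.
    def secret(**kwargs)
      resolve(**kwargs)[:value]
    end

    def reset!
      @default_service = nil
      @default_config  = {}
      @service_stack.clear
      @config_stack.clear
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  SecretsModel.default_secret_service(:aws_secrets_manager)
  SecretsModel.default_secret_config(region: 'us-west-2')
  puts SecretsModel.secret(name: 'db_password')               # latest version
  puts SecretsModel.secret(name: 'db_password', version: '1') # pinned version
  SecretsModel.with_secret_service(:hashi_vault) do
    SecretsModel.with_secret_config(vault_addr: 'vault.example.com') do
      puts SecretsModel.secret(name: 'secret/app/token')
    end
  end
end
```

Calling `resolve` rather than `secret` is a useful way to check, before any real backend is involved, which service and config a nested block would actually send a request to; the `ensure` clauses are what make a failed lookup in one block harmless to the blocks that follow it.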

Examples

Akeyless Vault

Fetch secrets from Akeyless Vault using the access key and access ID:

secret(name: '<SECRET_NAME>',
       service: :akeyless_vault,
       config: {
         access_key: '<ACCESS_KEY>',
         access_id: '<ACCESS_ID>'
       })

AWS Secrets Manager

Fetch a secret from AWS Secrets Manager:

secret(name: '<SECRET_NAME>', service: :aws_secrets_manager)

Specify an AWS region:

secret(name: '<SECRET_NAME>', service: :aws_secrets_manager, config: { region: '<AWS_REGION>' })

Azure Key Vault

Fetch secrets from Azure Key Vault:

secret(name: '<VAULT_NAME/SECRET_NAME>', service: :azure_key_vault)

Specify the vault name in the config:

secret(name: '<SECRET_NAME>', service: :azure_key_vault, config: { vault: '<VAULT_NAME>' })

Fetch a specific version of an Azure Key Vault secret:

secret(name: '<VAULT_NAME/SECRET_NAME>', version: 'v1', service: :azure_key_vault)

HashiCorp Vault

Fetch secrets from HashiCorp Vault using AWS IAM:

secret(name: '<PATH/TO/SECRET>',
      service: :hashi_vault,
      config: {
        vault_addr: 'vault.example.com',
        role_name: '<ROLE>'
      })

Fetch secrets from HashiCorp Vault using tokens:

secret(name: '<PATH/TO/SECRET>',
      service: :hashi_vault,
      config: {
        vault_addr: 'vault.example.com',
        auth_method: :token,
        token: '<TOKEN_STRING>'
      })

Fetch secrets from HashiCorp Vault using AppRole ID and an associated AppRole Secret ID:

secret(name: '<PATH/TO/SECRET>',
      service: :hashi_vault,
      config: {
        vault_addr: 'vault.example.com',
        auth_method: :approle,
        approle_id: "<APPROLE_ID_STRING>",
        approle_secret_id: "<APPROLE_SECRET_ID_STRING>"
      })

Fetch secrets using a token and an AppRole name; this creates a Secret ID associated with that AppRole:

secret(name: '<PATH/TO/SECRET>',
      service: :hashi_vault,
      config: {
        vault_addr: 'vault.example.com',
        auth_method: :approle,
        approle_name: "<APPROLE_NAME>",
        token: '<TOKEN_STRING>'
      })

Fetch secrets in cookbooks

The secrets helper returns a text string, so you can use it anywhere in Chef Infra where you might otherwise hard-code a value or read one from a data bag.

Write a secret to a file:

file '/home/ubuntu/aws-secret' do
  content secret(name: '<SECRET_NAME>', service: :aws_secrets_manager)
end

Pass a secret to a template:

template '/etc/my_fancy_service/my_fancy_service.conf' do
  source 'config.erb'
  variables(
    db_token: secret(name: 'db_token', service: :aws_secrets_manager)
  )
end
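When the secret ends up in a file, the file's permissions and the run's log output are where it leaks. The following plain-Ruby block is an added example, not Chef's code and not from this page: it shows the two pieces of care the `file` example above leaves implicit, writing the file so that it is never readable by other users (even for an instant, and even if a more permissive file already exists at that path) and redacting the secret from anything that gets logged. `SecretFile`, `write_secret_file` and `redact` are names invented for this example.

```ruby
# Added example (not Chef's code): writing a secret to disk with restrictive
# permissions and keeping it out of log lines.
require 'tempfile'

module SecretFile
  # Write +content+ to +path+ with mode 0600 and return the resulting mode bits.
  # The data first goes to a temp file in the same directory (Tempfile creates
  # it 0600), then is renamed over +path+, so a pre-existing world-readable file
  # is replaced atomically rather than truncated and rewritten in place with
  # its old permissions.
  def self.write_secret_file(path, content)
    dir = File.dirname(path)
    tmp = Tempfile.new(File.basename(path), dir)
    begin
      tmp.write(content)
      tmp.flush
      tmp.fsync
      File.chmod(0o600, tmp.path)   # explicit, independent of umask or defaults
      File.rename(tmp.path, path)
    ensure
      tmp.close!                    # removes the temp file if the rename did not happen
    end
    File.stat(path).mode & 0o777
  end

  # What a log line should carry instead of the secret itself: a fixed marker
  # plus a length hint, which is enough to debug "empty secret" problems
  # without exposing the value.
  def self.redact(line, secret)
    return line if secret.nil? || secret.empty?
    line.gsub(secret, "<redacted #{secret.length} chars>")
  end
end

if __FILE__ == $PROGRAM_NAME
  require 'tmpdir'
  Dir.mktmpdir do |d|
    path = File.join(d, 'aws-secret')
    mode = SecretFile.write_secret_file(path, 'constructed-sample-secret')
    puts format('%s written with mode %04o', path, mode)
    puts SecretFile.redact("content=constructed-sample-secret", 'constructed-sample-secret')
  end
end
```

In a cookbook the equivalent controls live on the resource itself: set `mode '0600'` (and `owner`) on the `file` or `template` resource so the written file is not world-readable, and set `sensitive true` so Chef Infra Client does not print the resource's content or diff in its log output.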