class Chef::SecretFetcher::HashiVault

Public Instance Methods

do_fetch(identifier, _version)

@param identifier [String] Identifier of the secret to be fetched, which should be the full path of that secret, e.g. 'secret/example'
@param _version [String] not used in this implementation
@return [Hash] containing the key/value pairs stored at the location given in 'identifier'

# File lib/chef/secret_fetcher/hashi_vault.rb, line 91
# Read the secret stored at +identifier+ from the Vault server configured by validate!.
#
# @param identifier [String] full path of the secret, e.g. 'secret/example'
# @param _version [String] ignored by this fetcher
# @return [Hash] the key/value data stored at +identifier+; this is plaintext secret material
# @raise [Chef::Exceptions::Secret::FetchFailed] when Vault returns nothing for that path
#   (typically no secrets engine is mounted there)
def do_fetch(identifier, _version)
  secret = Vault.logical.read(identifier)
  if secret.nil?
    raise Chef::Exceptions::Secret::FetchFailed,
      "No secret found at #{identifier}. Check to ensure that there is a secrets engine configured for that path"
  end

  secret.data
end
validate!()

Validate the configuration and authenticate the current Vault session using the configured auth strategy and parameters.

# File lib/chef/secret_fetcher/hashi_vault.rb, line 61
# Validate the Vault configuration and authenticate the client session
# using the configured auth strategy and parameters.
#
# Settings read from +config+:
# - :vault_addr (required) — address of the Vault server
# - :namespace (optional) — Vault namespace, applied only when present
# - :auth_method — :token (requires :token) or :iam_role (requires :role_name);
#   a nil :auth_method is treated as :iam_role
#
# NOTE(review): no TLS/verification settings are applied here, so the Vault
# client's defaults govern the connection — confirm that is intended.
#
# @raise [Chef::Exceptions::Secret::ConfigurationInvalid] when a required
#   setting is missing or :auth_method is not one of SUPPORTED_AUTH_TYPES
def validate!
  address = config[:vault_addr]
  raise Chef::Exceptions::Secret::ConfigurationInvalid, "You must provide the Vault address in the configuration as :vault_addr" if address.nil?

  Vault.address = address
  namespace = config[:namespace]
  Vault.namespace = namespace unless namespace.nil?

  auth_method = config[:auth_method]
  case auth_method
  when :token
    token = config[:token]
    raise Chef::Exceptions::Secret::ConfigurationInvalid, "You must provide the token in the configuration as :token" if token.nil?

    Vault.auth.token(token)
  when :iam_role, nil
    role_name = config[:role_name]
    raise Chef::Exceptions::Secret::ConfigurationInvalid, "You must provide the authenticating Vault role name in the configuration as :role_name" if role_name.nil?

    # Credentials come from the host's AWS instance profile; no key material is read from config.
    Vault.auth.aws_iam(role_name, Aws::InstanceProfileCredentials.new)
  else
    raise Chef::Exceptions::Secret::ConfigurationInvalid, "Invalid :auth_method provided.  You gave #{auth_method}, expected one of :#{SUPPORTED_AUTH_TYPES.join(", :")} "
  end
end