class Chef::SecretFetcher

Chef::SecretFetcher::AWSSecretsManager

A fetcher that fetches a secret from AWS Secrets Manager. In this initial iteration it defaults to authentication via instance profile. It is possible to pass options that configure it to use alternative credentials. This implementation supports fetching with version.

@note ':region' is required configuration. If it is not explicitly provided, and it is not available via global AWS config, we will pull it from node ohai data by default. If this isn't correct, you will need to explicitly override it. If it is not available via ohai data either (such as if you have the AWS plugin disabled) then the converge will fail with an error.

@note: This does not yet support automatic retries, which the AWS client does by default.

For configuration options see docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/SecretsManager/Client.html#initialize-instance_method

Usage Example:

# for_service takes (service, config, run_context); :region is resolved from
# global AWS config or ohai data when it is not given in config
fetcher = SecretFetcher.for_service(:aws_secrets_manager, {}, run_context)
fetcher.fetch("secretkey1", "v1")

Chef::SecretFetcher

An abstract base class that defines the methods required to implement a Secret Fetcher.

Chef::SecretFetcher::Example

A simple implementation of a secrets fetcher. It expects to be initialized with a hash of keys and secret values.

Usage Example:

fetcher = SecretFetcher.for_service(:example, { "secretkey1" => { "secret" => "lives here" } }, run_context)
fetcher.fetch("secretkey1")

Constants

AKEYLESS_VAULT_PROXY_ADDR

Chef::SecretFetcher::AKeylessVault

A fetcher that fetches a secret from AKeyless Vault. The initial implementation is based on HashiVault, because AKeyless provides a compatibility layer that makes this possible. Future revisions will use native AKeyless authentication.

Required config:
:access_id - the access id of the API key
:access_key - the access key of the API key

@example

fetcher = SecretFetcher.for_service(:akeyless_vault, { access_id: "my-access-id", access_key: "my-access-key" }, run_context)
fetcher.fetch("/secret/data/secretkey1")

SECRET_FETCHERS
SUPPORTED_AUTH_TYPES

Chef::SecretFetcher::HashiVault

A fetcher that fetches a secret from Hashi Vault.

Does not yet support fetching with version when a versioned key store is in use. In this initial iteration the only supported authentication is IAM role-based.

Required config:
:auth_method - one of :iam_role, :token. default: :iam_role
:vault_addr - the address of a running Vault instance, eg vault.example.com:8200

For `:token` auth: `:token` - a Vault token valid for authentication.

For `:iam_role`: `:role_name` - the name of the role in Vault that was created to support authentication via IAM. See the Vault documentation for details [1]. A Terraform example is also available [2].

[1] www.vaultproject.io/docs/auth/aws#recommended-vault-iam-policy
[2] registry.terraform.io/modules/hashicorp/vault/aws/latest/examples/vault-iam-auth

an IAM principal ARN bound to it.

Optional config:
:namespace - the namespace under which secrets are kept. Only supported with Vault Enterprise.

@example

fetcher = SecretFetcher.for_service(:hashi_vault, { role_name: "testing-role", vault_addr: "localhost:8200" }, run_context)
fetcher.fetch("secretkey1")

@example

fetcher = SecretFetcher.for_service(:hashi_vault, { auth_method: :token, token: "s.1234abcdef", vault_addr: "localhost:8200" }, run_context)
fetcher.fetch("secretkey1")
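The HashiVault fetcher is validated by for_service before it is used, so a bad config fails the converge early instead of at the first fetch. The validator below is an added example of what such a validate! step has to check for the config keys documented above; it is not Chef's own hashi_vault.rb code, and HashiVaultConfigError, validate_hashi_vault_config and the contents of SUPPORTED_AUTH_TYPES are assumptions. It also makes sure the error message never echoes the :token value.

```ruby
require "uri"

# Assumed to match the two auth methods documented above; the real
# Chef::SecretFetcher::SUPPORTED_AUTH_TYPES contents are not shown on this page.
SUPPORTED_AUTH_TYPES = %i{iam_role token}.freeze

# Hypothetical error class standing in for Chef::Exceptions::Secret::ConfigurationInvalid.
class HashiVaultConfigError < StandardError; end

# Returns a normalised copy of the config (symbol keys, :auth_method defaulted
# to :iam_role) or raises HashiVaultConfigError listing every problem at once.
# Secret material (the :token value) is never included in the message.
def validate_hashi_vault_config(config)
  cfg = (config || {}).transform_keys(&:to_sym)
  cfg[:auth_method] = (cfg[:auth_method] || :iam_role).to_sym
  errors = []

  addr = cfg[:vault_addr].to_s
  if addr.empty?
    errors << "missing required config :vault_addr (eg vault.example.com:8200)"
  else
    begin
      # Accept "host:port" or a full URL; URI.parse needs a scheme to find the host.
      uri = URI.parse(addr.include?("://") ? addr : "https://#{addr}")
      errors << ":vault_addr must name a host" if uri.host.nil? || uri.host.empty?
    rescue URI::InvalidURIError
      errors << ":vault_addr is not a valid address"
    end
  end

  case cfg[:auth_method]
  when :token
    errors << ":token is required when :auth_method is :token" if cfg[:token].to_s.empty?
  when :iam_role
    errors << ":role_name is required when :auth_method is :iam_role" if cfg[:role_name].to_s.empty?
  else
    errors << "unsupported :auth_method #{cfg[:auth_method].inspect}; must be one of #{SUPPORTED_AUTH_TYPES.inspect}"
  end

  raise HashiVaultConfigError, errors.join("; ") unless errors.empty?
  cfg
end
```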

Public Class Methods

for_service(service, config, run_context)

Returns a configured and validated instance of a [Chef::SecretFetcher::Base] for the given service and configuration.

@param service [Symbol] the identifier for the service that will support this request. Must be in SECRET_FETCHERS
@param config [Hash] configuration that the secrets service requires
@param run_context [Chef::RunContext] the run context this is being invoked from

# File lib/chef/secret_fetcher.rb, line 34
def self.for_service(service, config, run_context)
  fetcher = case service
            when :example
              require_relative "secret_fetcher/example"
              Chef::SecretFetcher::Example.new(config, run_context)
            when :aws_secrets_manager
              require_relative "secret_fetcher/aws_secrets_manager"
              Chef::SecretFetcher::AWSSecretsManager.new(config, run_context)
            when :azure_key_vault
              require_relative "secret_fetcher/azure_key_vault"
              Chef::SecretFetcher::AzureKeyVault.new(config, run_context)
            when :hashi_vault
              require_relative "secret_fetcher/hashi_vault"
              Chef::SecretFetcher::HashiVault.new(config, run_context)
            when :akeyless_vault
              require_relative "secret_fetcher/akeyless_vault"
              Chef::SecretFetcher::AKeylessVault.new(config, run_context)
            when nil, ""
              raise Chef::Exceptions::Secret::MissingFetcher.new(SECRET_FETCHERS)
            else
              raise Chef::Exceptions::Secret::InvalidFetcherService.new("Unsupported secret service: '#{service}'", SECRET_FETCHERS)
            end
  fetcher.validate!
  fetcher
end