Storing passwords in Chef?

deployment configuration chef-infra
erikcw picture erikcw · Dec 12, 2010 · Viewed 13.1k times · Source

What is the best practice for storing password and API keys with Chef? It's really tempting to store database passwords, AWS api keys, and other sensitive credentials as Chef Server Attributes for use in recipes -- but what about security considerations? What's the best practice for this?

Answer

jtimberman picture jtimberman · Jan 19, 2011

From the #chef IRC channel, many people store this kind of data in a data bag on the chef server.

For example, a data bag might be 'aws', with an item 'main', referring to the primary AWS account. Separate keys in the item would be for each particular value. E.g.:

{
  "id": "main",
  "aws_secret_key": "The secret access key",
  "aws_access_key": "The access key"
}

You may also be interested in encrypted data bags. I wrote about them in more detail for managing postfix SASL authentication.

Update: I've written blog posts about Chef Vault on my blog and sysadvent.

Related questions

How do I use rpm to update/replace existing files?

I have several applications that I wish to deploy using rpm. Some of the files in my application deployments override files from other deployed packages. Simply including the new files in the deployment package will cause rpm conflicts. I am …

Read More
Creating module in jBoss AS

I’m using jBoss AS 7 to publish my various projects, and all of them use the Jersey API, so instead of deploying it in every project I wanted to create a module for it. For that, I created the folder …

Read More
supervisor.conf default location

Im trying to make automatic deployment including supervisord and confused by default settings path. Every deployment scheme I found use /etc/supervisor/supervisor.conf and /etc/supervisor/conf.d/ without any presettings and links, also, after installing supervisor package via …

Read More