This is a Chef library function to read secrets from Vault. The library currently supports the AppRole and the IAM auth methods.

`config` takes 1 input:

- `address`: the https URL of your Vault server.

`approle` takes 4 inputs:

- `approleid`: the AppRole ID that your Vault administrator assigns for your application.
- `appsecretid`: the secret ID, also generated by your Vault administrator. When you submit the `approleid` and the `appsecretid` to Vault, it returns the `client_token`, which the library then uses to authenticate with Vault and read secrets.
- `path`: the actual path of your secret in Vault. Ex: `secret/testapp/db`
- `secret_name`: the name of the key within that path whose value you need returned.

NOTE: It is recommended that you store `approleid` and `appsecretid` in a Chef data bag or make them available to the chef-client via an environment variable.

`IAM` takes 4 inputs:

- `vault_endpoint`: your Vault's IAM client endpoint.
- `vault_role`: a role assigned to your application, LDAP group or user within Vault.
- `path`: the actual path of your secret in Vault.
- `secret_name`: the name of the key within that path whose value you need returned.

Usage:

- Add a dependency in your metadata.rb like so:

      depends 'hashicorp-vault-lib'

- You can directly call the helper library definitions in your recipe like so. First configure the Vault library:

      VaultCookbook::Helper.config(address)

  Then call the helper for the auth method you use:

      VaultCookbook::Helper.approle(approleid, appsecretid, path, secret_name)
      VaultCookbook::Helper.IAM(vault_endpoint, vault_role, path, secret_name)

You could choose to pass all these parameters as attributes from your cookbook or fetch them from a data bag.
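The AppRole exchange described above (submit `approleid` and `appsecretid`, receive a `client_token`, read `secret_name` from `path`), as an added Ruby example that is not the cookbook's own code: it calls Vault's standard `auth/approle/login` and KV read endpoints, and the module name `ApproleExample`, the `HttpTransport` class and the injectable transport parameter are assumptions made for this illustration.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Added illustration of the AppRole exchange the library performs (not the
# cookbook's own code). Module, class and method names here are assumptions.
module ApproleExample
  # Real HTTPS transport; any object with the same post/get interface can be
  # injected instead, which is how the flow is exercised offline.
  class HttpTransport
    def post(url, body, headers = {})
      uri = URI(url)
      req = Net::HTTP::Post.new(uri, headers.merge('Content-Type' => 'application/json'))
      req.body = body.to_json
      Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |h| h.request(req).body }
    end

    def get(url, headers = {})
      uri = URI(url)
      req = Net::HTTP::Get.new(uri, headers)
      Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |h| h.request(req).body }
    end
  end

  # Submit approleid and appsecretid to auth/approle/login; return the client_token.
  def self.login(address, approleid, appsecretid, transport = HttpTransport.new)
    # Refuse plain http so the secret ID and the token never travel in the clear.
    raise ArgumentError, 'address must be an https URL' unless address.start_with?('https://')
    body = { 'role_id' => approleid, 'secret_id' => appsecretid }
    resp = JSON.parse(transport.post("#{address}/v1/auth/approle/login", body))
    token = resp.dig('auth', 'client_token')
    raise "AppRole login failed: #{resp['errors'].inspect}" if token.nil?
    token
  end

  # Read secret_name from path using the client_token. Handles both the KV v1
  # shape {"data": {...}} and the KV v2 shape {"data": {"data": {...}, "metadata": {...}}}.
  def self.read_secret(address, token, path, secret_name, transport = HttpTransport.new)
    resp = JSON.parse(transport.get("#{address}/v1/#{path}", 'X-Vault-Token' => token))
    data = resp['data'] || {}
    data = data['data'] if data['data'].is_a?(Hash) && data.key?('metadata')
    raise KeyError, "#{secret_name} not found at #{path}" unless data.key?(secret_name)
    data[secret_name]
  end
end
```

Calling `ApproleExample.login` and then `ApproleExample.read_secret` with the same four values the cookbook's `approle` helper takes returns the secret value.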