Etki

Reputation: 2144

Chef: working with sensitive attributes

I'm writing a cookbook that deals with private keys. In case of anything going wrong, Chef dumps the whole resource to the log to show the end user what has happened. However, this would print the private key to the log as well, and this is unacceptable. Is there any way to adopt sensitive resource functionality to prevent sensitive data logging?

Upvotes: 2

Views: 2168

Answers (1)

Etki

Reputation: 2144

It's always one Google query away:

As of Chef client 12.14, individual resource properties can be marked as sensitive: true, which suppresses the value of that property when exporting the resource’s state.

So to mark a specific property of a custom resource as sensitive, just add sensitive: true to the property definition:

resource_name :ssh_private_key
default_action :create

property :private_key, String, required: true, sensitive: true
                                               ^^^^^^^^^^^^^^^

After that, output will be suppressed for that property:

ssh_private_key("invalid_passphrase") do
    action [:create]
    default_guard_interpreter :default
    declared_type :ssh_private_key
    cookbook_name "ama-ssh-private-keys-integration"
    user "root"
    private_key "*sensitive value suppressed*"
    public_key "AAAAB3NzaC1yc2EAAAADAQABAAAAYQDCLY+8qnsrW/RrjDgz1b026hg9Lb78KV2c00sA4v6iSHVZoRKdnoIFr3dnWwV5Urt1U9fJJVy0fPLDWnAdYtI7U37k0GLpZhPS3ps/W9j1ZgslEQMQpvAD19yuJG/NXzk="
    passphrase "*sensitive value suppressed*"

Upvotes: 6
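
A way to verify the suppression described in the answer above, as an added example that is not part of the original answer or of Chef itself: a plain-Ruby audit of a captured resource dump. The helper names, the sample dumps and the assumption that each property is logged as one `name "value"` line (the shape shown in the answer) are constructed for illustration.

```ruby
# Added example: audit a Chef resource dump for secrets that were not suppressed.
SUPPRESSED = "*sensitive value suppressed*"
PEM_PRIVATE = /-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----/

# Parse indented `name "value"` lines of a resource dump into a hash.
def parse_resource_dump(text)
  text.each_line.with_object({}) do |line, props|
    m = line.match(/^\s+(\w+)\s+"(.*)"\s*$/)
    props[m[1]] = m[2] if m
  end
end

# Report sensitive properties printed in clear, plus any property whose
# value carries a PEM private key header regardless of its name.
def audit_dump(text, sensitive_props)
  props = parse_resource_dump(text)
  findings = []
  sensitive_props.each do |name|
    next unless props.key?(name)
    findings << "#{name}: not suppressed" unless props[name] == SUPPRESSED
  end
  props.each do |name, value|
    findings << "#{name}: contains PEM private key header" if value =~ PEM_PRIVATE
  end
  findings
end

# Constructed dump: both properties declared with sensitive: true.
GOOD_DUMP = <<~'LOG'
  ssh_private_key("invalid_passphrase") do
      action [:create]
      user "root"
      private_key "*sensitive value suppressed*"
      passphrase "*sensitive value suppressed*"
LOG

# Constructed dump: private_key declared without sensitive: true
# (placeholder text, not real key material).
BAD_DUMP = <<~'LOG'
  ssh_private_key("invalid_passphrase") do
      action [:create]
      user "root"
      private_key "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-NOT-A-KEY\n-----END RSA PRIVATE KEY-----"
      passphrase "*sensitive value suppressed*"
LOG

puts audit_dump(GOOD_DUMP, %w[private_key passphrase]).inspect
puts audit_dump(BAD_DUMP, %w[private_key passphrase]).inspect
```

Running such a check against failure logs from an integration test run catches a property that was added later without `sensitive: true`.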
