Reputation: 2144
Chef: working with sensitive attributes
I'm writing a cookbook that deals with private keys. In case of anything going wrong, Chef dumps the whole resource to log to show end user what has happened. However, this would print private key to log as well, and this is unacceptable. Is there any way to adopt sensitive resource functionality to prevent sensitive data logging?
Upvotes: 2
Views: 2168
Answers (1)
Reputation: 2144
It's always one google query away:
As of Chef client 12.14, individual resource properties can be marked as sensitive: true, which suppresses the value of that property when exporting the resource’s state.
So to mark specific property of custom resource as sensitive, just add sensitive: true to property definition:
resource_name :ssh_private_key
default_action :create
property :private_key, String, required: true, sensitive: true
^^^^^^^^^^^^^^^
After that output will be suppressed for that property:
ssh_private_key("invalid_passphrase") do
action [:create]
default_guard_interpreter :default
declared_type :ssh_private_key
cookbook_name "ama-ssh-private-keys-integration"
user "root"
private_key "*sensitive value suppressed*"
public_key "AAAAB3NzaC1yc2EAAAADAQABAAAAYQDCLY+8qnsrW/RrjDgz1b026hg9Lb78KV2c00sA4v6iSHVZoRKdnoIFr3dnWwV5Urt1U9fJJVy0fPLDWnAdYtI7U37k0GLpZhPS3ps/W9j1ZgslEQMQpvAD19yuJG/NXzk="
passphrase "*sensitive value suppressed*"
Upvotes: 6
Related Questions
- Chef node attributes
- Chef Attributes Structure
- Automatic attribute for chef environment
- chef attributes value not getting parsed in another attribute
- Using attributes in Chef
- Chef: use attributes created dynamically
- Best Practice for setting unique Chef Node Attributes
- Chef custom attributes
- Passing and updating chef node attributes
- Overriding Chef default attributes and dependant attributes