2

I want to use the postfix cookbook for Chef. The SASL password is expected to be in an attribute. So usually you would do this:

"default_attributes": {
  "postfix": {
    "sasl": {
      "smtp_sasl_passwd": "somepassword"
    }
  }
}

The thing is: I don't want to have the password in the repository in plain text. So I put it in an encrypted data bag. Now I want to access it. This can be done with this:

Chef::EncryptedDataBagItem.load("passwords", "postfix")['password']

The problem: This only works in a .rb file, but my role is in JSON; all my roles are in JSON! I don't want to change that just for this purpose. Does anybody have an idea what to do here? Help is much appreciated.

jcvj

1 Answer

0

Converting your roles to the Ruby DSL would not help here - they are converted to JSON before being uploaded to the Chef server, and it is the JSON version that is loaded by chef-client. The same is true of environments.

In other words, there's no way to load a databag (encrypted or otherwise) from a role or environment. You'll need to put that kind of logic into a cookbook recipe.

zts
  • Thanks for responding. Figured that out myself in the meantime and wrote a wrapper cookbook, that works well! – jcvj Jun 04 '14 at 06:30
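
A wrapper-cookbook recipe of the kind the answer and the comment describe, as an added example that is not code from either poster or from the postfix cookbook. The cookbook name `my_postfix`, the helper `apply_sasl_password` and the `defined?` guard (which lets the file load outside chef-client) are assumptions; the data bag name, item name, key and attribute path are the ones from the question.

```ruby
# recipes/default.rb of a hypothetical wrapper cookbook "my_postfix".
# Its metadata.rb would declare: depends 'postfix'

# Copy the decrypted secret into the attribute path the postfix cookbook
# reads. `attrs` is any auto-vivifying nested hash (node.default in a run).
# Fails loudly instead of letting postfix be configured with an empty password.
def apply_sasl_password(attrs, item)
  password = item['password']
  if password.nil? || password.to_s.empty?
    raise ArgumentError, "data bag item has no usable 'password' key"
  end
  attrs['postfix']['sasl']['smtp_sasl_passwd'] = password
  attrs
end

# Only true inside a chef-client run, where the recipe DSL provides `node`.
if defined?(Chef::EncryptedDataBagItem) && respond_to?(:node, true)
  # Decrypts with the secret configured for the client (by default the
  # encrypted_data_bag_secret file on the node).
  item = Chef::EncryptedDataBagItem.load('passwords', 'postfix')

  # Note: node.default values are saved with the node object on the Chef
  # server at the end of the run, so the decrypted value is visible to
  # anyone who can read that node.
  apply_sasl_password(node.default, item)

  # Run the upstream cookbook with the attribute now in place.
  include_recipe 'postfix'
end
```

The JSON role then lists `recipe[my_postfix]` in its run list in place of `recipe[postfix]` and no longer carries `smtp_sasl_passwd`.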