0

In one of my Chef recipes, I am using encrypted data bags to hide the download path for a remote file resource that I have defined. However, when converging on a node, if the download fails for whatever reason, then I can see all my secrets in the log.

Since I'm planning to deploy this on a CI server, I really don't want to have it displayed.

Is there any way to keep the data encrypted even on error?

  • Question doesn't make a lot of sense. You're trying to hide the download URL in a databag and you don't want this URL to appear in the log when it fails?... Begs the question how does one troubleshoot a failed download if one can't see the URL? To minimize information leakage I suggest you ensure the logs are only readable by root and set logging to ERROR or WARN levels. – Mark O'Connor Mar 01 '15 at 20:53

1 Answer

0

You can try setting the sensitive attribute on the resource. This suppresses a lot of log data for some resources. For example, template resources will not log their contents when the sensitive attribute is set to true. I doubt it will suppress the URL of a remote_file, but it's worth a shot.

Tejay Cardon
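A complementary check for the CI case, as an added example (not part of the original post and not Chef's own code): scan the captured converge log for the decrypted data bag values, so the job can be failed or the log withheld before it is published. The secret URL, the log lines, and the function names `secret_variants` and `find_leaks` are constructed for illustration.

```ruby
require 'uri'

# Forms in which a secret can appear in a log: verbatim, percent-encoded,
# and (for HTTP/HTTPS URLs) the path-plus-query part on its own.
def secret_variants(secret)
  variants = [secret, URI.encode_www_form_component(secret)]
  begin
    uri = URI.parse(secret)
    variants << uri.request_uri if uri.is_a?(URI::HTTP) && uri.request_uri != '/'
  rescue URI::InvalidURIError
    # Not a URL: the verbatim and encoded forms are enough.
  end
  variants.uniq.reject(&:empty?)
end

# Returns [[line_number, secret_name], ...] for each log line containing any
# variant of any secret. Secret values themselves are never returned.
def find_leaks(log_text, secrets)
  needles = secrets.flat_map { |name, value| secret_variants(value).map { |v| [name, v] } }
  hits = []
  log_text.each_line.with_index(1) do |line, number|
    needles.each { |name, needle| hits << [number, name] if line.include?(needle) }
  end
  hits.uniq
end

# Constructed sample data: a hypothetical decrypted data bag value and two
# hypothetical converge logs (not real Chef output).
SECRETS = {
  'download_url' => 'https://files.example.test/private/build.tar.gz?token=abc123'
}.freeze

LEAKY_LOG = <<~LOG
  [2015-03-01T20:40:01+00:00] INFO: Processing remote_file[/tmp/build.tar.gz]
  [2015-03-01T20:40:02+00:00] ERROR: GET /private/build.tar.gz?token=abc123 returned 404
  [2015-03-01T20:40:02+00:00] FATAL: could not fetch https://files.example.test/private/build.tar.gz?token=abc123
LOG

CLEAN_LOG = <<~LOG
  [2015-03-01T20:40:01+00:00] INFO: Processing remote_file[/tmp/build.tar.gz]
  [2015-03-01T20:40:02+00:00] ERROR: remote_file[/tmp/build.tar.gz] failed (output suppressed)
LOG

find_leaks(LEAKY_LOG, SECRETS).each { |number, name| puts "line #{number}: leaks #{name}" }
```

In a CI job, a non-empty result from `find_leaks` would be the signal to fail the step and keep the log out of the build artifacts.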