class Chef::SecretFetcher::HashiVault
# File lib/chef/secret_fetcher/hashi_vault.rb, line 125
# Read the secret stored at +identifier+ from the configured Vault server.
#
# @param identifier [String] full path of the secret, e.g. "secret/example"
# @param _version [String] accepted for interface compatibility; not used here
# @return [Hash] the key/value data Vault returned for that path
# @raise [Chef::Exceptions::Secret::FetchFailed] when Vault returns nothing for
#   the path (no secrets engine mounted there, or no secret at that key)
def do_fetch(identifier, _version)
  secret = Vault.logical.read(identifier)
  return secret.data unless secret.nil?

  raise Chef::Exceptions::Secret::FetchFailed, "No secret found at #{identifier}. Check to ensure that there is a secrets engine configured for that path"
end
@param identifier [String] Identifier of the secret to be fetched, which should be the full path of that secret, e.g. 'secret/example' @param _version [String] not used in this implementation @return [Hash] containing key/value pairs stored at the location given in 'identifier'
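# File lib/chef/secret_fetcher/hashi_vault.rb, line 76
# Validate the fetcher configuration and authenticate the Vault client session.
#
# Sets the module-level Vault.address (and Vault.namespace when configured),
# then authenticates according to config[:auth_method]:
#   :approle         -> AppRole login (see #authenticate_approle!)
#   :token           -> token login with config[:token]
#   :iam_role or nil -> AWS IAM login with the instance profile credentials;
#                       an unset :auth_method therefore means IAM auth
#
# @raise [Chef::Exceptions::Secret::ConfigurationInvalid] when a required
#   setting is missing or :auth_method is not one of SUPPORTED_AUTH_TYPES
def validate!
  if config[:vault_addr].nil?
    raise Chef::Exceptions::Secret::ConfigurationInvalid, "You must provide the Vault address in the configuration as :vault_addr"
  end

  # The vault gem holds connection settings in module-level state; they must be
  # in place before any of the auth calls below contact the server.
  Vault.address = config[:vault_addr]
  Vault.namespace = config[:namespace] unless config[:namespace].nil?

  case config[:auth_method]
  when :approle
    authenticate_approle!
  when :token
    authenticate_token!
  when :iam_role, nil
    authenticate_iam_role!
  else
    raise Chef::Exceptions::Secret::ConfigurationInvalid, "Invalid :auth_method provided. You gave #{config[:auth_method]}, expected one of :#{SUPPORTED_AUTH_TYPES.join(", :")} "
  end
end

# AppRole login. Needs either both :approle_id and :approle_secret_id, or an
# :approle_name (plus optionally :token) so the missing pieces can be looked up.
#
# @raise [Chef::Exceptions::Secret::ConfigurationInvalid] when neither an
#   :approle_name nor an :approle_id is configured, or when the id/secret pair
#   is incomplete and no :approle_name is available to fill it in
def authenticate_approle!
  unless config[:approle_name] || config[:approle_id]
    raise Chef::Exceptions::Secret::ConfigurationInvalid, "You must provide the :approle_name or :approle_id in the configuration with :auth_method set to :approle"
  end

  # When :approle_id and :approle_secret_id are both specified, all pieces are present which are needed to authenticate using an approle.
  # If either is missing, we need to authenticate to Vault to get the missing pieces with the :approle_name and optionally :token.
  unless config[:approle_id] && config[:approle_secret_id]
    if config[:approle_name].nil?
      raise Chef::Exceptions::Secret::ConfigurationInvalid, "You must provide the :approle_name in the configuration when :approle_id and :approle_secret_id are not both present with :auth_method set to :approle"
    end
    Vault.token = config[:token] unless config[:token].nil?
  end

  approle_id = config[:approle_id] || Vault.approle.role_id(config[:approle_name])
  # Without a configured :approle_secret_id this mints a new SecretID on every
  # call; the token in use must be allowed to do so, and each minted SecretID
  # counts against the role's SecretID limits on the Vault side.
  approle_secret_id = config[:approle_secret_id] || Vault.approle.create_secret_id(config[:approle_name]).data[:secret_id]
  Vault.auth.approle(approle_id, approle_secret_id)
end

# Token login with the configured :token.
#
# @raise [Chef::Exceptions::Secret::ConfigurationInvalid] when :token is missing
def authenticate_token!
  if config[:token].nil?
    raise Chef::Exceptions::Secret::ConfigurationInvalid, "You must provide the token in the configuration as :token"
  end
  Vault.auth.token(config[:token])
end

# AWS IAM login using the instance profile credentials of the host, against
# the Vault role named by :role_name. Vault.address is passed through as the
# third argument, so it must already be set.
#
# @raise [Chef::Exceptions::Secret::ConfigurationInvalid] when :role_name is missing
def authenticate_iam_role!
  if config[:role_name].nil?
    raise Chef::Exceptions::Secret::ConfigurationInvalid, "You must provide the authenticating Vault role name in the configuration as :role_name"
  end
  Vault.auth.aws_iam(config[:role_name], Aws::InstanceProfileCredentials.new, Vault.address)
end

private :authenticate_approle!, :authenticate_token!, :authenticate_iam_role!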
Validate and authenticate the current session using the configured auth strategy and parameters