Chef recipe to get secret from Azure key vault

Venkata Chitturi
DevOps Process and Tools
Nov 30, 2018

Below is a simple Chef recipe that retrieves a secret stored in Azure Key Vault into a variable at convergence time, so it can be used later in the same chef-client run.

# retrieve the secret stored in azure key vault using this chef recipe
include_recipe 'microsoft_azure'

# Service principal (SPN) credentials live in the 'azurespn' data bag, one item
# per environment; the Chef environment of this node selects the entry.
azurespn = data_bag_item('azurespn', 'azurespnenv')
node.default['azurespn']['client_id'] = azurespn[node.environment]['client_id']
node.default['azurespn']['tenant_id'] = azurespn[node.environment]['tenant_id']

# The client secret is deliberately not copied into node attributes: node
# attributes are saved back to the Chef server at the end of the run.
spn = {
  'tenant_id' => node['azurespn']['tenant_id'],
  'client_id' => node['azurespn']['client_id'],
  'secret'    => azurespn[node.environment]['client_secret']
}

# vault_secret is the helper method from the microsoft_azure cookbook
secret = vault_secret(node['windowsnode']['vault_name'], node['windowsnode']['secret'], spn)

file 'c:/jenkins/secret' do
  action :create
  content secret
  sensitive true   # keeps the secret out of chef-client diff/log output
  rights :full_control, 'Administrators', :one_level_deep => true
end

# Log that the fetch happened, never the value itself
Chef::Log.info("retrieved secret '#{node['windowsnode']['secret']}' from vault '#{node['windowsnode']['vault_name']}'")

Explanation: The Azure SPN credentials are stored in the azurespn data bag. The recipe builds an spn hash from them and passes it to the vault_secret helper method from the microsoft_azure cookbook (pulled in by the include_recipe statement), then writes the value returned from Key Vault to a secret file in the c:/jenkins directory. This particular version targets a Windows node (hence the rights attribute); the Linux equivalent is straightforward with mode/owner/group instead. Two practical cautions: a plain data bag is readable by any client with access to the Chef server, so keep the SPN credentials in an encrypted data bag or chef-vault item rather than clear text; and do not write the client_secret into node.default or print the retrieved secret with Chef::Log, since node attributes are persisted to the Chef server and log lines end up in chef-client logs and log shippers. Marking the file resource sensitive true keeps the secret out of the resource diff output as well.
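To make clear what vault_secret does on the wire, here is a small stand-alone Ruby reader for a Key Vault secret, added as an illustration and not the microsoft_azure cookbook's own code. It performs the same two steps the helper has to: an OAuth2 client-credentials request to Azure AD for a token scoped to Key Vault, then an authenticated GET of the secret's current version. The HTTP transport is injectable, and the FAKE_TRANSPORT at the bottom, together with the tenant, client, vault and secret names it answers for, is constructed here so the example runs offline; everything else (endpoints, scope, api-version, JSON fields) matches the public Azure API.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Minimal Azure Key Vault secret reader using the OAuth2 client-credentials flow.
# Added example; not the microsoft_azure cookbook's implementation.
module KeyVaultReader
  TOKEN_HOST  = 'login.microsoftonline.com'
  KV_SCOPE    = 'https://vault.azure.net/.default'
  API_VERSION = '7.4'

  # Default transport: real HTTPS. Returns [status_code, body_string].
  # Tests pass a lambda with the same signature so nothing leaves the host.
  def self.https_transport
    lambda do |method, uri, headers, form|
      req = method == :post ? Net::HTTP::Post.new(uri) : Net::HTTP::Get.new(uri)
      headers.each { |k, v| req[k] = v }
      req.set_form_data(form) if form
      res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |h| h.request(req) }
      [res.code.to_i, res.body]
    end
  end

  # Step 1: exchange the SPN credentials for a bearer token scoped to Key Vault.
  # spn uses the same keys as the recipe above: tenant_id, client_id, secret.
  def self.access_token(spn, transport: https_transport)
    uri = URI("https://#{TOKEN_HOST}/#{spn['tenant_id']}/oauth2/v2.0/token")
    form = {
      'grant_type'    => 'client_credentials',
      'client_id'     => spn['client_id'],
      'client_secret' => spn['secret'],
      'scope'         => KV_SCOPE
    }
    status, body = transport.call(:post, uri, {}, form)
    raise "token request failed (HTTP #{status})" unless status == 200
    token = JSON.parse(body)['access_token']
    raise 'token response had no access_token' if token.nil? || token.empty?
    token
  end

  # Step 2: read the current version of the named secret from the vault.
  # Error messages carry status and names only, never the response body or token.
  def self.vault_secret(vault_name, secret_name, spn, transport: https_transport)
    token = access_token(spn, transport: transport)
    uri = URI("https://#{vault_name}.vault.azure.net/secrets/#{secret_name}?api-version=#{API_VERSION}")
    status, body = transport.call(:get, uri, { 'Authorization' => "Bearer #{token}" }, nil)
    raise "secret fetch failed (HTTP #{status}) for #{vault_name}/#{secret_name}" unless status == 200
    JSON.parse(body).fetch('value')
  end

  # What a log line should carry instead of the secret itself.
  def self.redacted(secret)
    "<#{secret.length} bytes, redacted>"
  end
end

# Constructed offline stand-in for Azure AD and Key Vault (hypothetical tenant,
# client, vault and secret names). It checks the same things the real services do:
# the client secret and scope on the token request, the bearer token on the GET.
FAKE_TRANSPORT = lambda do |method, uri, headers, form|
  if method == :post && uri.host == 'login.microsoftonline.com' &&
     uri.path == '/tenant-0000/oauth2/v2.0/token'
    return [401, '{"error":"invalid_client"}'] unless form['client_secret'] == 'spn-pw' &&
                                                      form['scope'] == 'https://vault.azure.net/.default'
    [200, '{"token_type":"Bearer","expires_in":3599,"access_token":"fake-token"}']
  elsif method == :get && uri.host == 'kv-example.vault.azure.net' &&
        uri.path == '/secrets/jenkins-api-key'
    return [401, '{"error":{"code":"Unauthorized"}}'] unless headers['Authorization'] == 'Bearer fake-token'
    [200, '{"value":"s3cr3t-value","id":"https://kv-example.vault.azure.net/secrets/jenkins-api-key/abc123"}']
  else
    [404, '{"error":{"code":"NotFound"}}']
  end
end

EXAMPLE_SPN = { 'tenant_id' => 'tenant-0000', 'client_id' => 'app-1111', 'secret' => 'spn-pw' }

if __FILE__ == $PROGRAM_NAME
  value = KeyVaultReader.vault_secret('kv-example', 'jenkins-api-key', EXAMPLE_SPN, transport: FAKE_TRANSPORT)
  puts "fetched jenkins-api-key: #{KeyVaultReader.redacted(value)}"
end
```

Against real Azure, call vault_secret with the default transport and an SPN that has the Key Vault "get" secret permission (or the Key Vault Secrets User role); swapping the token step for a managed identity is the usual way to get rid of the client secret entirely on Azure VMs.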

With this recipe you can create and rotate all your secrets in Azure Key Vault: every chef-client convergence (for example every 15 minutes, if that is the interval you have configured) fetches the current version of the secret, so there is no need to update data_bag_items on the Chef server when a secret changes.
