Chef: Sensitive


template "all_my_secret_data.erb" do
  source "passwords_and_secrets.erb"
  sensitive: true
  action :create
end

A while back, while working on a Chef Cookbook involving SSL certificates (near or around the time of Heartbleed), I found myself updating sensitive information on our servers. The problem with updating these resources is that much of Chef’s behavior is logged to its own output logs and shown in plain text, right there on the screen. Passwords and certificates don’t really bear their full power when you keep them logged somewhere on your system, and a Chef log can become a treasure trove of user information and certificates in plain text.

Enter the sensitive attribute! Released in an early iteration of Chef 11.12, the sensitive resource attribute will hide the outputs of a file Chef is writing, while still providing sufficient logging to know the file is being written. Use it for anything you don’t want a logged, including crts, passwords, login information, etc.

Read about it in the Chef docs here.
See the source code for it here.

Enjoy your newly secret data!

Leave a Reply

Your email address will not be published. Required fields are marked *