blocks|key|132140|text|在#chef+IRC频道，许多人将这类数据存储在chef服务器上的数据包中。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|132141|例如，一个数据包可能是“AWS”，其中有一个项目“main”，指的是主AWS账户。项中的单独关键字将用于每个特定值。例如：|132142|{
++"id":+"main",
++"aws_secret_key":+"The+secret+access+key",
++"aws_access_key":+"The+access+key"
}|code-block|syntax|javascript|132143|您也可能对encrypted+data+bags感兴趣。我为管理postfix+SASL+authentication写了更多关于它们的详细信息。|offset|length|132144|更新:我在my+blog和sysadvent上写了一些关于Chef+Vault的博文。|132145|entityMap|0|LINK|mutability|MUTABLE|url|http://wiki.opscode.com/display/chef/Encrypted%2BData%2BBags|1|http://jtimberman.housepub.org/blog/2011/08/06/encrypted-data-bag-for-postfix-sasl-authentication/|2|http://jtimberman.housepub.org/blog/2013/09/10/managing-secrets-with-chef-vault/|3|http://sysadvent.blogspot.com/2013/12/day-19-automating-iam-credentials-with.html|4|https://github.com/Nordstrom/chef-vault^0|0|0|0|5|J|0|W|R|1|0|5|7|2|D|9|3|T|A|4|0^^$0|@$1|2|3|4|5|6|7|14|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|15|8|@]|9|@]|A|$]]|$1|D|3|E|5|F|7|16|8|@]|9|@]|A|$G|H]]|$1|I|3|J|5|6|7|17|8|@]|9|@$K|18|L|19|1|1A]|$K|1B|L|1C|1|1D]]|A|$]]|$1|M|3|N|5|6|7|1E|8|@]|9|@$K|1F|L|1G|1|1H]|$K|1I|L|1J|1|1K]|$K|1L|L|1M|1|1N]]|A|$]]|$1|O|3|-4|5|6|7|1O|8|@]|9|@]|A|$]]]|P|$Q|$5|R|S|T|A|$U|V]]|W|$5|R|S|T|A|$U|X]]|Y|$5|R|S|T|A|$U|Z]]|10|$5|R|S|T|A|$U|11]]|12|$5|R|S|T|A|$U|13]]]]

From the #chef IRC channel, many people store this kind of data in a data bag on the chef server.

For example, a data bag might be 'aws', with an item 'main', referring to the primary AWS account. Separate keys in the item would be for each particular value. E.g.:

<pre><code>{
 "id": "main",
 "aws_secret_key": "The secret access key",
 "aws_access_key": "The access key"
}
</code></pre>

You may also be interested in <a href="http://wiki.opscode.com/display/chef/Encrypted+Data+Bags" rel="noreferrer">encrypted data bags</a>. I wrote about them in more detail for managing <a href="http://jtimberman.housepub.org/blog/2011/08/06/encrypted-data-bag-for-postfix-sasl-authentication/" rel="noreferrer">postfix SASL authentication</a>.

Update: I've written blog posts about <a href="https://github.com/Nordstrom/chef-vault" rel="noreferrer">Chef Vault</a> on <a href="http://jtimberman.housepub.org/blog/2013/09/10/managing-secrets-with-chef-vault/" rel="noreferrer">my blog</a> and <a href="http://sysadvent.blogspot.com/2013/12/day-19-automating-iam-credentials-with.html" rel="noreferrer">sysadvent</a>.

blocks|key|4955522|text|这个问题很老，没有公认的答案，然而，这个问题的正确答案是，Chef允许在Data+Bags中使用Encrypted+Data+Bags来存储敏感数据。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|4955523|entityMap|0|LINK|mutability|MUTABLE|url|http://docs.opscode.com/essentials_data_bags.html|1|http://docs.opscode.com/chef/essentials_data_bags.html#encrypt-a-data-bag^0|10|9|0|1C|J|1|0^^$0|@$1|2|3|4|5|6|7|N|8|@]|9|@$A|O|B|P|1|Q]|$A|R|B|S|1|T]]|C|$]]|$1|D|3|-4|5|6|7|U|8|@]|9|@]|C|$]]]|E|$F|$5|G|H|I|C|$J|K]]|L|$5|G|H|I|C|$J|M]]]]

This question is old and has no accepted answer, however, the correct answer to this question is that Chef allows the use of <a href="http://docs.opscode.com/chef/essentials_data_bags.html#encrypt-a-data-bag" rel="noreferrer">Encrypted Data Bags</a> for storing sensitive data in <a href="http://docs.opscode.com/essentials_data_bags.html" rel="noreferrer">Data Bags</a>.

blocks|key|2043869|text|我认为Hashicorp的Vault非常有希望作为一种动态检索加密信息的方法，并将Chef工作流在这一领域的一些奇怪之处抛在脑后。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2043870|这是一个有趣的帖子，开始触及这个主题。https://www.hashicorp.com/blog/using-hashicorp-vault-with-chef.html|offset|length|2043871|entityMap|0|LINK|mutability|MUTABLE|url|https://www.hashicorp.com/blog/using-hashicorp-vault-with-chef.html^0|0|J|1V|0|0^^$0|@$1|2|3|4|5|6|7|N|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|O|8|@]|9|@$D|P|E|Q|1|R]]|A|$]]|$1|F|3|-4|5|6|7|S|8|@]|9|@]|A|$]]]|G|$H|$5|I|J|K|A|$L|M]]]]

I think Hashicorp's Vault is really promising as a way to dynamically retrieve encrypted information and leave behind some of the oddities of Chef workflow in this area.

This is an interesting post that starts to touch the subject.
<a href="https://www.hashicorp.com/blog/using-hashicorp-vault-with-chef.html" rel="nofollow">https://www.hashicorp.com/blog/using-hashicorp-vault-with-chef.html</a>

blocks|key|130201|text|最佳实践是将密钥和密码保存在chef+data_bags中。数据包包含数据库项。各个data_bag项采用json格式。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|130202|例如：|130203|{
++/*+This+is+a+supported+comment+style+*/
++//+This+style+is+also+supported
++"id":+"ITEM_NAME",
++"key":+"value"
}|code-block|syntax|javascript|130204|加密数据包项：数据包项可以使用共享秘密加密来加密。这允许每个数据包项存储机密信息(例如数据库密码或ssh密钥)，或者在源代码控制系统中进行管理(没有出现在修订历史中的明文数据)。这可以按如下方式完成：|offset|length|style|BOLD|130205|Crete密钥：创建一个名为encrypted_data_bag_secret的密钥，例如|130206|$+openssl+rand+-base64+512+%7C+tr+-d+'\r\n'+>+encrypted_data_bag_secret|130207|其中encrypted_data_bag_secret是将包含密钥的文件的名称|130208|加密data_bag:使用类似于以下内容的刀子命令对数据包项进行加密：|130209|$+knife+data+bag+create+passwords+mysql+--secret-file+/tmp/my_data_bag_key|130210|其中，密码是数据包的名称，mysql是数据包项的名称，/tmp/my_+data+_+bag+_key是包含密钥的文件所在位置的路径|130211|验证加密：数据包项的内容经过加密后，只有在解密后才能读取。可以使用类似于以下命令的刀子命令来验证加密：|130212|$+knife+data+bag+show+passwords+mysql|130213|Decrypt+Decrypt：加密数据包项使用类似如下的刀命令进行解密：|130214|$+knife+data+bag+show+--secret-file+/tmp/my_data_bag_key+passwords+mysql|130215|entityMap^0|0|0|0|0|7|0|0|8|0|0|0|0|B|0|0|0|0|5|0|0|0|G|0|0^^$0|@$1|2|3|4|5|6|7|1A|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|1B|8|@]|9|@]|A|$]]|$1|D|3|E|5|F|7|1C|8|@]|9|@]|A|$G|H]]|$1|I|3|J|5|6|7|1D|8|@$K|1E|L|1F|M|N]]|9|@]|A|$]]|$1|O|3|P|5|6|7|1G|8|@$K|1H|L|1I|M|N]]|9|@]|A|$]]|$1|Q|3|R|5|F|7|1J|8|@]|9|@]|A|$G|H]]|$1|S|3|T|5|6|7|1K|8|@]|9|@]|A|$]]|$1|U|3|V|5|6|7|1L|8|@$K|1M|L|1N|M|N]]|9|@]|A|$]]|$1|W|3|X|5|F|7|1O|8|@]|9|@]|A|$G|H]]|$1|Y|3|Z|5|6|7|1P|8|@]|9|@]|A|$]]|$1|10|3|11|5|6|7|1Q|8|@$K|1R|L|1S|M|N]]|9|@]|A|$]]|$1|12|3|13|5|F|7|1T|8|@]|9|@]|A|$G|H]]|$1|14|3|15|5|6|7|1U|8|@$K|1V|L|1W|M|N]]|9|@]|A|$]]|$1|16|3|17|5|F|7|1X|8|@]|9|@]|A|$G|H]]|$1|18|3|-4|5|6|7|1Y|8|@]|9|@]|A|$]]]|19|$]]

The best practice is to keep keys and passwords in chef data_bags. A data bag contains databag items. Individual data_bag item are in json format.

For exmaple:

<pre><code>{
 /* This is a supported comment style */
 // This style is also supported
 "id": "ITEM_NAME",
 "key": "value"
}
</code></pre>

Encrypt Data Bag Item:
 data bag item may be encrypted using shared secret encryption. This allows each data bag item to store confidential information (such as a database password or ssh keys) or to be managed in a source control system (without plain-text data appearing in revision history). This can be done as follow:

Crete Secret Keys:
Create a secret key called encrypted_data_bag_secret for example

<pre><code>$ openssl rand -base64 512 | tr -d '\r\n' &gt; encrypted_data_bag_secret
</code></pre>

where encrypted_data_bag_secret is the name of the file which will contain the secret key

Encrypt the data_bag:
A data bag item is encrypted using a knife command similar to:

<pre><code>$ knife data bag create passwords mysql --secret-file /tmp/my_data_bag_key
</code></pre>

where “passwords” is the name of the data bag, “mysql” is the name of the data bag item, and “/tmp/my_data_bag_key” is the path to the location in which the file that contains the secret-key is locate

Verify Encryption:
When the contents of a data bag item are encrypted, they will not be readable until they are decrypted. Encryption can be verified with a knife command similar to:

<pre><code>$ knife data bag show passwords mysql
</code></pre>

Decrypt data Bag:
An encrypted data bag item is decrypted with a knife command similar to:

<pre><code>$ knife data bag show --secret-file /tmp/my_data_bag_key passwords mysql
</code></pre>

blocks|key|2842750|text|Chef+Encrypted+data_bags确实是一个合法的解决方案。除此之外，您还可以使用ruby+Gem，它允许您使用Chef节点列表的公钥对chef数据包项进行加密。这只允许这些chef节点对加密值进行解密。请参阅https://github.com/Nordstrom/chef-vault|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|2842751|entityMap|0|LINK|mutability|MUTABLE|url|https://github.com/Nordstrom/chef-vault^0|34|13|0|0^^$0|@$1|2|3|4|5|6|7|L|8|@]|9|@$A|M|B|N|1|O]]|C|$]]|$1|D|3|-4|5|6|7|P|8|@]|9|@]|C|$]]]|E|$F|$5|G|H|I|C|$J|K]]]]

Chef Encrypted data_bags is indeed a legitimate solution.
Adding to that, you can also use a ruby Gem that allows you to encrypt a Chef Data Bag Item using the public keys of a list of chef nodes. This allows only those chef nodes to decrypt the encrypted values.
cf. <a href="https://github.com/Nordstrom/chef-vault" rel="nofollow">https://github.com/Nordstrom/chef-vault</a>

blocks|key|2043850|text|Chef+Vault可能是一个很好的选择。它提供了简单的接口，用于在chef-server上存储加密数据，访问管理。使用knife+vault+...命令上传、编辑和更新数据。|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|2043851|要从配方中获取数据，请使用ChefVault::Item.load命令|2043852|chef_gem+"chef-vault"
require+'chef-vault'
item+=+ChefVault::Item.load("passwords",+"root")
item["password"]|code-block|syntax|javascript|2043853|要设置用户，可以使用刀子vault_admins属性更新数据。|2043854|knife[:vault_admins]+=+[+'example-alice',+'example-bob',+'example-carol'+]|2043855|entityMap|0|LINK|mutability|MUTABLE|url|https://github.com/Nordstrom/chef-vault^0|1O|F|0|A|0|0|D|K|0|0|C|C|0|0^^$0|@$1|2|3|4|5|6|7|Y|8|@$9|Z|A|10|B|C]]|D|@$9|11|A|12|1|13]]|E|$]]|$1|F|3|G|5|6|7|14|8|@$9|15|A|16|B|C]]|D|@]|E|$]]|$1|H|3|I|5|J|7|17|8|@]|D|@]|E|$K|L]]|$1|M|3|N|5|6|7|18|8|@$9|19|A|1A|B|C]]|D|@]|E|$]]|$1|O|3|P|5|J|7|1B|8|@]|D|@]|E|$K|L]]|$1|Q|3|-4|5|6|7|1C|8|@]|D|@]|E|$]]]|R|$S|$5|T|U|V|E|$W|X]]]]

<a href="https://github.com/Nordstrom/chef-vault" rel="nofollow">Chef Vault</a> can be a good choice. It provides simple interface for storing encrypted data on chef-server, access management. Upload, edit, update data with <code>knife vault ...</code> commands.

To get data from recipe use <code>ChefVault::Item.load</code> command

<pre><code>chef_gem "chef-vault"
require 'chef-vault'
item = ChefVault::Item.load("passwords", "root")
item["password"]
</code></pre>

To set users, which can update data use knife <code>vault_admins</code> property.

<pre><code>knife[:vault_admins] = [ 'example-alice', 'example-bob', 'example-carol' ]
</code></pre>

blocks|key|4955506|text|我从来没有尝试过数据库标签，但这可能是因为我发现除了chef-solo之外的所有东西都有点太复杂了。这就是为什么我在一个叫Scalarium的服务中使用厨师食谱的原因。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|4955507|因此，密码或私钥和各种其他凭证的问题是一个相当棘手的问题。我也有一堆需要创建或设置正确密码的秘诀。|4955508|通常我所做的是，我指定scalarium的人称之为自定义json的东西。这个json类似于一些人使用chef-solo+-j+node.json提供给chef-solo的node.json。|style|CODE|4955509|因此，例如，在我的自定义json+on+Scalarium界面中，我有以下内容：|4955510|{"super_secure_password":"foobar"}|code-block|syntax|javascript|4955511|它的作用是，我的超级安全密码在我的厨师在node[:super_secure_password]中运行时可用，我可以在食谱或模板中使用它。|BOLD|4955512|只要我只使用Scalarium部署我的服务器，这就可以很好地工作，但我们也使用本地流浪箱中的食谱，以获得开发环境和更容易的测试。当我使用vagrant+(甚至chef-solo本身)时，我无法访问Scalarium上的自定义json。|4955513|这就是我在my_recipe/attributes/default中解决这个问题的方法|4955514|set_unless[:super_secure_password]+=+"test123"|4955515|这意味着当我的菜谱在still之外运行时，密码在node[:super_secure_password]中仍然可用，并且我的菜谱工作，依此类推。当配方在scalarium上下文中执行时，它不会覆盖它们提供的内容。|4955516|entityMap|0|LINK|mutability|MUTABLE|url|http://www.scalarium.com/^0|1P|9|0|0|0|1E|M|2D|9|0|0|0|8|6|K|S|0|0|5|S|0|0|O|S|0^^$0|@$1|2|3|4|5|6|7|19|8|@]|9|@$A|1A|B|1B|1|1C]]|C|$]]|$1|D|3|E|5|6|7|1D|8|@]|9|@]|C|$]]|$1|F|3|G|5|6|7|1E|8|@$A|1F|B|1G|H|I]|$A|1H|B|1I|H|I]]|9|@]|C|$]]|$1|J|3|K|5|6|7|1J|8|@]|9|@]|C|$]]|$1|L|3|M|5|N|7|1K|8|@]|9|@]|C|$O|P]]|$1|Q|3|R|5|6|7|1L|8|@$A|1M|B|1N|H|S]|$A|1O|B|1P|H|I]]|9|@]|C|$]]|$1|T|3|U|5|6|7|1Q|8|@]|9|@]|C|$]]|$1|V|3|W|5|6|7|1R|8|@$A|1S|B|1T|H|I]]|9|@]|C|$]]|$1|X|3|Y|5|N|7|1U|8|@]|9|@]|C|$O|P]]|$1|Z|3|10|5|6|7|1V|8|@$A|1W|B|1X|H|I]]|9|@]|C|$]]|$1|11|3|-4|5|6|7|1Y|8|@]|9|@]|C|$]]]|12|$13|$5|14|15|16|C|$17|18]]]]

I've never tried databags, but that's probably because I find everything apart from chef-solo a little too complicated. Which is why I'm using chef recipies with a service called <a href="http://www.scalarium.com/" rel="nofollow">Scalarium</a>.

So the issue with passwords, or e.g. private keys and all kinds of other credentials is a pretty tough one. I too have a bunch of recipes where passwords need to be created, or set correctly.

Usually what I do is, I specify what the scalarium folks call custom json. This json is similar to the <code>node.json</code> some people give to chef-solo using <code>chef-solo -j node.json</code>.

So e.g. in my custom json on Scalarium web interface, I have the following:

<pre><code>{"super_secure_password":"foobar"}
</code></pre>

What this does is, my super secure password is available during my chef run in <code>node[:super_secure_password]</code> and I can use it in recipes or templates.

This works fine as long as I only deploy my server using Scalarium but we also use our recipes in local vagrant boxes for a development environment and easier testing. And when I use vagrant (or even chef-solo by itself), I don't have access to the custom json on Scalarium.

This is what I do to fix that, in <code>my_recipe/attributes/default</code>:

<pre><code>set_unless[:super_secure_password] = "test123"
</code></pre>

This means that when my recipe is run outside of scalarium, the password is still available in <code>node[:super_secure_password]</code> and my recipes work and so on. When the recipe is executed in the scalarium context, it will not override what they provide.

blocks|key|2842911|text|目前最广泛使用的方法是使用chef-vault，而且在大多数情况下也足够安全。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2842912|它使用共享密钥来加密您的数据(类似于chef加密的数据库)。此共享密钥为将使用它的每个客户端和/或用户加密(如果您允许使用它)。|2842913|好处：|2842914|2842915|在测试环境中，您可以使用未加密的数据|unordered-list-item|2842916|One不以明文形式存储共享密钥|2842917|One可能只授予少数服务器读写某些数据库标签的访问权限|2842918|2842919|示例|2842920|export+EDITOR=vi+#sets+your+favourite+text+editor+

knife+vault+create+secret_data+john_doe++--admins+"admin"+--search+"*:*"+--mode+client+|code-block|syntax|javascript|2842921|上面的命令在secret_data数据库中创建了一个项目：john_doe，它可以被admin修改并被所有客户端使用。在该命令之后，EDITOR将会打开，这样您就可以输入o粘贴您的秘密数据(在json中)。|offset|length|style|CODE|2842922|搜索查询可以是："role:basic"+-这意味着只有具有basic角色的服务器才能读取此数据knife+vault需要一些额外的安装|2842923|在你的食谱中|2842924|chef_gem+'chef-vault'+do
++++compile_time+true+if+respond_to?(:compile_time)
end

require+'chef-vault'

item+=+ChefVault::Item.load("secret_data",+"john_doe")
item["password"]|2842925|在metadata.rb中：depends+'chef-vault',+'1.3.0'|2842926|更多信息请点击此处：https://blog.chef.io/2016/01/21/chef-vault-what-is-it-and-what-can-it-do-for-you/|2842927|这里：https://github.com/chef/chef-vault|2842928|entityMap|0|LINK|mutability|MUTABLE|url|https://blog.chef.io/2016/01/21/chef-vault-what-is-it-and-what-can-it-do-for-you/|1|https://github.com/chef/chef-vault^0|0|0|0|0|0|0|0|0|0|0|6|B|T|8|16|5|1U|6|0|8|C|U|5|1C|B|0|0|0|1|B|E|T|0|A|29|0|0|3|Y|1|0^^$0|@$1|2|3|4|5|6|7|1N|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|1O|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|1P|8|@]|9|@]|A|$]]|$1|F|3|-4|5|6|7|1Q|8|@]|9|@]|A|$]]|$1|G|3|H|5|I|7|1R|8|@]|9|@]|A|$]]|$1|J|3|K|5|I|7|1S|8|@]|9|@]|A|$]]|$1|L|3|M|5|I|7|1T|8|@]|9|@]|A|$]]|$1|N|3|-4|5|6|7|1U|8|@]|9|@]|A|$]]|$1|O|3|P|5|6|7|1V|8|@]|9|@]|A|$]]|$1|Q|3|R|5|S|7|1W|8|@]|9|@]|A|$T|U]]|$1|V|3|W|5|6|7|1X|8|@$X|1Y|Y|1Z|Z|10]|$X|20|Y|21|Z|10]|$X|22|Y|23|Z|10]|$X|24|Y|25|Z|10]]|9|@]|A|$]]|$1|11|3|12|5|6|7|26|8|@$X|27|Y|28|Z|10]|$X|29|Y|2A|Z|10]|$X|2B|Y|2C|Z|10]]|9|@]|A|$]]|$1|13|3|14|5|6|7|2D|8|@]|9|@]|A|$]]|$1|15|3|16|5|S|7|2E|8|@]|9|@]|A|$T|U]]|$1|17|3|18|5|6|7|2F|8|@$X|2G|Y|2H|Z|10]|$X|2I|Y|2J|Z|10]]|9|@]|A|$]]|$1|19|3|1A|5|6|7|2K|8|@]|9|@$X|2L|Y|2M|1|2N]]|A|$]]|$1|1B|3|1C|5|6|7|2O|8|@]|9|@$X|2P|Y|2Q|1|2R]]|A|$]]|$1|1D|3|-4|5|6|7|2S|8|@]|9|@]|A|$]]]|1E|$1F|$5|1G|1H|1I|A|$1J|1K]]|1L|$5|1G|1H|1I|A|$1J|1M]]]]

Currently most widely used approach and for most cases secure enough is to use chef-vault. 

It uses shared secret to encrypt your data (similarity to chef-encrypted databag). This shared secret is encrypted for every client and/or user that will use it(if You allow to use it).

Benefits:

<ul>
<li>on test environment you can use unencrypted data</li>
<li>One doesn't store shared secret as a plain text</li>
<li>One may grant access only few out their servers to read and write some databags</li>
</ul>

<h2>Example</h2>

<pre><code>export EDITOR=vi #sets your favourite text editor 

knife vault create secret_data john_doe --admins "admin" --search "*:*" --mode client 
</code></pre>

Command above creates in <code>secret_data</code> databag item: <code>john_doe</code> that can modified by <code>admin</code> and used by all clients. After that command <code>EDITOR</code> will open so you can type o paste your secret data(in json ).

Search query can be: <code>"role:basic"</code> - Which means only servers with role <code>basic</code> can read this data
<code>knife vault</code> need some extra installation

<h3>In Your Cookbook</h3>

<pre><code>chef_gem 'chef-vault' do
 compile_time true if respond_to?(:compile_time)
end

require 'chef-vault'

item = ChefVault::Item.load("secret_data", "john_doe")
item["password"]
</code></pre>

and in <code>metadata.rb</code>:
<code>depends 'chef-vault', '1.3.0'</code>

more info here: <a href="https://blog.chef.io/2016/01/21/chef-vault-what-is-it-and-what-can-it-do-for-you/" rel="nofollow">https://blog.chef.io/2016/01/21/chef-vault-what-is-it-and-what-can-it-do-for-you/</a>

and here: <a href="https://github.com/chef/chef-vault" rel="nofollow">https://github.com/chef/chef-vault</a>

blocks|key|130140|text|我建议使用IAM角色进行厨师调配|type|unstyled|depth|inlineStyleRanges|entityRanges|data|130141|require+'chef/provisioning/aws_driver'
iam+=+AWS::Core::CredentialProviders::EC2Provider.new
puts+iam.credentials.inspect
with_driver(
++'aws:IAM:eu-west-1',
++:aws_credentials+=>+{+'IAM'+=>+iam.credentials+}
)|code-block|syntax|javascript|130142|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|I|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|J|8|@]|9|@]|A|$E|F]]|$1|G|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|H|$]]

I would Suggest use IAM role with chef provisioning 

<pre><code>require 'chef/provisioning/aws_driver'
iam = AWS::Core::CredentialProviders::EC2Provider.new
puts iam.credentials.inspect
with_driver(
 'aws:IAM:eu-west-1',
 :aws_credentials =&gt; { 'IAM' =&gt; iam.credentials }
)
</code></pre>

What is the best practice for storing password and API keys with Chef? It's really tempting to store database passwords, AWS api keys, and other sensitive credentials as Chef Server Attributes for use in recipes -- but what about security considerations? What's the best practice for this?

Storing passwords in Chef?

翻译质量差，导致语言生硬或混乱。

没有提供实际的解决方法或示例。

解答不清晰，无法理解或解决问题。

页面排版不美观，阅读体验差。

文章

问答

视频

教程

学习中心

腾讯云实验室

直播

竞赛

腾讯云代码分析专区

腾讯iOA零信任安全管理系统专区

腾讯云架构师技术同盟交流圈

腾讯云数据库专区

腾讯云智能顾问专区

腾讯云原生专区

腾讯混元专区

腾讯云TCE专区

腾讯云Lighthouse专区

腾讯云HAI专区

腾讯云Edgeone专区

腾讯云存储专区

腾讯云智能专区

腾讯轻联专区 

腾讯云开发专区

TAPD专区

腾讯轻量云游戏服专区

腾讯云最具价值专家

腾讯云架构师技术同盟

腾讯云创作之星

腾讯云开发者先锋

腾讯云AI代码助手

云原生构建

TAPD 敏捷项目管理

Cloud Studio

SDK中心

API中心

命令行工具

功能1上新10个字符

功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符。

功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符。

功能5描述100个字符功能5描述100个字符功能5描述100个字符功能5描述100个字符功能5描述100个字符功能5描述100个字符

功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符

功能4上新

文章&问答评论现已支持表情

全新交互，全新视觉，新增快捷键、悬浮工具栏、高亮块等功能并同时优化现有功能，全面提升创作效率和体验

社区富文本编辑器全新改版！诚邀体验～ 

精选全网热门MCP server，让你的AI更好用 🚀

💥开发者 MCP广场重磅上线！

涵盖代码开发、场景应用、自动测试全流程，助你从零构建专属AI助手

一站式MCP教程库，解锁AI应用新玩法

聚焦“写作效率、视觉美观与运行性能”三方面进行全面升级，为您提供更高效、稳定的创作环境

社区富文本&Markdown编辑器全新改版上线，欢迎大家体验!

诚挚邀请您参与本次调研，分享您的真实使用感受与建议。您的反馈至关重要，感谢您的支持与参与！

社区新版编辑器体验调研

使用Chef存储密码和API密钥的最佳实践是什么？将数据库密码、AWS api密钥和其他敏感凭证作为Chef Server属性存储在食谱中是非常诱人的--但是安全方面的考虑又如何呢？这方面的最佳实践是什么？

问在Chef中存储密码？
EN

回答 9

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问在Chef中存储密码？EN

回答 9

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问在Chef中存储密码？
EN