Chef Vault Item was not encrypted with your public key
Trying to store encrypted credentials for user creation in Chef Vault and then deploy the cookbook to the node I want the user created on.
Using Chef version 12.13.37
Using chef-vault cookbook 2.1.1
Initially created the vault with:

```shell
knife vault create ftp users \
  '{"user":"password"}' \
  --search 'name:my_node_name' \
  --admins bk0155 \
  --mode client
```
Output of `knife vault show ftp users` gives:

```
id: users
user: password
```
My recipe has this in it:

```ruby
include_recipe 'chef-vault'
vault = ChefVault::Item.load("ftp", "users")

user 'testuser' do
  comment 'Test User Account'
  home '/home/testuser'
  shell '/sbin/bash'
  group 'testusers'
  password vault['user']
end
```
And the error I'm getting is:

```
ChefVault::Exceptions::SecretDecryption
---------------------------------------
ftp/users is not encrypted with your public key. Contact an administrator of the vault item to encrypt for you!

Cookbook Trace:
---------------
/var/chef/cache/cookbooks/ftp_test/recipes/default.rb:10:in `from_file'
/var/chef/cache/cookbooks/compat_resource/files/lib/chef_compat/monkeypatches/chef/run_context.rb:347:in `load_recipe'

Relevant File Content:
----------------------
/var/chef/cache/cookbooks/ftp_test/recipes/default.rb:

 3: # Recipe:: default
 4: #
 5: # Copyright:: 2017, The Authors, All Rights Reserved.
 6: #
 7:
 8: include_recipe 'chef-vault'
 9:
10>> vault = ChefVault::Item.load("ftp", "users")
11:
```
I've tried doing `knife update ftp users -S 'name:my_node_name' -M client` to update, but that doesn't seem to help.
Doing a `knife data bag show ftp users_keys` gives:

```
WARNING: Unencrypted data bag detected, ignoring any provided secret options.
admins:
  bk0155
  my_node_name
my_node_name: fqkwg0098mpbDiJKFCsBEoMLiyN0kZLksiZpWwoxepr6lUgBMFGkJvSpkoGf
3ZwZt8PG2keNe9RYQ93rvgRBKGhLwP46lvDMLO78CEBPfSV5S2mYoe7B7mBb
NFhHPmWkXX2IhaL6TkLvvjATVqBEuUbeqtDb7HO5XOSTuBHacovQxEJerHmA
dXWBsPgs/GPnsu8xK3BNLHjvyVJ3ovaYkvCTxdFTWvDfb8184jC9rJX882Op
XCeGhZ3I5BPXDmNi5XW7EAPgjtbqgxIGPZwYHrrEcZji4TMKxnc6O5+9rPB/
/j4mM/QEL5zGtTeeluzmX+wSE605p9KwGAqsLpUn/g==
clients: my_node_name
id: users_keys
bk0155: mDsML41veFJclX0yXVMqYGvW52uRnZRtQTrRl1XTddgUJc0N9RR1qnyk0gxC
07jKkN+AsdkFuMoOGr7UcUCo/1MEsL125CvsSevOGOF9QMvUk67xw8Q+OlP0
4vqmvJNyaxeXxVV7FOVJSTC2ytovStD2WaSshZutNhG+EgIZ0zSOivHHryW+
aFyClqjVIA3Sm7ITuEyheqBJZZntpHhK1a4Gwk1V3T9aJZ3OT5vvFtNzppnx
CerZvQjPdthwmrqbKfMmYG3KmsPUPEMsAHxK8ryw8Sntu/MYechWzUTGYDii
gcuhehwUCgb+6LAM66ygiIqxcpZ3qg2ddcSUbo5V0g==
search_query: name:my_node_name
```
I have also tried `knife vault rotate keys` and am still getting the same error.
Solution 1:[1]
If by any chance your node key changed, you should run `knife vault refresh ftp users_keys`, with `-M client` if you do not set this in knife.rb. If it does not work, try dropping the whole vault and creating it from scratch, but refresh should be sufficient.

`update` is for updating the content of the vault; `rotate` is for rotating the shared key, not the clients' keys.
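Solution 1 hinges on how chef-vault grants access: the item is encrypted once under a random shared secret, and that secret is wrapped separately under each admin's and each client's public key in the `_keys` data bag shown in the question. A node whose client key was regenerated (re-bootstrapped, new `client.pem`) is therefore still listed under `clients` but can no longer unwrap its copy, which is exactly the "not encrypted with your public key" error. The Ruby script below is an added example, not chef-vault's own code: it models that mechanism with constructed identities (`bk0155`, `my_node_name`) and a simplified AES-GCM plus RSA wrapping layout, reproduces the failure after a node re-key, and shows what `refresh` repairs (re-wrapping the existing secret for the node's current key) as opposed to `rotate` (replacing the secret).

```ruby
require 'openssl'
require 'base64'
require 'json'

# Raised when the caller's private key cannot unwrap the vault's shared secret.
# Its message mirrors the chef-vault error seen in the question.
class VaultKeysError < StandardError; end

# RSA wrap/unwrap helpers. Ruby's openssl gem 3.x offers PKey#encrypt/#decrypt;
# older gems only have public_encrypt/private_decrypt, so support both.
def rsa_wrap(pub, data)
  pub.respond_to?(:encrypt) ? pub.encrypt(data) : pub.public_encrypt(data)
end

def rsa_unwrap(priv, data)
  priv.respond_to?(:decrypt) ? priv.decrypt(data) : priv.private_decrypt(data)
end

# Create a vault item (simplified model of chef-vault, not its real data bag format):
# the data is encrypted once with a random shared secret, and that secret is wrapped
# separately for every admin and client public key into the "<item>_keys" bag.
def create_vault(vault, item, data, admins, clients)
  shared = OpenSSL::Random.random_bytes(32)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = shared
  iv = cipher.random_iv
  ciphertext = cipher.update(JSON.generate(data)) + cipher.final
  keys = { 'id' => "#{item}_keys", 'admins' => admins.keys, 'clients' => clients.keys }
  admins.merge(clients).each do |name, pub|
    keys[name] = Base64.strict_encode64(rsa_wrap(pub, shared))
  end
  { 'item' => { 'id' => item, 'vault' => vault,
                'iv' => Base64.strict_encode64(iv),
                'tag' => Base64.strict_encode64(cipher.auth_tag),
                'data' => Base64.strict_encode64(ciphertext) },
    'keys' => keys }
end

# Recover the shared secret with the caller's private key. Both a missing entry and
# an entry wrapped for a different key end in the same vault error.
def unwrap_shared(store, name, priv)
  path = "#{store['item']['vault']}/#{store['item']['id']}"
  wrapped = store['keys'][name]
  raise VaultKeysError, "#{path} is not encrypted with your public key" unless wrapped
  rsa_unwrap(priv, Base64.strict_decode64(wrapped))
rescue OpenSSL::PKey::PKeyError
  raise VaultKeysError, "#{path} is not encrypted with your public key (key for '#{name}' no longer matches)"
end

# What ChefVault::Item.load does on the node: unwrap the secret, then decrypt the item.
def load_vault(store, name, priv)
  item = store['item']
  shared = unwrap_shared(store, name, priv)
  decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  decipher.key = shared
  decipher.iv = Base64.strict_decode64(item['iv'])
  decipher.auth_tag = Base64.strict_decode64(item['tag'])
  JSON.parse(decipher.update(Base64.strict_decode64(item['data'])) + decipher.final)
rescue OpenSSL::Cipher::CipherError, ArgumentError
  raise VaultKeysError, "#{item['vault']}/#{item['id']} is not encrypted with your public key"
end

# What `knife vault refresh` does for a client whose key changed: an admin whose own
# wrapped copy still decrypts recovers the shared secret and re-wraps it for the
# client's current public key. The secret itself is unchanged (that would be `rotate`).
def refresh_keys(store, admin_name, admin_priv, client_name, client_pub)
  shared = unwrap_shared(store, admin_name, admin_priv)
  store['keys'][client_name] = Base64.strict_encode64(rsa_wrap(client_pub, shared))
  store['keys']['clients'] |= [client_name]
  store
end

# Walk through the question's scenario with constructed identities: admin "bk0155"
# and client "my_node_name", then the same node re-registered with a fresh key.
def demo
  admin = OpenSSL::PKey::RSA.new(2048)
  node  = OpenSSL::PKey::RSA.new(2048)
  store = create_vault('ftp', 'users', { 'user' => 'password' },
                       { 'bk0155' => admin.public_key }, { 'my_node_name' => node.public_key })
  results = { before: load_vault(store, 'my_node_name', node)['user'] }

  rekeyed_node = OpenSSL::PKey::RSA.new(2048) # node re-bootstrapped: new client.pem, same name
  begin
    load_vault(store, 'my_node_name', rekeyed_node)
    results[:after_rekey] = :decrypted
  rescue VaultKeysError => e
    results[:after_rekey] = e.message
  end

  refresh_keys(store, 'bk0155', admin, 'my_node_name', rekeyed_node.public_key)
  results[:after_refresh] = load_vault(store, 'my_node_name', rekeyed_node)['user']
  results
end

p demo if $PROGRAM_NAME == __FILE__
```

Running it prints the password before the re-key, the vault error after it, and the password again once an admin has refreshed the node's wrapped copy. Note the repair requires an admin whose own entry still decrypts; if every listed key is stale, nobody can recover the secret and the vault must be recreated, which is the fallback Solution 1 mentions.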
Solution 2:[2]
First delete the credentials using:

```shell
knife data bag show VAULT ITEM_keys [--user=USER]
# keep track of --admins
knife data bag delete VAULT ITEM_keys [-C CLIENT] [--user=USER] -y
knife data bag delete VAULT ITEM [-C CLIENT] [--user=USER] -y
```

Now you are good to create; however, you may want to supply `[--admins=]`.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Szymon Szypulski |
| Solution 2 | Elijah |
