by dustinrcollins 4108 days ago
When using Hosted Chef you can't generate a private key and upload it. You create a user, their system generates your key pair and displays the private key one-time-only for you to store somewhere. A user in Chef can only have one keypair at a time. This is just a limitation of their system we have to work with.

It's important to note that the 'user' here in Hosted Chef is not a person, it is an identity in the Chef server that is allowed to upload cookbooks. Its scope is limited to only that.

Rotating the deploy user's key when using Hosted Chef is a one-step process, using knife and Conjur together:

```
knife user reregister "conjurbot" | conjur variable values add hostedchef/conjurbot/private_key
```

The stdout of `knife user reregister` is the private key so you can update the variable in Conjur without even seeing the value. You could run this in a cron job if you wanted. Your CI system responsible for uploading cookbooks will pull the new private key next time it runs.

Again, not ideal that Hosted Chef only allows you one keypair per user but we can minimize the threat by rotating the key frequently.
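As an added example (not part of dustinrcollins's comment), here is a small POSIX shell wrapper around that same pipeline. Piped directly, a failed `knife user reregister` (auth error, network hiccup) would still feed its stdout, possibly empty, into Conjur and overwrite the stored key; the wrapper checks knife's exit status and that the output looks like a PEM private key before storing it, and runs fine from cron. The `KNIFE`/`CONJUR` variables and the `fake_knife`/`fake_conjur` stubs are assumptions added so it can be exercised offline; the real command forms are the ones the comment gives.

```shell
#!/bin/sh
# Rotate a Hosted Chef deploy user's key into Conjur, but only store knife's stdout
# if knife succeeded and the output actually is a PEM private key.
# Assumptions (not from the original comment): the CLIs are taken from $KNIFE and
# $CONJUR so stubs can be substituted; defaults are the real `knife` and `conjur`.

# looks_like_private_key KEYTEXT: 0 if KEYTEXT carries PEM BEGIN/END private-key markers.
looks_like_private_key() {
  case "$1" in
    *"-----BEGIN "*" PRIVATE KEY-----"*"-----END "*" PRIVATE KEY-----"*) return 0 ;;
    *) return 1 ;;
  esac
}

# rotate_key USER VARIABLE: regenerate USER's key pair on the Chef server and store
# the new private key in the Conjur variable VARIABLE. The key is never printed; it
# only passes through a shell variable on its way to Conjur's stdin.
rotate_key() {
  user="$1"
  var="$2"
  # Capture stdout so knife's exit status can be checked (pipefail is not POSIX).
  new_key="$(${KNIFE:-knife} user reregister "$user")" || {
    echo "rotate_key: knife user reregister failed for $user; Conjur value left unchanged" >&2
    return 1
  }
  if ! looks_like_private_key "$new_key"; then
    echo "rotate_key: knife output for $user is not a PEM private key; refusing to store it" >&2
    return 1
  fi
  # Command substitution strips the trailing newline; restore it for a clean PEM file.
  printf '%s\n' "$new_key" | ${CONJUR:-conjur} variable values add "$var"
}

# ---- Constructed stubs for running this offline (stand-ins, not the real CLIs) ----

# Mimics `knife user reregister NAME`: prints a constructed, non-functional PEM blob.
fake_knife() {
  printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedKeyMaterialNotARealKey==\n-----END RSA PRIVATE KEY-----\n'
}

# Mimics a knife run whose authentication failed: error on stderr, nothing on stdout.
broken_knife() {
  echo "ERROR: Failed to authenticate to the chef server (http 401)" >&2
  return 100
}

# Mimics `conjur variable values add VAR`: records stdin in $FAKE_STORE instead of Conjur.
fake_conjur() {
  cat > "$FAKE_STORE"
}
```

Usage against the real CLIs is `rotate_key conjurbot hostedchef/conjurbot/private_key`; set `KNIFE=fake_knife CONJUR=fake_conjur FAKE_STORE=/tmp/store` to watch it run without touching Hosted Chef or Conjur. The exit status makes it safe to schedule: a non-zero return means the previously stored key is still the valid one.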