Secrets management

[AnkurMundhra]

What we want:

• Protect sensitive information across Automate (similar to what we have done with LDAP in config.toml) - configuration files, secret storage places, etc.
• Obfuscate Chef Infra Server details in Automate in a centralized way (can refer to chef_secrets)
• Explore integration possibility with centralized secret management system, like HashiCorp Vault
• Store AWS/GCP/public cloud related credentials in Vault.
• Explore integration possibility with Chef Vault: https://docs.chef.io/workstation/chef\_vault/
• Encrypted key storage of private keys

Existing issues: Need to close them

• https://github.com/chef/customer-bugs/issues/283|ZD 26612 - Chef Automate LDAP config file contains password in open text #283

-|-

Aha! Link: https://chef.aha.io/epics/AUTO-E-10

[trickyearlobe]

Not sure if it's what you meant above with Store AWS/GCP/public cloud related credentials in Vault but in addition to considering Hashicorp Vault, we should consider the cloud native secrets management. It would be great to store secrets in AWS Secrets Manager or Azure KeyVault, and then use the native IAM functionality to grant access to the A2 VM's that need the secrets. That way, it's super simple to kill a broken VM and spin up a new one to replace it or do autoscaling for A2 cluster.

My view is that Chef Vault is not something we want to encourage people to use for secrets management at scale.