Instead of using the default recipe from the Mac App Store cookbook, use the resources instead - this way I can use an encrypted databag for the password instead of an attribute.
Changing how I think about this - the latest versions want you to be logged in anyway, so I'm thinking that since chef-client is almost always going to be run interactively it won't matter. Closing for now.
Instead of using the default recipe from the Mac App Store cookbook, use the resources instead - this way I can use an encrypted databag for the password instead of an attribute.