Chef Infra Dynamic Secrets

Suggest Edits

You can define a Chef Infra dynamic secret to allow users to dynamically generate access credentials for a Chef Infra server.

Prerequisites

Create a Dynamic Chef Infra Secret from the CLI

👍

Tip

We recommend using dynamic secrets with Targets. While it saves time for multiple secret-level configurations by not requiring you to provide an inline connection string each time, it is also important for security streamlining. Using a target allows you to rotate credentials without breaking the credential chain for the objects connected to the server used, using inline will force you to go and change the credentials in each individual item instead of just the target.

To create a dynamic Chef Infra secret from the CLI using an existing Chef Infra Target , run the following command: 

akeyless gateway-create-producer-chef \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--chef-orgs <Chef organizations>

Or using an inline connection string:

akeyless gateway-create-producer-chef \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--chef-orgs <Chef organizations> \
--chef-server-username <Chef server username> \
--chef-server-key <Chef server key> \
--chef-server-url <Chef server URL> \
--skip-ssl <true|false>

Where:

  • name: A unique name of the dynamic secret. The name can include the path to the virtual folder where you want to create the new dynamic secret, using slash / separators. If the folder does not exist, it will be created together with the dynamic secret.

  • target-name: A name of the target that enables connection to the Chef Infra server. The name can include the path to the virtual folder where this target resides.

  • gateway-url: API Gateway URL.

  • chef-orgs: The Chef Infra server organization to which users generated by the dynamic secret should be added.

Inline connection strings

If you don't have a configured Chef Infra Target yet, you can use the command with your Chef connection strings:

  • chef-server-username: The username of the privileged user for connecting to the Chef Infra server to generate credentials.

  • chef-server-key: The access key of the privileged user for connecting to the Chef Infra server to generate credentials.

  • chef-server-url: The URL of the Chef Infra server.

  • skip-ssl: Select this checkbox to disable SSL connections.

You can find the complete list of parameters for this command in the CLI Reference - Dynamic Secrets section.

Fetch a Dynamic Chef Infra Secret value from the CLI

To fetch a dynamic Chef Infra secret value from the CLI, run the following command: 

akeyless get-dynamic-secret-value --name <Path to your dynamic secret>

Create a Dynamic Chef Infra Secret in the Akeyless Console

👍

Tip

To start working with dynamic secrets from the Akeyless Console, you need to configure the Gateway URL thus enabling communication between the Akeyless SaaS and the Akeyless Gateway.

To create dynamic secrets directly from the Akeyless Gateway, you can use the Gateway Configuration Manager.

  1. Log in to the Akeyless Console, and go to Dynamic Secrets > New > Chef Infra.

  2. Select the Chef Infra secret type and click Next.

  3. Define a Name of the dynamic secret, and specify the Location as a path to the virtual folder where you want to create the new dynamic secret, using slash / separators. If the folder does not exist, it will be created together with the dynamic secret.

  4. Define the remaining parameters as follows:

  • Target mode: In this section, you can either select an existing Chef Infra Target or specify details of the target Chef Infra server explicitly.

    • Use the Choose an existing target drop-down list to select the existing Chef Infra Target.

    • Select the Explicitly specify target properties option to provide details of the target Chef Infra Server in the next step.

  • Organizations: Provide the Chef Infra server organization to which users generated by this dynamic secret should be added.

  • User TTL: Provide a time-to-live value for a dynamic secret. When TTL expires, dynamic user credentials become obsolete.

  • Time Unit: Select the time unit (seconds, minutes, hours) for the TTL value.

  • Gateway: Select the Gateway through which the dynamic secret will create users.

  • Protection key: To enable Zero-Knowledge, select a key with a Customer Fragment. For more information about Zero-Knowledge, see Implement Zero Knowledge

  1. If you selected the Explicitly specify target properties option, click Next.

  2. Provide details of the target Chef Infra server:

  • Server username: Provide the username of the privileged user for connecting to the Chef Infra server to generate credentials.

  • Server key: Provide the access key of the privileged user for connecting to the Chef Infra server to generate credentials.

  • Server URL: Provide the URL of the Chef Infra server.

  • Skip SSL: Select this checkbox to skip SSL verifciation.

  1. Click Finish.

Fetch a Dynamic Chef Infra Secret value from the Akeyless Console

  1. Log in to the Akeyless Console, and go to Secrets & Keys.

  2. Browse to the folder where you created a dynamic secret.

  3. Select the secret and click Get Dynamic Secret button.

Updated 2 months ago