I have a set of configuration recipes in Chef 12 on AWS OpsWorks. When I create users on EC2 instances, I would like to set the password and provision keys. How can I do this securely without putting plaintext in the Chef scripts, which are stored in Git?
If you're on AWS, you probably want to use some mix of their services for this. Check out the citadel cookbook for my recommended solution, but you can also look at things like Confidant or HashiCorp Vault.