
Chef::EncryptedDataBagItem.load method use


I am trying to use a wrapper Chef recipe to read Datadog API keys from an encrypted data bag and override a node default attribute. My confusion here is with the use of the Chef::EncryptedDataBagItem.load method. I created an encrypted bag named datadog with an item datadog_keys inside it. I would like to get the API key and app key from inside this data bag item. So I'm using:

    node.default['datadog']['api_key'] = Chef::EncryptedDataBagItem.load("datadog", "api_key")
    node.default['datadog']['application_key'] = Chef::EncryptedDataBagItem.load("datadog", "chef")

My question: is this usage correct, or should I use:

    Chef::EncryptedDataBagItem.load("datadog_keys", "api_key")

or

    Chef::EncryptedDataBagItem.load("datadog::datadog_keys", "api_key")


Solution

  • Neither, you want something like this I think:

    api_key = data_bag_item('datadog', 'datadog_keys')['api_key']
    #                       ^ bag name ^ item name    ^ accessing something from the item hash
    

    Also, putting the key into node attributes like that is very unsafe and kind of defeats the point of encrypted bags, since node attributes are all written back to the Chef Server, and so the key will be sent unencrypted.
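To check whether a saved node object already carries keys in the way the answer warns about, the following added example (not part of the original question or answer) walks a node's JSON and lists attribute paths that hold a value under a secret-looking key. It assumes the input has the per-precedence layout printed by `knife node show NODE -l -F json`; the key-name pattern, the function names and the sample node are constructed for illustration.

```ruby
require 'json'

# Key names that suggest a credential (assumed list; extend for your cookbooks).
SECRET_KEY_PATTERN = /(api|application|app)_key|secret|password|token/i

# Attribute precedence levels stored in a saved node object.
LEVELS = %w[default normal override automatic].freeze

# Recursively walk nested attributes and yield [path, value] for every leaf.
def each_leaf(obj, path = [], &block)
  case obj
  when Hash  then obj.each { |k, v| each_leaf(v, path + [k.to_s], &block) }
  when Array then obj.each_with_index { |v, i| each_leaf(v, path + [i.to_s], &block) }
  else block.call(path, obj)
  end
end

# Return dotted attribute paths whose final key looks like a secret and
# whose value is a non-empty string, i.e. material stored on the Chef Server.
def exposed_secret_paths(node_json)
  node = JSON.parse(node_json)
  findings = []
  LEVELS.each do |level|
    each_leaf(node.fetch(level, {}), [level]) do |path, value|
      next unless value.is_a?(String) && !value.empty?
      findings << path.join('.') if path.last =~ SECRET_KEY_PATTERN
    end
  end
  findings
end

# Constructed sample node object; the key values are placeholders, not real keys.
SAMPLE_NODE = <<~JSON
  {
    "name": "web01.example.test",
    "default": { "datadog": { "api_key": "CONSTRUCTED-PLACEHOLDER",
                              "application_key": "CONSTRUCTED-PLACEHOLDER",
                              "agent_version": "7" } },
    "normal": { "tags": [] },
    "override": {},
    "automatic": { "hostname": "web01" }
  }
JSON

puts exposed_secret_paths(SAMPLE_NODE) if __FILE__ == $PROGRAM_NAME
```

Any path this reports means the value is readable by whoever can read node objects on the server, so the key should be rotated as well as removed from the attribute.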