Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

Select Badges

Select Supported Platforms

Select Status

The chef-vault cookbook has been deprecated

Author provided reason for deprecation:

The chef-vault cookbook has been deprecated and is no longer being maintained by its authors. Use of the chef-vault cookbook is no longer recommended.


chef-vault (26) Versions 4.0.3

Installs the chef-vault gem and provides chef_vault_item recipe helper

cookbook 'chef-vault', '~> 4.0.3', :supermarket
cookbook 'chef-vault', '~> 4.0.3'
knife supermarket install chef-vault
knife supermarket download chef-vault
Quality 17%

chef-vault Cookbook

Build Status Cookbook Version

This cookbook provides helper methods to load encrypted data bags that are in
The Vault. It also provides a resource that can be used to store secrets as
a Chef Vault item in a recipe.

As of version 4.0 of the cookbook, we no longer install the chef-vault
gem as this is included in chef-client 13.4+.

Chef Vault is a library originally written by Nordstrom's infrastructure
operations team that helps manage encrypted data bags.


This cookbook should work on any system/platform that is supported by
Chef Infra.

This cookbook is specifically tested on Ubuntu and CentOS platforms
using Test Kitchen. See .kitchen.yml for platforms and test suites.

Helper Methods

This cookbook provides a nice helper method for the Chef Recipe DSL so
you can write:

chef_vault_item("secrets", "dbpassword")

Instead of:

ChefVault::Item.load("secrets", "dbpassword")

This has logic in place to fall back to using data bags if the desired item
isn't encrypted. If the vault item fails to load because of missing vault
metadata (a vaultname_keys data bag), then chef_vault_item will attempt to
load the specified item as a regular Data Bag Item with
Chef::DataBagItem.load. This is intended to be used only for testing, and
not as a fall back to avoid issues loading encrypted items.

This cookbook also provides a handy wrapper if you are storing multiple
environment settings within your encrypted items. Using this following
item = chef_vault_item_for_environment('secrets', 'passwords')

Instead of (or any combination of such expression):
item = chef_vault_item('secrets', 'passwords')[node.chef_environment]

In addition, you can list the items in a vault using the chef_vault() method.
It is advised to use this method instead of data_bag(), because the latter
returns the keys in addition to the items themselves. This method prevents you
from having to parse out the keys.
items = chef_vault('secrets')
item = chef_vault_item('secrets',item[0])


  • node['chef-vault']['version'] - Specify a version of the chef-vault gem if required. Default is ~> 2.2, as that version was used for testing.



The chef_vault_secret resource can be used in recipes to store
secrets in Chef Vault items. Where possible and relevant, this
resource attempts to map behavior and functionality to the knife


The actions generally map to the knife vault sub-commands, with an
exception that create does an update, because the resource enforces
declarative state. To get the knife vault create behavior, use

  • :create - Default action. Creates the item, or updates it if it already exists.
  • :create_if_missing - Calls the create action unless it exists.
  • :delete - Deletes the item and the item's keys ("id"_keys).


  • id - Name attribute. The name of the data bag item.
  • data_bag - Required. The data bag that contains the item.
  • admins - A list of admin users who should have access to the item. Corresponds to the "admin" option when using the chef-vault knife plugin. Can be specified as a comma separated string or an array. See examples, below.
  • clients - A search query for the nodes' API clients that should have access to the item.
  • search - Search query that would match the same used for the clients, gets stored as a field in the item.
  • raw_data - The raw data, as a Ruby Hash, that will be stored in the item. See examples, below.

At least one of admins or clients should be specified, otherwise
nothing will have access to the item.


From the test cookbook embedded in this repository.

chef_vault_secret 'clean-energy' do
  data_bag 'green'
  raw_data({'auth' => 'Forged in a mold'})
  admins 'hydroelectric'
  search '*:*'

Assuming that the green data bag exists, this will create the
clean-energy item as a ChefVault encrypted item, which also creates
clean-energy_keys that has the list of admins, clients, and the
shared secrets. For example, the content looks like this in plaintext:

  "id": "clean-energy",
  "auth": {
    "encrypted_data": "y+l7H4okLu4wisryCaIT+7XeAgomcdgFo3v3p6RKWnXvgvimdzjFGMUfdGId\nq+pP\n",
    "iv": "HLr0uyy9BrieTDmS0TbbmA==\n",
    "version": 1,
    "cipher": "aes-256-cbc"

And the encrypted data decrypted using the specified client:

$ knife vault show green clean-energy -z -u hydroelectric -k clients/hydroelectric.pem
auth: Forged in a mold
id:   clean-energy

Another example, showing multiple admins allowed access to an item
using a comma-separated string, or an array:

chef_vault_secret 'root-password' do
  admins 'jtimberman,paulmooring'
  data_bag 'secrets'
  raw_data({'auth' => 'DontUseThisPasswordForRoot'})
  search '*:*'
chef_vault_secret 'root-password' do
  admins ['jtimberman', 'paulmooring']
  data_bag 'secrets'
  raw_data({'auth' => 'DontUseThisPasswordForRoot'})
  search '*:*'

Internally, the provider will convert the admins array to a
comma-delimited string.

When using the chef_vault_secret resource, the data_bag must exist
first. If it doesn't, you can create it in your recipe with a

  ruby_block "create-data_bag-secrets" do
    block do
      databag ='secrets')
    action :create

Or, use the cheffish gem, which provides resources for Chef objects
(nodes, roles, data bags, etc):

chef_data_bag 'secrets'

Note that there is a bug in versions of cheffish prior to 0.5.beta.3.
Also, cheffish requires the openssl-pkcs8 gem, which has C
extensions, so openssl development headers and C build tools need to
be installed. To use this, you can create a recipe like the one in
the [test cookbook](test/fixtures/cookbooks/test/recipes/chef_vault_secret.rb).


Include the recipe before using the Chef Vault library in recipes.

include_recipe 'chef-vault'
secret_stuff = ChefVault::Item.load("secrets", "a_secret")

Or, use the helper library method:

secret_stuff = chef_vault_item("secrets", "a_secret")

If you need a specific version of the chef-vault RubyGem, then
specify it with the attribute, node['chef-vault']['version'].

To use the chef_vault_secret resource in your cookbooks' recipes,
declare a dependency on this cookbook, and then use the resource as
described in the Examples above.


This repository contains a CONTRIBUTING file that describes the
contribution process for Chef cookbooks.

License and Authors

  • Author: Joshua Timberman
  • Copyright (c) 2013-2019 Chef Software, Inc.
  • Copyright (c) 2014, 2015 Bloomberg Finance L.P.

License:: Apache License, Version 2.0

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
See the License for the specific language governing permissions and
limitations under the License.

Dependent cookbooks

This cookbook has no specified dependencies.

Contingent cookbooks

an_minimart Applicable Versions
askbot Applicable Versions
awscreds Applicable Versions
azure_pipelines_agent_macos Applicable Versions
cerner_splunk Applicable Versions
certificate Applicable Versions
chef-secrets Applicable Versions
chef-splunk Applicable Versions
chef-splunk-windows Applicable Versions
chef_vault_try_notify Applicable Versions
chef_vault_users Applicable Versions
cobbpass Applicable Versions
cockpit Applicable Versions
consul Applicable Versions
database_application Applicable Versions
django_platform Applicable Versions
drone Applicable Versions
duo-unix Applicable Versions
encrypted_blockdevice Applicable Versions
encrypted_volume Applicable Versions
f5-bigip Applicable Versions
file-vault Applicable Versions
ghost Applicable Versions
git_dwk Applicable Versions
gitlab-vault Applicable Versions
hashicorp-vault Applicable Versions
http_platform Applicable Versions
jenkins-server Applicable Versions
jmccann-docker-host Applicable Versions
lxc-web-panel Applicable Versions
mapr Applicable Versions
msodbcsql Applicable Versions
mw_server_base Applicable Versions
nessus Applicable Versions
netrc Applicable Versions
no-ip Applicable Versions
op5_manage Applicable Versions
opendkim-milter Applicable Versions
opsview Applicable Versions
pacemaker Applicable Versions
paramount Applicable Versions
pbis-open Applicable Versions
percona Applicable Versions
postfix-dovecot Applicable Versions
r1337-certmanage Applicable Versions
rancher-ha Applicable Versions
realmd-sssd Applicable Versions
rotate-passwords Applicable Versions
secrets_management Applicable Versions
snipe-it Applicable Versions
snipeit_api Applicable Versions
ssl-key-vault Applicable Versions
ssl-vault Applicable Versions
sssd_ad Applicable Versions
supermarket Applicable Versions
teampass Applicable Versions
uchiwa Applicable Versions
vsts_agent_macos Applicable Versions


This file is used to list changes made in each version of the chef-vault cookbook.

4.0.3 (2020-08-13)

  • Add resource_name in addition to provides - @tas50

4.0.2 (2020-06-02)

  • Cookstyle fixes including Chef Infra Client 16 compatibility - @xorimabot
    • resolved cookstyle error: resources/secret.rb:3:1 warning: ChefDeprecations/ResourceUsesOnlyResourceName
    • resolved cookstyle error: resources/secret.rb:11:44 refactor: ChefRedundantCode/StringPropertyWithNilDefault

4.0.0 (2020-01-02)

This cookkbook now requires Chef Infra Client 13.4+, which ships with the chef-vault gem out of the box. Since the gem is included out of the box we now skip the gem installation via the cookbook.

3.1.2 (2020-01-02)

This release restores compatibility with Chef releases before 13.x by installing chef-vault gem 3.x and removing the usage of .match? in the helper library. If you're on Chef 12 it is beyond time to upgrade. Chef 12 went EOL April 2018 and includes Ruby 2.3 which went EOL March 2019. Since that time multiple CVEs have come out in Ruby, openSSL, and several other libraries that are used by the chef-client. If you or your business value security then upgrade.

3.1.1 (2018-08-16)

  • Documenting the chef_vault() method
  • Fix Chef14 compatibility for chef_vault_secret resource

3.1.0 (2018-04-29)

  • Remove compat_resource dependency that isn't used anymore
  • Add "any" supports in metadata since this cookbook works on any platform
  • Remove ChefSpec matchers since ChefSpec auto generates these now

3.0.0 (2017-06-02)

  • Convert the LWRP to a custom resource and require Chef 12.9 or later
  • Use a SPDX standard license string
  • Resolve foodcritic warnings
  • Switch testing to local delivery from Rake
  • Update the readme with proper links to the chef-vault project

2.1.1 (2016-10-18)

  • Fixes deletion of items using chef_vault_secret resource

2.1.0 (2016-10-14)

  • Remove chef 11 compatibility in chef_gem usage
  • adding options attribute to the chef_gem resource

2.0.0 (2016-09-16)

  • Avoid deprecation notices
  • Add chef_version metadata
  • Testing updates
  • Require Chef 12.1

v1.3.3 (2016-03-14)

  • Restore Chef 11 compatibility
  • Fix installing chef-vault gems from a custom source
  • Fix uninitialized constant error

v1.3.2 (2015-10-22)

  • Adding Chef 11 guards on provides methods

v1.3.1 (2015-09-30)

  • Refactor of the chef-vault resource, adding environment property
  • Various test fixes

v1.3.0 (2015-04-09)

  • 28, Fixes chef vault item loading and regular data bag fallback
  • 24, Add ability to specify source for chef-vault gem installation

v1.2.5 (2015-03-19)

  • 22, fixes chef_gem compile time usage, also in conjunction with chef-sugar and Chef 11

v1.2.4 (2015-02-18)

  • ripping out the chef_gem compile_time stuff

v1.2.3 (2015-02-18)

  • chef_gem Chef::Resource::ChefGem.method_defined?(:compile_time)

v1.2.2 (2015-02-18)

  • Fixing chef_gemc for Chef below 12.1.0

v1.2.1 (2015-02-17)

  • Being explicit about usage of the chef_gem's compile_time property.
  • Eliminating future deprecation warnings in Chef 12.1.0.

v1.2.0 (2015-02-04)

  • COOK-4672: Make the library helper into a module instead of adding into Chef::Recipe
  • Prevent variable masking
  • Fix inverted existence check for current_resource

v1.1.5 (2014-09-25)

  • Adding ChefVault::Exceptions::SecretDecryption exception handling

v1.1.4 (2014-09-12)

  • Fix loading of current resource in chef_vault_secret (Nathan Huff)
  • Allow chef_vault_item to fall back to plain data bags
  • Set default version of chef-vault gem to one required by libraries

v1.1.2 (2014-06-02)


  • COOK-4591 - resource to create chef-vault-encrypted-items in recipes

v1.1.0 (2014-06-02)

  • [COOK-4591]: add a resource to create chef-vault-encrypted-items in recipes

v1.0.4 (2014-01-14)

  • Provide an fallback to regular data bag item loading when a "development mode" attribute is set.

v1.0.2 (2013-09-10)

  • Add Chef::Recipe helper method (chef_vault_item)

v1.0.0 (2013-09-10)

  • Initial Release

Collaborator Number Metric

4.0.3 failed this metric

Failure: Cookbook has 1 collaborators. A cookbook must have at least 2 collaborators to pass this metric.

Contributing File Metric

4.0.3 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of, and your repo must contain a file

Cookstyle Metric

4.0.3 failed this metric

Chef/Correctness/IncorrectLibraryInjection: Libraries should be injected into the Chef::DSL::Recipe class and not Chef::Recipe or Chef::Provider classes directly. ( chef-vault/libraries/helpers.rb: 79
Chef/Correctness/IncorrectLibraryInjection: Libraries should be injected into the Chef::DSL::Recipe class and not Chef::Recipe or Chef::Provider classes directly. ( chef-vault/libraries/helpers.rb: 81
Chef/Deprecations/ResourceWithoutUnifiedTrue: Set `unified_mode true` in Chef Infra Client 15.3+ custom resources to ensure they work correctly in Chef Infra Client 18 (April 2022) when Unified Mode becomes the default. ( chef-vault/resources/secret.rb: 1

Run with Cookstyle Version 7.32.1 with cops Chef/Deprecations,Chef/Correctness,Chef/Sharing,Chef/RedundantCode,Chef/Modernize,Chef/Security,InSpec/Deprecations

No Binaries Metric

4.0.3 passed this metric

Testing File Metric

4.0.3 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of, and your repo must contain a file

Version Tag Metric

4.0.3 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of, and your repo must include a tag that matches this cookbook version number