
Is it possible to add a node object as an ADMIN to chef-vault? I was able to add it, but when I tried to refresh the vault item using the node's [nithin-desktop.nithinsworld.com] pem key, it failed saying `Response: missing update permission`.

$ knife data bag show nithin_test1 db-secrets_keys
WARNING: Unencrypted data bag detected, ignoring any provided secret options.
admins:
  nithin
  nithin-desktop.nithinsworld.com
clients:                         nithin-workstation.nithinsworld.com
id:                              db-secrets_keys
mode:                            default
...
...
...

From nithin-desktop.nithinsworld.com:

sudo knife vault refresh nithin_test1 db-secrets -M client -c /etc/chef/client.rb -V
INFO: Using configuration from /etc/chef/client.rb 
WARN: The default key for nithin-desktop.nithinsworld.com not found in users, trying client keys.
ERROR: You authenticated successfully to https://sandbox.chef.access.nithinsworld.com/organizations/nithins-testing as nithin-desktop.nithinsworld.com but you are not authorized for this action.
Response:  missing update permission
nithin sunny

1 Answer


You need to tweak your ACLs to give the provisioning node write access to the relevant data bag and items. By default, node clients (as opposed to human clients and users) do not get permissions to write to most object types, for security reasons. You can use the knife-acl gem to edit the server ACLs.

coderanger
  • Tried updating the ACLs, but still the same error during vault refresh: `knife acl add group provisioners data nithin_test1 create,read,update,delete` – nithin sunny Jan 22 '18 at 13:26
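Added example, not code from the question, the answer, or the chef-vault/knife-acl projects: a small Ruby model of the Chef Server object ACL check (actors plus groups per permission, in the shape `knife acl show` displays), illustrating one way the comment's group grant can leave the node client without update permission, namely when the client is not a member of the granted group. The ACL contents and group membership are constructed sample data; only the object and group names come from the page.

```ruby
# Added example: models how a Chef Server object ACL decides whether an actor
# may act on a data bag, so "missing update permission" can be traced to the
# ACL layer rather than to the chef-vault admins list. ACL shape mirrors
# `knife acl show` output (one entry per permission, with actors and groups).
# Names like provisioners and nithin_test1 come from the page; the ACL
# contents and group membership below are constructed sample data.

# Constructed ACL for data bag nithin_test1 after the commenter's
# `knife acl add group provisioners data nithin_test1 create,read,update,delete`.
SAMPLE_ACL = {
  'create' => { 'actors' => %w[nithin], 'groups' => %w[admins provisioners] },
  'read'   => { 'actors' => %w[nithin], 'groups' => %w[admins provisioners clients] },
  'update' => { 'actors' => %w[nithin], 'groups' => %w[admins provisioners] },
  'delete' => { 'actors' => %w[nithin], 'groups' => %w[admins provisioners] },
  'grant'  => { 'actors' => %w[nithin], 'groups' => %w[admins] },
}.freeze

# Constructed group membership: the node client belongs to "clients" only, so
# granting the provisioners group changes nothing for it until it is a member.
SAMPLE_GROUPS = {
  'admins'       => %w[nithin],
  'provisioners' => %w[nithin-workstation.nithinsworld.com],
  'clients'      => %w[nithin-workstation.nithinsworld.com nithin-desktop.nithinsworld.com],
}.freeze

# Operations the refresh in the question performs on the bag: read the item
# and its _keys item, then write the re-encrypted _keys item (update).
VAULT_REFRESH_NEEDS = %w[read update].freeze

# True when actor is granted perm directly or through any listed group.
def permitted?(acl, groups, actor, perm)
  entry = acl.fetch(perm)
  return true if entry['actors'].include?(actor)
  entry['groups'].any? { |g| groups.fetch(g, []).include?(actor) }
end

# Permissions from required that actor lacks; an empty array means allowed.
def missing_permissions(acl, groups, actor, required = VAULT_REFRESH_NEEDS)
  required.reject { |perm| permitted?(acl, groups, actor, perm) }
end

# Copy of the group table with actor added to group_name (idempotent).
def add_to_group(groups, group_name, actor)
  groups.merge(group_name => groups.fetch(group_name, []) | [actor])
end

node = 'nithin-desktop.nithinsworld.com'
puts "before: missing #{missing_permissions(SAMPLE_ACL, SAMPLE_GROUPS, node).inspect}"
fixed = add_to_group(SAMPLE_GROUPS, 'provisioners', node)
puts "after:  missing #{missing_permissions(SAMPLE_ACL, fixed, node).inspect}"
```

Against a real server, compare `knife acl show data nithin_test1` and `knife group show provisioners` with this model; a grant to a group the client is not in, or one made to a different object, leaves update missing just as the sample does.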