From 377ba8443e42dcb002158bb489cb504dc67efc18 Mon Sep 17 00:00:00 2001 From: "Marc A. Paradise" Date: Thu, 26 Aug 2021 13:06:09 -0400 Subject: Add support for secrets stored in HashiCorp Vault Vault secrets are stored as key-value pairs, so the return value from a secret lookup is always a Hash. Example: ``` file "/home/user/test1" do content secret(name: "secret/example", service: :hashi_vault, config: { vault_addr: "vault.example.com", role_name: "example-role" })[:answer] end ``` As shown above, we are expecting a hash from Vault, and are populating the file content based on the value of `:answer` in that hash. Limitations: * This iteration only supports instance authentication via a Vault role connected to an IAM profile. * This iteration does not support versioned secrets Signed-off-by: Marc A. Paradise --- chef.gemspec | 1 + 1 file changed, 1 insertion(+) (limited to 'chef.gemspec') diff --git a/chef.gemspec b/chef.gemspec index 0f278fff8f..936a9dfd91 100644 --- a/chef.gemspec +++ b/chef.gemspec @@ -56,6 +56,7 @@ Gem::Specification.new do |s| s.add_dependency "proxifier", "~> 1.0" s.add_dependency "aws-sdk-secretsmanager", "~> 1.46" + s.add_dependency "vault", "~> 0.16" # hashi vault official client gem s.bindir = "bin" s.executables = %w{ } -- cgit v1.2.1
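Review bot: the new `s.add_dependency "vault", "~> 0.16"` line in chef.gemspec uses a constraint that resolves to `>= 0.16, < 1.0`, so any later 0.x minor release of the client that handles Vault authentication and secret retrieval will be pulled in without a change to this file. For a pre-1.0 gem, a minor bump can change behaviour. If only patch updates are intended, `"~> 0.16.0"` states that. If the wider range is deliberate, to match the `"~> 1.46"` style used for `aws-sdk-secretsmanager` on the line above, a short comment saying so would help the next reader. Also note that `add_dependency` makes this a runtime dependency for every install of the gem, including nodes that never use `service: :hashi_vault`. Since the commit message scopes this iteration to IAM-backed instance authentication, it is worth confirming that the added footprint is acceptable for all users, or noting in the trailing comment why the gem is required unconditionally.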