
Comments (6)

eklein avatar eklein commented on July 19, 2024 1

tl;dr: the client key you're using in your knife config HAS to be listed as a client (matched with the -S search parameter) OR an admin to be able to modify the data bag item. You can create a vault item and then not be able to modify or even view it if you aren't listed as a client or admin for that vault item. That is how this tool functions and is designed.

More information is below.

I can assure you that the admins parameter is NOT required.

I just tested the scenario you're describing.

void is my workstation with knife client 'eklein'
client1 is another workstation with knife client 'client1'

void$ knife vault create eklein foo '{ "foo": "bar" }' -S 'name:client1'

When logged into the host that corresponds to client1, I ran:

client1$ knife vault show eklein foo -p all -Fj
{
  "id": "foo",
  "foo": "bar",
  "search_query": "name:client1",
  "admins": [

  ],
  "clients": [
    "client1"
  ]
}

I then edited the databag and changed bar to bar1 via:

client1$ knife vault edit eklein foo

It succeeded, giving this data output:

client1$ knife vault show eklein foo -p all -Fj
{
  "id": "foo",
  "foo": "bar1",
  "search_query": "name:client1",
  "admins": [

  ],
  "clients": [
    "client1"
  ]
}

I can also run knife vault update:

client1$ knife vault update eklein foo '{ "bar": "foo" }'
client1$ knife vault show eklein foo -p all -Fj
{
  "id": "foo",
  "foo": "bar1",
  "bar": "foo",
  "search_query": "name:client1",
  "admins": [

  ],
  "clients": [
    "client1"
  ]
}

Please note admins is empty.

If I try to view this data as my own username (or anyone else who isn't listed as a client or admin), it fails like this:

void$ knife vault show eklein foo -Fj
ERROR: ChefVault::Exceptions::SecretDecryption: eklein/foo is not encrypted with your public key.  Contact an administrator of the vault item to encrypt for you!

from chef-vault.

eklein avatar eklein commented on July 19, 2024

This error is due to the fact that the key you're using isn't authorized as a client or an admin to access this chef-vault databag. Doesn't necessarily indicate that you need to specify an admin.


techish-io avatar techish-io commented on July 19, 2024

I totally understand!

The reason I raised this issue is that I want --ADMINS to be a mandatory param so that "knife vault create" throws an error if you don't provide --ADMINS.

On 30 Jan 2014, at 10:54, Eli Klein [email protected] wrote:

This error is due to the fact that the key you're using isn't authorized as a client or an admin to access this chef-vault databag.



techish-io avatar techish-io commented on July 19, 2024

Thanks mate for explanation. I got it now.

The missing link was that I thought I needed to add the 'client' as the --ADMINS value in addition to the -S option to be able to manage it from the client. Now I get that if you don't have --ADMINS you can still manage it from the client as long as the client is provided via the -S option.


eklein avatar eklein commented on July 19, 2024

Awesome, very happy to have helped!


jgeiger avatar jgeiger commented on July 19, 2024

I added a comment to #84.
The command line for admin shouldn't be mandatory; it should just happen behind the scenes.

Your example is correct and it's still possible to get access, but I think it's not the expected thing.
It would be nice to lower the barrier of entry for this and just ensure the person who created the vault automatically has access to it.

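Added example (not code from chef-vault or from anyone in this thread) covering both points above: the access rule eklein describes (a key decrypts the item only if it is in "clients", populated by -S, or in "admins") applied to the `knife vault show -p all -Fj` output, and jgeiger's suggestion of making sure the creator is always listed. `vault_access` and `vault_create_args` are hypothetical helper names; the sample JSON is constructed from the output shown in the thread.

```ruby
require 'json'

# Constructed sample: the item metadata printed by
# `knife vault show eklein foo -p all -Fj` above (no admins, one client).
SAMPLE_ITEM = <<~JSON
  { "id": "foo", "foo": "bar", "search_query": "name:client1",
    "admins": [], "clients": ["client1"] }
JSON

# Returns :admin, :client or nil for the given knife key name.
# Only a name in "clients" (from the -S search) or "admins" holds a
# copy of the item's shared secret, so only those keys can show/edit it.
def vault_access(item_json, key_name)
  item = JSON.parse(item_json)
  return :admin  if Array(item['admins']).include?(key_name)
  return :client if Array(item['clients']).include?(key_name)
  nil
end

# Human-readable outcome matching the thread: the creator 'eklein' is
# neither client nor admin here and so cannot decrypt its own item.
def access_report(item_json, key_name)
  role = vault_access(item_json, key_name)
  role ? "#{key_name}: #{role}" : "#{key_name}: not encrypted for this key"
end

# Builds a `knife vault create` argv that always carries --admins.
# If the caller passes no admins, the creating user is used, so the
# creator keeps access to the item (what jgeiger asks for).
def vault_create_args(vault, item, data, search:, creator:, admins: nil)
  admins = Array(admins)
  admins = [creator] if admins.empty?   # hypothetical default, not knife's
  ['knife', 'vault', 'create', vault, item, data,
   '-S', search, '--admins', admins.join(',')]
end

if __FILE__ == $PROGRAM_NAME
  puts access_report(SAMPLE_ITEM, 'client1')
  puts access_report(SAMPLE_ITEM, 'eklein')
  puts vault_create_args('eklein', 'foo', '{ "foo": "bar" }',
                         search: 'name:client1', creator: 'eklein').join(' ')
end
```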
