Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

Select Badges

Select Supported Platforms

Select Status


chef-secrets (13) Versions 0.8.0

Installs/Configures chef-vault with helpers

cookbook 'chef-secrets', '= 0.8.0', :supermarket
cookbook 'chef-secrets', '= 0.8.0'
knife supermarket install chef-secrets
knife supermarket download chef-secrets
Quality 50%

chef-secrets cookbook

This cookbook aims to ease chef-vault interaction by providing additional helpers, and testing the functionality on a Linux and Windows box.

More info about chef-vault:

Usage pattern (with wrapper cookbooks)

Let us say you are using a cookbook that requires you to set a password in an attribute. This attribute is usually set in a wrapper cookbook which includes the original cookbook. By including this cookbook as well, you can set the attribute in the wrapper cookbook's attribute file like this:

secret['cookbook']['password'] = chef_vault_item_or_default('vault', 'item')

This will set the attribute default['cookbook']['password'] to the item from the vault. It will also set the attribute to SECRET at the end of the Chef run, therefore ensuring that the Chef Server will not contain the password in plaintext. If the item in the vault does not exist it will fail.

If you would like to default to a value in a testing environment, you can use the chef_secrets attributes namespace:

default['chef_secrets']['vaultX']['itemY'] = 'fake_secret'
secret['cookbook']['password'] = chef_vault_item('vaultX', 'itemY')

# use it anywhere with node['cookbook']['password']['key']


Accessing many secrets on high latency links can be very long.
chef_vault_item_or_default helper is able to cache for a few hours decrypted value on chef cache.

Call it with chef_vault_item_or_default('vault', 'item', fallback, true).

Cached entry has a TTL set randomly between 1 and 12 hours. This is to avoid refreshing all secrets at the same time (defeating the purpose of having caching).

Secret attributes


Secret attributes are node attributes that are available only during the Chef run, but set to SECRET when saved and uploaded to the Chef Server. These attributes are actually default node attributes set through a helper method, so you may access them as you would access any default node attribute.


Set a secret in cookbook attributes:

secret['cookbook']['password'] = 'SuperSecretPassword'

Read it anywhere like a default node attribute:"This is my password: #{node['cookbook']['password']}")

Note: Please don't accidentally save your secrets in the Chef log file :)

Call stack

When called with this syntax

secret['cookbook']['password'] = 'SuperSecretPassword'

actually calls

chef_secret_attribute_set(['cookbook', 'password'], 'SuperSecretPassword')

which in turn sets

default['cookbook']['password'] = 'SuperSecretPassword'

and will be cleared at the end by

chef_secret_attribute_clear(['cookbook', 'password'])

which sets

default['cookbook']['password'] = 'SECRET'

Additional chef-vault helpers


Get an item from the vault, or default to value if if the vault or item does not exist. If the default value is not specified, it will fail the Chef run.

chef_vault_item_or_default('vault', 'item', 'default') 

Note: A chef-vault item will always be a hash, so it may be better to set the default value to a similar hash as well.


Return true if item is a vault item. Note that unlike ChefVault::Item.vault?, this method returns false if the data bag does not exist.

chef_vault_item_is_vault?('vault', 'item')

Mocking Vault items for testing environment

Vault items are encrypted data-bags, to ease their testing in Test-kitchen and ChefSpec, you can define mock values via the chef_secrets attributes.

default['chef_secrets']['fake']['secret'] = 'password')
secret['user']['password'] = chef_vault_item('fake', 'secret')

For Test-Kitchen it's better to setup the vault attribute in the kitchem.yml.

  name: chef_zero

- name: centos-7

- name: default
  - recipe[XXX]
          user: password

Dependent cookbooks

chef-vault ~> 2.1

Contingent cookbooks

There are no cookbooks that are contingent upon this one.

Collaborator Number Metric

0.8.0 passed this metric

Contributing File Metric

0.8.0 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of, and your repo must contain a file

Foodcritic Metric

0.8.0 failed this metric

FC066: Ensure chef_version is set in metadata: chef-secrets/metadata.rb:1
FC067: Ensure at least one platform supported in metadata: chef-secrets/metadata.rb:1
Run with Foodcritic Version 14.3.0 with tags metadata,correctness ~FC031 ~FC045 and failure tags any

No Binaries Metric

0.8.0 passed this metric

Testing File Metric

0.8.0 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of, and your repo must contain a file

Version Tag Metric

0.8.0 passed this metric