Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

Select Badges

Select Supported Platforms


vlt (4) Versions 0.2.0

Chef helper lib to read secrets from HashiCorp's Vault

cookbook 'vlt', '= 0.2.0'
cookbook 'vlt', '= 0.2.0', :supermarket
knife supermarket install vlt
knife supermarket download vlt
Quality 75%

vlt cookbook

Chef helper lib to read secrets from HashiCorp's Vault


This cookbook provides a set of utilities to obtain secrets stored in Vault's K/V version 2 secret engine. Each Chef node is authenticated with an AppRole method. Credentials are supposed to be stored on a Chef node in a JSON file at /etc/vault.json:

  "address": "https://vault.acme.corp:8200",
  "token": "s.a9fgfdgg....",
  "approle": "database"


vlt =

template '/etc/myapp' do
  source 'myapp.conf.erb'
  templates lazy {
      db_user:'production/app_credentials', prefix: 'postgres', key: 'user'),
      db_password:'production/app_credentials', prefix: 'postgres', key: 'password')

The sample above will do the following: 1. Read credentials stored in etc/vault.json file. 2. Authenticate on the Vault server at <address> using <token> and claim a Vault-defined role <approle>. 3. Read a secret at postgres/data/production/app_credentials and obtain 2 keys, namely user and password, from it.


list secrets

Secrets can be listed within a specific path:

vlt.list('certificate', prefix: 'tls')

The sample above will list secret names at tls/metadata/certificate.

default prefix

One can specify a default prefix in ::Vlt::Client constructor:

vlt =, default_prefix: 'postgres')

exception handling

By default, read and list calls throw an exception if the specified path does not exist or the policy associated with the claimed <approle> provides insufficient permissions. This behaviour may not be suitable for every use case and can be overriden with raise_err option:'certificate/app', prefix: 'tls', raise_err: false)  # returns nil is the secret does not exist

store & obtain credentials

Default ::Vlt::file_auth_provider is a Ruby lambda function which reads JSON at /etc/vault.json and returns a tuple (<address>, <token>, <approle>). One may use their own scheme to store credentials and provide a function to obtain them:

def custom_vault_auth
  lambda do
    # do something to obtain Vault credentials
    return <address>, <token>, <approle>

vlt =


MIT @ Alexander Pyatkin

Dependent cookbooks

This cookbook has no specified dependencies.

Contingent cookbooks

There are no cookbooks that are contingent upon this one.


All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

[0.2.0] - 2020-09-28


  • Add ::Vlt::Client.list method.
  • Add README file.

[0.1.1] - 2020-09-25




  • Include chef_version and supports to cookbook metadata.

[0.1.0] - 2020-09-25

First appearance in public.


Collaborator Number Metric

0.2.0 failed this metric

Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.

Contributing File Metric

0.2.0 passed this metric

Foodcritic Metric

0.2.0 passed this metric

No Binaries Metric

0.2.0 passed this metric

Publish Metric

0.2.0 passed this metric

Supported Platforms Metric

0.2.0 passed this metric

Testing File Metric

0.2.0 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of, and your repo must contain a file

Version Tag Metric

0.2.0 passed this metric