How can we improve Chef?

Add an ability to temporarily suspend organization and client keys

The use case is primarily on hosted.

There are times when we want to "suspend" an organization or client key similar to how AWS allows you to deactivate an access/secret key pair.

The idea is to be able to create a new key, use the new key while you rotate through your infrastructure but still allow for the existing key to be used.

Finally you can 'deactivate' the old key but it still exists (and see if stuff breaks).

After a burn-in period then you can delete the old key.

This helps if you want to rotate the key but need to gracefully rotate it throughout your infrastructure.

2 votes
    JM Ong shared this idea

    1 comment

      • Megan Gleason (Director of Product, Chef Software) commented

        Thank you for the feedback, and sorry for the delayed response. With multi-key support this is currently possible. You can issue a new set of keys for all clients and users via the API (no direct tooling exists, but a knife script could do it).

        You can also set expiration dates on keys so that they are not accepted beyond a specific date. This would meet the other part of this - setting a key to be expired would effectively disable it while keeping it in the system.
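
The rotation discussed in this thread (add a second key, run both, expire the old one for a burn-in, then delete it), as an added example that is not part of the original idea or comment and is not Chef's code. It is a local Ruby model only: the `KeyRing` class, its method names, the `node-a`/`node-b` clients and the `default`/`rotated` key names are hypothetical, and the `expiration_date` field with its `"infinity"` value is an assumption about how the server represents a key that never expires.

```ruby
require "time"
# Local model of per-client multi-key rotation; no Chef Server is contacted.
# Assumption: "expiration_date" and "infinity" mirror the server's key objects.
class KeyRing
  Key = Struct.new(:name, :expiration_date)

  def initialize
    @keys = Hash.new { |h, client| h[client] = {} }
    @last_used = {}
  end

  def add(client, name, expiration_date = "infinity")
    @keys[client][name] = Key.new(name, expiration_date)
  end

  # "Suspend": expire the key at `at` but keep the record for the burn-in.
  def suspend(client, name, at)
    @keys[client].fetch(name).expiration_date = at.getutc.iso8601
  end

  # Roll back a suspension if something breaks during the burn-in.
  def restore(client, name)
    @keys[client].fetch(name).expiration_date = "infinity"
  end

  def delete(client, name)
    @keys[client].delete(name)
  end

  # A key authenticates only if it exists and has not expired at time `at`.
  def accepted?(client, name, at)
    key = @keys[client][name]
    return false if key.nil?
    ok = key.expiration_date == "infinity" || at < Time.iso8601(key.expiration_date)
    @last_used[client] = name if ok
    ok
  end

  # Clients whose latest successful request still used key `name`.
  def still_using(name)
    @last_used.select { |_c, used| used == name }.keys.sort
  end
end

# Constructed walk-through: node-b has not picked up its rotated key yet.
RING = KeyRing.new
%w[node-a node-b].each { |c| %w[default rotated].each { |k| RING.add(c, k) } }
RING.accepted?("node-a", "rotated", Time.utc(2024, 1, 1))
RING.accepted?("node-b", "default", Time.utc(2024, 1, 1))
p RING.still_using("default")
```

Checking `still_using` before calling `suspend` shows which clients would fail authentication, and `restore` is the rollback that deleting the key outright would not allow.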
