chef-vault not creating vaults but creating simple data bags #220

Open
ghost opened this issue Aug 9, 2016 · 10 comments

@ghost

ghost commented Aug 9, 2016

I am trying to create a chef-vault to store some passwords using the command below:

knife vault create revsecrets revpass -A "rev-validator,node1,node2,node3" -J data_bags/revpass.json -M client

Where revpass.json contains:

{ "oracle_pass":"welcome1", "ora_db_passwd":"Welcome1", "weblogic_pass":"welcome1"}

I have 3 clients:

# knife client list
node1
node2
node3
rev-validator

But now, while trying to access the vault, it's saying no vault:

# knife vault list

Returns nothing.

And :

Trying to refresh (says vault does not exist):

# knife vault refresh revsecrets revpass
ERROR: ChefVault::Exceptions::ItemNotFound: revsecrets/revpass does not exist, use 'knife vault create' to create.

Trying to recreate (says it already exists):

# knife vault create revsecrets revpass -A "rev-validator,node1,node2,node3" -J data_bags/revpass.json -M client
ERROR: ChefVault::Exceptions::ItemAlreadyExists: revsecrets/revpass already exists, use 'knife vault remove' 'knife vault update' or 'knife vault edit' to make changes.

I am not able to figure out what the issue is here, or maybe it is a bug?

Versions:

ruby --version
ruby 1.8.7 (2013-06-27 patchlevel 374) [x86_64-linux]
knife --version
Chef: 12.4.1
/opt/chef/embedded/bin/gem list chef-vault

*** LOCAL GEMS ***

chef-vault (2.9.0)

@thommay
Contributor

thommay commented Aug 9, 2016

So you seem to be using -M client in some commands but not in others. If you use it consistently, does the problem go away?
Also, you're using a really old version of chef; we've fixed a lot of bugs since 12.4, so if you can upgrade you should.

@powellchristoph

I am experiencing this problem myself.

@thommay
Contributor

thommay commented Oct 5, 2016

@powellchristoph same questions to you - are you using -M client, what version of chef, chef-vault, etc. And some output of your knife commands would help.

@powellchristoph

I am not using the -M client command.

$ knife --version
Chef: 12.7.2
$ gem list | grep vault
chef-vault (2.9.0)
$ ruby --version
ruby 2.1.1p76 (2014-02-24 revision 45161) [x86_64-darwin12.0]

@thommay
Contributor

thommay commented Oct 5, 2016

@powellchristoph so what is actually happening, are you expecting vaults on a chef server or locally?

@xamebax

xamebax commented Mar 14, 2017

This issue is still open, so I decided to share what worked for me. Colleague had the same problem (without using the -M flag). Uploading the vault files to the chef server using $ knife upload data_bags/$VAULT_NAME fixed the issue: the item showed when calling $ knife vault list and was accessible afterwards. Although, I'm a bit confused as to why it seems necessary to additionally upload the files to the server if the vault item was created using the command line.

@kenmacleod

kenmacleod commented Apr 28, 2017

I ran into this issue and realized I didn't have knife[:vault_mode] = 'client'. The confusing behavior is that it "works" (as client) without -J but with -J it needs the vault mode to be set to 'client'.

@raju-divakaran

This used to work without mentioning the vault_mode in knife.rb, like a week back or so.

The version I am using is

$ chef --version
Chef Development Kit Version: 1.2.22
chef-client version: 12.18.31
delivery version: master (0b746cafed65a9ea1a79de3cc546e7922de9187c)
berks version: 2017-08-08T14:45:55.613056 52781] 2017-08-08T14:45:55.613410 52781] 2017-08-08T14:45:55.613531 52781] 2017-08-08T14:45:55.613677 52781] 2017-08-08T14:45:55.644053 52781] 2017-08-08T14:45:55.644183 52781] 5.6.0
kitchen version: 1.15.0

$ knife --version
Chef: 12.18.31

Thanks for the suggestion @kenmacleod, it works after mentioning vault_mode.

@mcaulifn

I am having the same issue. Vaults are created as separate data bags.

PS C:\chef-repo>knife vault create auth bind_data -J .\ad_auth.json -A nmcauliffe -M client
PS C:\chef-repo>knife vault list

PS C:\chef-repo> knife data bag list 
auth
PS C:\chef-repo> knife data bag show auth
bind_data
bind_data_keys
PS C:\> knife data bag show auth bind_data
WARNING: Encrypted data bag detected, but no secret provided for decoding. Displaying encrypted data.
ad_domain:
  auth_tag:       J+kC5gBhgE4BN6BDFoRISQ==

  cipher:         aes-256-gcm
  encrypted_data: xxx

  iv:             qFi50lg/5txPef+S

  version:        3
ad_server:
  auth_tag:       XWI5sQr60Zva6lXMAEQs7w==

  cipher:         aes-256-gcm
  encrypted_data: xxx

  iv:             8vJw7PRlvUMAU0jq

  version:        3
bindName:
  auth_tag:       zeCbMaVT0g3tL8kYZrBGbg==

  cipher:         aes-256-gcm
  encrypted_data: xxx
  zap1Z8o4sA==

  iv:             utyE8ms0t9JswOM1

  version:        3
bindPassword:
  auth_tag:       ah473Xs1mmOghZsrGHIPjw==

  cipher:         aes-256-gcm
  encrypted_data: xxx

  iv:             H8E/vSSfqXV00UD3

  version:        3
id:           bind_data
PS C:\chef-repo> chef --version
Chef Development Kit Version: 2.4.17
chef-client version: 13.6.4
delivery version: master (73ebb72a6c42b3d2ff5370c476be800fee7e5427)
berks version: 6.3.1
kitchen version: 1.19.2
inspec version: 1.45.13

@mcaulifn

Scratch my comment. Found out the hard way: -M has to be on every knife command.
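
Added example, not part of the thread or of chef-vault itself: a Ruby check that reads local data bag JSON and reports whether each item is a vault item (encrypted attributes plus the `<item>_keys` sibling seen in the `knife data bag show auth` output above), an encrypted item without keys, or plaintext. The `data_bags/<bag>/<item>.json` layout, the status names and the sample values are assumptions of this example.

```ruby
require 'json'

# Fields each encrypted attribute carries in the output quoted in the thread.
ENCRYPTED_FIELDS = %w[encrypted_data iv cipher version].freeze

def encrypted_value?(value)
  value.is_a?(Hash) && ENCRYPTED_FIELDS.all? { |f| value.key?(f) }
end

# Load <root>/<bag>/<item>.json into { bag => { item_id => parsed_body } }.
def load_bags(root)
  Dir.glob(File.join(root, '*', '*.json')).each_with_object({}) do |path, bags|
    bag = File.basename(File.dirname(path))
    (bags[bag] ||= {})[File.basename(path, '.json')] = JSON.parse(File.read(path))
  end
end

# Classify the items of one data bag. Returns { item_id => status }.
def classify_bag(items)
  items.each_with_object({}) do |(id, body), report|
    if id.end_with?('_keys')
      # Keys item with no matching data item.
      report[id] = :orphan_keys unless items.key?(id.sub(/_keys\z/, ''))
      next
    end
    attrs = body.reject { |key, _| key == 'id' }
    report[id] =
      if attrs.any? { |_, value| !encrypted_value?(value) } then :plaintext
      elsif items.key?("#{id}_keys") then :vault
      else :encrypted_no_keys
      end
  end
end

# Constructed sample: item ids follow the thread, values are placeholders.
enc = { 'encrypted_data' => 'xxx', 'iv' => 'xxx', 'auth_tag' => 'xxx',
        'version' => 3, 'cipher' => 'aes-256-gcm' }
SAMPLE_BAGS = {
  'auth' => { 'bind_data' => { 'id' => 'bind_data', 'bindPassword' => enc },
              'bind_data_keys' => { 'id' => 'bind_data_keys' } },
  'revsecrets' => { 'revpass' => { 'id' => 'revpass', 'oracle_pass' => 'PLACEHOLDER' } }
}.freeze

if __FILE__ == $PROGRAM_NAME
  bags = ARGV[0] ? load_bags(ARGV[0]) : SAMPLE_BAGS
  bags.each { |bag, items| puts "#{bag}: #{classify_bag(items)}" }
end
```

Run it with the path to a chef-repo's `data_bags` directory as the only argument; a `:plaintext` result means the secrets in that item are stored unencrypted.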
