In Chef parlance, databags are global variables saved in JSON format, stored on and accessible from the Chef server. Because they are indexed and searchable, and can also be encrypted, they are ideal candidates for storing secrets such as credentials and SSH keys.
Chef provides an easy way to search for and fetch databags and databag items from within a recipe.
For example, fetching a databag called admins is as easy as:
admins = data_bag('admins')
And to fetch databag items:
admins.each do |login|
  admin = data_bag_item('admins', login)
  user_name = admin['id']
  ssh_keys = admin['ssh_keys']
  groups = admin['groups']
end
credentials = Chef::DataBagItem.load('admins','sathya')
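A databag item only protects secrets if its values were actually encrypted when it was created. The following added example (not from the original post) audits an item's JSON and lists the fields still stored in plaintext; it assumes the envelope layout of Chef's encrypted databag item formats, versions 1 to 3, and the helper names and sample items are constructed for illustration.

```ruby
require 'json'

# Keys every encrypted value envelope carries (Chef encrypted data bag
# item formats v1-v3); v2 adds "hmac", v3 adds "auth_tag".
# Assumption: legacy v0 items (bare base64 strings) are treated as plaintext.
ENVELOPE_KEYS = %w[encrypted_data iv version cipher].freeze

# True when a value looks like an encrypted envelope rather than plaintext.
def encrypted_value?(value)
  return false unless value.is_a?(Hash)
  return false unless ENVELOPE_KEYS.all? { |k| value.key?(k) }
  case value['version']
  when 1 then true
  when 2 then value.key?('hmac')
  when 3 then value.key?('auth_tag')
  else false
  end
end

# Returns the names of top-level keys stored in plaintext.
# "id" is always plaintext by design, so it is skipped.
def plaintext_fields(item_json)
  item = JSON.parse(item_json)
  raise ArgumentError, 'data bag item must be a JSON object with an "id"' unless item.is_a?(Hash) && item.key?('id')
  item.reject { |key, value| key == 'id' || encrypted_value?(value) }.keys
end

# Constructed sample items (values are placeholders, not real ciphertext).
PLAIN_ITEM = <<~JSON
  {"id": "sathya", "groups": ["sysadmin"], "ssh_keys": ["ssh-ed25519 AAAA...constructed"]}
JSON

MIXED_ITEM = <<~JSON
  {"id": "sathya",
   "ssh_keys": {"encrypted_data": "cGxhY2Vob2xkZXI=", "iv": "cGxhY2Vob2xkZXI=",
                "version": 1, "cipher": "aes-256-cbc"},
   "groups": ["sysadmin"]}
JSON

if __FILE__ == $PROGRAM_NAME
  { 'plain' => PLAIN_ITEM, 'mixed' => MIXED_ITEM }.each do |name, json|
    puts "#{name}: plaintext fields = #{plaintext_fields(json).inspect}"
  end
end
```

Run over the JSON files under a chef-repo's data_bags directory, a non-empty result for an item that holds credentials means it would be uploaded to the Chef server unencrypted.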