In Chef parlance, databags are global variables saved in JSON format and are stored and accessible on the Chef server. Given that these are indexed and can be searched up along with the fact that they can be encrypted make them ideal candidates to store secrets such as credentials/ssh keys.

Chef provides an easy way to search and fetch databag and databag items from within a recipe:

For ex to fetch a databag called admins, it’s as easy as:

admins = data_bag('admins')

And to fetch databag items:

admins.each do |login|
    admin = data_bag_item('admins', login)
    user_name = admin['id']
    ssh_keys = admin['ssh_keys']
    groups = admin['groups']
end

Unfortunately, the data_bag and data_bag_item helpers are not accessible from within attributes and it seems as of now, the working way is to use Chef::DataBagItem.load method like so:

credentials  = Chef::DataBagItem.load('admins','sathya')