Creating multiple validator keys in Chef
Sep 9, 2015

By default, many folks think that there is one (and only one) validator key for a Chef organization, which brings up a few issues:

  • If the validator key ever needs to be reset, then everyone who was using that key is screwed.
  • If the validator key is compromised, then it must be reset for everyone.

The good news is that you can have as many validator keys as you want. For example, every user who has the capability of performing knife bootstrap might have their own. Or you might use a different key for your Azure provisioning than for your VMware provisioning, etc. This is a really easy thing to do.

Adding a validator client via knife

knife client create mstratton_validator_test --file mstratton_validator_test.pem --validator

After you do this, your editor will pop open which lets you make changes to the client configuration if you would like. You can use the --disable-editing flag to remove this capability. The --file flag will specify where you would like the private key to be written to.
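Here is the same knife command wrapped in a small script, added here as an example and not part of the original post. It creates one validator client per purpose (the names azure-validator and the key paths are made up), refuses to overwrite a key file that already exists, writes the key with a restrictive umask and mode 600, checks that a PEM private key actually came back, and prints the two knife.rb settings a bootstrap needs to use that validator. It assumes knife is on PATH and already configured for your organization.

```shell
#!/bin/sh
# Hypothetical helper (not from the post): one validator client per purpose,
# each with its own private key, built on "knife client create ... --validator".

# create_validator NAME KEYFILE
#   Creates a validator client called NAME and writes its private key to
#   KEYFILE. Refuses to overwrite an existing file, creates the key with a
#   restrictive umask, and verifies that a PEM private key was really written.
create_validator() {
    name="$1"
    keyfile="$2"

    if [ -e "$keyfile" ]; then
        echo "create_validator: $keyfile already exists, refusing to overwrite" >&2
        return 1
    fi

    # --disable-editing skips the editor prompt; --file is where knife writes the key.
    # The umask is set in a subshell so it only applies to this one command.
    (umask 077 && knife client create "$name" --validator --disable-editing --file "$keyfile") || return 1

    chmod 600 "$keyfile" || return 1

    # The Chef server hands out the private key exactly once; make sure we got it.
    if ! grep -q 'PRIVATE KEY' "$keyfile"; then
        echo "create_validator: no private key found in $keyfile" >&2
        return 1
    fi
}

# knife_config_snippet NAME KEYFILE
#   Prints the two knife.rb settings that make "knife bootstrap" use this validator.
knife_config_snippet() {
    printf "validation_client_name '%s'\nvalidation_key '%s'\n" "$1" "$2"
}

# Example use (names are illustrative):
#   sh make_validator.sh azure-validator ./azure-validator.pem
if [ "$#" -ge 2 ]; then
    create_validator "$1" "$2" && knife_config_snippet "$1" "$2"
fi
```

Run it once per pipeline or per operator (azure-validator, vmware-validator, and so on); if one of those keys is ever reset, only the bootstraps that use that client need the new key.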

Adding a validator client via Chef Manage

Log onto your Chef Manage UI. If you use Hosted Chef, the URL is


Note - I have deleted this validator client, so don’t think you’re gonna be slick and hack the private key

It’s that simple! You now have another validation client for your use.
