
Chef username/passwords best practice for multiple nodes

Submitted by: @import:stackexchange-devops

Problem

I've been playing around with Chef to evaluate it as a potential CD tool for the company I work for.

So far I've been using it with Vagrant to provision a VM. In my recipes I've been retrieving the username/password from data bags.

I'm now looking to re-use these recipes across multiple nodes which all have different credentials so pointing to one data bag for credentials is no longer sufficient.

The only way I can see to get around the issue is to store the username and password in the node attributes, however is this best practice/secure?

I've done some googling around this and can't get a clear answer...

Solution

Storing sensitive data in attributes is definitely not a good practice. I once used a strategy of a chef-vault per environment (dev, stg, prod), and it worked well. If you use the sensitive data within templates, you can set the sensitive property on the template resource to true to keep the password in plain text form from showing up in the run logs and associated template file diffs.

We eventually moved to HashiCorp Vault, and while it took more time upfront to learn and get up and running, it was definitely a better long-term solution for secrets management and automation around managing sensitive data.
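The per-environment chef-vault lookup and the sensitive resource described in the answer, as an added example that is not part of the original post or of any Chef project code. The vault bag naming (`secrets_<env>`), the item name `db`, the config path and the `myapp` owner are assumptions, and the `defined?(Chef::Recipe)` guard exists only so the helpers can be exercised outside a chef-client run (in a real cookbook they would live under `libraries/`).

```ruby
require 'erb'

# One chef-vault data bag per environment: secrets_dev, secrets_stg, secrets_prod
# (assumed naming). Unknown environments are rejected explicitly so a node in a
# misnamed environment cannot silently fall through to another vault.
KNOWN_ENVIRONMENTS = %w[dev stg prod].freeze

def vault_name_for(environment)
  unless KNOWN_ENVIRONMENTS.include?(environment)
    raise ArgumentError, "no vault defined for environment #{environment.inspect}"
  end
  "secrets_#{environment}"
end

# Assumed config layout; kept inline so the rendering is testable without a cookbook.
DB_CONF_TEMPLATE = <<~ERB
  [database]
  username = <%= username %>
  password = <%= password %>
ERB

# Render the file body from a vault item (a Hash with 'username' and 'password').
# Failing early here beats writing a half-empty credentials file to disk.
def render_db_conf(creds)
  unless creds['username'] && creds['password']
    raise ArgumentError, 'vault item is missing username or password'
  end
  ERB.new(DB_CONF_TEMPLATE).result_with_hash(username: creds['username'],
                                             password: creds['password'])
end

# Recipe body: evaluated only inside chef-client, where the chef-vault helper exists.
if defined?(Chef::Recipe)
  creds = chef_vault_item(vault_name_for(node.chef_environment), 'db')
  conf  = render_db_conf(creds) # computed here so the resource block needs no helper

  file '/etc/myapp/db.conf' do
    content conf
    owner 'myapp'
    group 'myapp'
    mode '0600'
    sensitive true # suppress the content and diff in the run log, as the answer advises
  end
end
```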

Context

StackExchange DevOps Q#4324, answer score: 4
