CyberArk Conjur

CyberArk Conjur (uses identifier conjur, since it is powered by Conjur OpenSource Suite) populates credentials from an external Conjur service.

Secretless Broker configuration

The Secretless Broker must be configured to work with Conjur. Secretless currently supports several authentication methods (activating the first non-empty method in this order):

  • CONJUR_AUTHN_TOKEN_FILE environment variable

  • CONJUR_AUTHN_LOGIN and CONJUR_AUTHN_API_KEY environment variables

  • Conjur Kubernetes authenticator-based authentication

    In this mode, Secretless behaves as an authn-k8s-client and retrieves a machine identity through orchestrator-facilitated attestation that requires:

    • CONJUR_AUTHN_URL environment variable (which contains authn-k8s).

    • The same configuration environment variables as authn-k8s-client.

    See the Conjur documentation for additional information on configuration.

All methods also require CONJUR_APPLIANCE_URL and CONJUR_ACCOUNT to be set in the environment of the Secretless Broker. You may optionally also include any other configuration environment variables that are allowed by the Conjur Go Client Library.

 

When deploying applications to Kubernetes or OpenShift, the Kubernetes authenticator method of authenticating to Conjur is recommended.

Example

 


version: "2"
services:
  postgres-sample:
    connector: pg
    listenOn: tcp://0.0.0.0:5432
    credentials:
      host:
        from: conjur
        get: pg-sample/host
      port:
        from: conjur
        get: pg-sample/port
      password:
        from: conjur
        get: pg-sample/password
      username:
        from: conjur
        get: pg-sample/username

See also

Troubleshoot Secret Providers (Secretless)