CyberArk Conjur


Maverics Orchestrator can retrieve secrets from CyberArk Conjur (both Conjur Secrets Manager Enterprise and Conjur Open Source) using the Conjur REST API.

To load secrets from a Conjur server, set the MAVERICS_SECRET_PROVIDER environment variable, using the following pattern:

MAVERICS_SECRET_PROVIDER="conjur://"

By default, Maverics uses the CyberArk Conjur environment configuration, for example the Conjur CONJUR_* environment variables or a CONJURRC file.

To override the CyberArk Conjur environment configuration, specify the account, the hostID or login, and the apikey in the connection string. Ensure the fields are properly URL encoded.

MAVERICS_SECRET_PROVIDER="conjur://<CONJUR_HOST>/<account>/<hostID | login>/?apikey=some-api-key"

Example with a hostID of host/mycompany/myapp:

MAVERICS_SECRET_PROVIDER="conjur://secrets.mydomain.com/myConjurAccount/host%2Fmycompany%2Fmyapp/?apikey=some-api-key"

Example with a login of alice@devops:

MAVERICS_SECRET_PROVIDER="conjur://secrets.mydomain.com/myConjurAccount/alice%40devops/?apikey=some-api-key"
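
An added example (not Maverics or CyberArk code) that builds the connection string shown above with each field percent-encoded, then decodes it again to confirm the fields round-trip. The function names are hypothetical, and the decoder only mirrors the pattern on this page; it is not Maverics' own parser.

```python
from urllib.parse import parse_qs, quote, unquote, urlsplit


def build_conjur_provider(host, account, identity, api_key):
    """Return a conjur:// connection string with every field percent-encoded.

    identity is the hostID or login. Hypothetical helper, not a Maverics API.
    """
    for name, value in (("host", host), ("account", account),
                        ("identity", identity), ("api_key", api_key)):
        if not value:
            raise ValueError(f"{name} must not be empty")
    if any(c in host for c in "/?#@"):
        raise ValueError("host must be a bare hostname, optionally with :port")
    # safe="" makes quote() encode "/" as well, so a hostID such as
    # host/mycompany/myapp stays one path segment instead of three.
    enc = lambda s: quote(s, safe="")
    return f"conjur://{host}/{enc(account)}/{enc(identity)}/?apikey={enc(api_key)}"


def parse_conjur_provider(url):
    """Decode a connection string by the page's pattern (assumed layout)."""
    parts = urlsplit(url)
    if parts.scheme != "conjur" or not parts.netloc:
        raise ValueError("expected conjur://<CONJUR_HOST>/...")
    segments = parts.path.strip("/").split("/")
    if len(segments) != 2:
        # An unencoded "/" in account, hostID or login lands here.
        raise ValueError(f"expected 2 path fields, found {len(segments)}")
    query = parse_qs(parts.query, strict_parsing=True)
    return {
        "host": parts.netloc,
        "account": unquote(segments[0]),
        "identity": unquote(segments[1]),
        "api_key": query["apikey"][0],
    }


if __name__ == "__main__":
    # Constructed sample values; the key contains characters that need encoding.
    url = build_conjur_provider("secrets.mydomain.com", "myConjurAccount",
                                "host/mycompany/myapp", "k3y+with/odd=chars&more")
    assert parse_conjur_provider(url)["api_key"] == "k3y+with/odd=chars&more"
    print(url)
```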

Permissions

Ensure that the API key, or other method of authentication, has only the minimal read permissions needed to access the secrets referenced in the configuration.

Using secrets in configuration

In maverics.yaml, use the Conjur secret name as a placeholder for any secrets or passwords. For example:

connectors:
  - name: azure
    type: azure
    oauthClientID: <apps/clientID>
    oauthClientSecret: <mycompany/secret>
    # ...

The variable identifiers can also be referenced in the following format:

connectors:
  - name: azure
    type: azure
    oauthClientID: <myConjurAccount:variable:apps/clientID>
    oauthClientSecret: <myConjurAccount:variable:mycompany/secret>
    # ...