Maverics Orchestrator can retrieve secrets from CyberArk Conjur (both Conjur Secrets Manager Enterprise and Conjur Open Source) using the Conjur REST API.
To load secrets from a Conjur server, set the MAVERICS_SECRET_PROVIDER environment variable, using the following pattern:
MAVERICS_SECRET_PROVIDER="conjur://"
By default, Maverics uses the CyberArk Conjur environment configuration, for example the Conjur CONJUR_* environment variables or the CONJURRC file.
To override the CyberArk Conjur environment configuration, account, hostID or login, and apikey can be specified on the connection string. Ensure the fields are properly URL encoded.
MAVERICS_SECRET_PROVIDER="conjur://<CONJUR_HOST>/<account>/<hostID | login>/?apikey=some-api-key"
Example with a hostID of host/mycompany/myapp:
MAVERICS_SECRET_PROVIDER="conjur://secrets.mydomain.com/myConjurAccount/host%2Fmycompany%2Fmyapp/?apikey=some-api-key"
Example with a login of alice@devops:
MAVERICS_SECRET_PROVIDER="conjur://secrets.mydomain.com/myConjurAccount/alice%40devops/?apikey=some-api-key"
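One way to produce and check a correctly encoded connection string, shown as an added example that is not Maverics or Conjur code. The function names build_provider and parse_provider are hypothetical, and the segment check assumes the <CONJUR_HOST>/<account>/<hostID | login>/ pattern shown above.

```python
from urllib.parse import quote, unquote, urlsplit, parse_qs


def build_provider(host, account, identity, apikey):
    """Build a conjur:// connection string with each field percent-encoded.

    `identity` is the hostID or login. safe="" makes quote() encode "/" too,
    so a hostID such as host/mycompany/myapp stays a single path segment.
    """
    account, identity, apikey = (quote(v, safe="") for v in (account, identity, apikey))
    return f"conjur://{host}/{account}/{identity}/?apikey={apikey}"


def parse_provider(value):
    """Decode a connection string; raise ValueError if it is mis-encoded."""
    parts = urlsplit(value)
    if parts.scheme != "conjur":
        raise ValueError("scheme must be conjur://")
    if not parts.netloc and not parts.path:
        return {}  # bare "conjur://": the Conjur environment configuration is used
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 2:
        # An unencoded "/" in the hostID shows up here as extra path segments.
        raise ValueError(
            f"expected <account>/<hostID | login>, got {len(segments)} path segments")
    apikey = parse_qs(parts.query).get("apikey", [""])[0]
    return {"host": parts.netloc, "account": unquote(segments[0]),
            "identity": unquote(segments[1]), "apikey": apikey}


if __name__ == "__main__":
    # Constructed sample values, matching the placeholders used on this page.
    value = build_provider("secrets.mydomain.com", "myConjurAccount",
                           "host/mycompany/myapp", "some-api-key")
    print(f'MAVERICS_SECRET_PROVIDER="{value}"')
    print(parse_provider(value))
```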
Permissions
Ensure that the API key or other method of authentication has the minimal read permissions to access the secrets referenced in the configuration.
Using secrets in configuration
In maverics.yaml, use the Conjur secret name as a placeholder for any secrets or passwords. For example:
connectors:
  - name: azure
    type: azure
    oauthClientID: <apps/clientID>
    oauthClientSecret: <mycompany/secret>
    # ...
The variable identifiers can also be referenced in the following format:
connectors:
  - name: azure
    type: azure
    oauthClientID: <myConjurAccount:variable:apps/clientID>
    oauthClientSecret: <myConjurAccount:variable:mycompany/secret>
    # ...