The CyberArk Conjur secret provider connects the Orchestrator to CyberArk Conjur, a secrets management solution designed for DevOps, CI/CD pipelines, and containerized environments. Conjur provides machine identity, secrets management, and fine-grained access control through policy-as-code.
Console terminology: In the Maverics Console, Orchestrator instances and configuration delivery are managed through Deployments. When working directly with YAML, configuration is managed as files delivered via the -config flag or MAVERICS_CONFIG environment variable.

Overview

When configured with the Conjur provider, the Orchestrator authenticates to your Conjur server and retrieves secrets as they are referenced in configuration. Conjur uses its own authentication model based on machine identities and policy definitions, providing granular access control over which hosts and services can access specific secret variables.

Use Cases

  • DevOps secrets management — manage Orchestrator secrets alongside other application secrets in Conjur with policy-as-code access control
  • Container-native deployments — integrate with Conjur’s Kubernetes authenticator for automated identity and secret injection in containerized Orchestrator deployments
  • CI/CD pipeline secrets — retrieve build-time and deployment-time secrets from Conjur during automated deployments

Configuration

Secret providers are not configured in YAML. They are set via the MAVERICS_SECRET_PROVIDER environment variable or the -secretProvider CLI flag.

Configuration via Environment Variable

export MAVERICS_SECRET_PROVIDER="conjur://conjur.example.com"

Configuration via CLI Flag

maverics -config maverics.yaml -secretProvider "conjur://conjur.example.com"

Referencing Secrets in YAML

Once the secret provider is configured, reference secrets in your Orchestrator YAML configuration using angle bracket syntax:
connectors:
  - name: my-idp
    oauthClientSecret: <maverics.client_secret>

Configuration Reference

URL Structure

conjur://{conjur-server-address}

URL Parameters

Parameter        Required   Description
Server address   Yes        Hostname of the Conjur server (e.g., conjur.example.com)

Conjur uses its own authentication model. Ensure the Orchestrator host is enrolled as a Conjur identity with access to the required secret variables. Authentication is typically configured via the Conjur CLI or environment variables on the host (CONJUR_ACCOUNT, CONJUR_AUTHN_LOGIN, CONJUR_AUTHN_API_KEY).

Troubleshooting

Authentication failures when starting the Orchestrator
Verify the Conjur host identity is enrolled and has a valid API key. Check that the CONJUR_ACCOUNT and CONJUR_AUTHN_LOGIN environment variables are correctly set on the host.

“Forbidden” or “403” when retrieving secrets
Confirm that the Conjur policy grants the Orchestrator host identity read and execute permissions on the required secret variables.

Secrets not resolving in YAML configuration
Ensure the angle bracket syntax matches the variable names in Conjur. The namespace and key in <namespace.key> must correspond to the Conjur variable path.
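
A pre-flight check for the troubleshooting cases above, added here as an example and not part of the Maverics or Conjur documentation. The function names are hypothetical; the script checks the provider URL shape and the host environment, and lists the <namespace.key> references the Conjur policy must cover, without contacting Conjur or printing the API key.

```shell
#!/bin/sh
# Added example: pre-flight checks before starting the Orchestrator with the
# Conjur secret provider. Function names are hypothetical.

# Succeeds only for the documented shape conjur://{conjur-server-address}.
valid_provider_url() {
  case "$1" in
    conjur://*/*|conjur://) return 1 ;;  # path component or empty address
    conjur://*) return 0 ;;
    *) return 1 ;;                       # wrong scheme
  esac
}

# Prints the name of each Conjur variable from the page that is unset or empty.
# Only names are printed, never values.
missing_conjur_env() {
  for name in CONJUR_ACCOUNT CONJUR_AUTHN_LOGIN CONJUR_AUTHN_API_KEY; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || echo "$name"
  done
}

# Prints each unique <namespace.key> reference found in config file $1.
list_secret_refs() {
  grep -oE '<[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+>' "$1" | tr -d '<>' | sort -u
}

# Runs all checks; returns non-zero if the URL or the environment is wrong.
preflight() {
  url=$1 config=$2 rc=0
  valid_provider_url "$url" || { echo "bad provider URL: $url" >&2; rc=1; }
  for name in $(missing_conjur_env); do
    echo "missing environment variable: $name" >&2
    rc=1
  done
  echo "secret references the host identity needs read and execute on:"
  list_secret_refs "$config" | sed 's/^/  /'
  return $rc
}

# When run as a script: ./preflight.sh "$MAVERICS_SECRET_PROVIDER" maverics.yaml
if [ $# -eq 2 ]; then
  preflight "$1" "$2"
fi
```

Compare the listed references against the variables your Conjur policy permits for the Orchestrator host before starting the service.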