Console terminology: In the Maverics Console, Orchestrator instances and
configuration delivery are managed through Deployments. When working directly
with YAML, configuration is managed as files delivered via the
-config flag or
MAVERICS_CONFIG environment variable.Overview
When configured with the Conjur provider, the Orchestrator authenticates to your Conjur server and retrieves secrets as they are referenced in configuration. Conjur uses its own authentication model based on machine identities and policy definitions, providing granular access control over which hosts and services can access specific secret variables.Use Cases
- Existing Conjur deployments — retrieve Orchestrator secrets from an existing Conjur instance without duplicating credentials into another system
- Policy-as-code access control — manage which Orchestrator instances can access which secrets through Conjur’s policy definitions
- Centralized credential rotation — rotate secrets in Conjur and pick up new values on Orchestrator restart or config reload
Configuration
Secret providers are not configured in YAML. They are set via theMAVERICS_SECRET_PROVIDER environment variable or the -secretProvider CLI flag.
Configuration via Environment Variable
The login value may contain
/ characters (e.g., host/maverics). These must
be URL-encoded as %2F in the provider URL.Configuration via CLI Flag
Referencing Secrets in YAML
Once the secret provider is configured, reference secrets in your Orchestrator YAML configuration using angle bracket syntax. The key in the angle brackets maps to the Conjur variable ID:Configuration Reference
URL Structure
URL Parameters
| Parameter | Required | Description |
|---|---|---|
| Host | Conditional | Hostname of the Conjur server (e.g., conjur.example.com). Falls back to Conjur configuration if not specified. |
| Account | Conditional | Conjur account name (URL path segment). Falls back to Conjur configuration if not specified. |
| Login | Conditional | Conjur login identity (URL path segment, e.g., host%2Fmaverics). Required when apikey is provided. |
apikey | No | Conjur API key. When provided with login, authenticates using the key pair. |
Authentication
The provider first loads the Conjur API configuration from the standard Conjur configuration sources (environment variables, configuration files). If the URL includes a host, account, login, and API key, those values take precedence. Whenlogin and apikey are provided in the URL, the provider authenticates directly with those credentials. Otherwise, it falls back to credentials from the Conjur environment (e.g., CONJUR_AUTHN_LOGIN, CONJUR_AUTHN_API_KEY).
Troubleshooting
Authentication failures when starting the Orchestrator If using URL-based authentication, verify the account, login, and API key are correct in the provider URL. If using environment-based authentication, check that the Conjur environment variables (CONJUR_ACCOUNT, CONJUR_AUTHN_LOGIN, CONJUR_AUTHN_API_KEY) are correctly set.
“Forbidden” or “403” when retrieving secrets
Confirm that the Conjur policy grants the Orchestrator host identity read and execute permissions on the required secret variables.
Secrets not resolving in YAML configuration
Ensure the angle bracket syntax matches the variable names in Conjur. The namespace and key in <namespace.key> must correspond to the Conjur variable path.