The CyberArk Conjur secret provider connects the Orchestrator to CyberArk Conjur, a secrets management solution designed for DevOps, CI/CD pipelines, and containerized environments. Conjur provides machine identity, secrets management, and fine-grained access control through policy-as-code.
Console terminology: In the Maverics Console, Orchestrator instances and configuration delivery are managed through Deployments. When working directly with YAML, configuration is managed as files delivered via the -config flag or MAVERICS_CONFIG environment variable.

Overview

When configured with the Conjur provider, the Orchestrator authenticates to your Conjur server and retrieves secrets as they are referenced in configuration. Conjur uses its own authentication model based on machine identities and policy definitions, providing granular access control over which hosts and services can access specific secret variables.

Use Cases

  • Existing Conjur deployments — retrieve Orchestrator secrets from an existing Conjur instance without duplicating credentials into another system
  • Policy-as-code access control — manage which Orchestrator instances can access which secrets through Conjur’s policy definitions
  • Centralized credential rotation — rotate secrets in Conjur and pick up new values on Orchestrator restart or config reload

Configuration

Secret providers are not configured in YAML. They are set via the MAVERICS_SECRET_PROVIDER environment variable or the -secretProvider CLI flag.

Configuration via Environment Variable

# With credentials in the URL
export MAVERICS_SECRET_PROVIDER="conjur://conjur.example.com/myaccount/host%2Fmaverics?apikey=<api-key>"

# With credentials from Conjur environment variables
export MAVERICS_SECRET_PROVIDER="conjur://conjur.example.com"
The login value normally contains / characters (e.g., host/maverics). Each / must be percent-encoded as %2F in the provider URL; an unencoded slash is parsed as an additional path segment and the login is not recognized.

Configuration via CLI Flag

maverics -config maverics.yaml -secretProvider "conjur://conjur.example.com/myaccount/host%2Fmaverics?apikey=<api-key>"
An API key passed on the command line is visible to any local user in the process list (ps, /proc/<pid>/cmdline) and is typically recorded in shell history. Prefer the environment variable, or leave apikey out of the URL entirely and supply CONJUR_AUTHN_LOGIN and CONJUR_AUTHN_API_KEY through the Orchestrator's environment.

Referencing Secrets in YAML

Once the secret provider is configured, reference secrets in your Orchestrator YAML configuration using angle bracket syntax. The text inside the angle brackets is the Conjur variable ID, that is, the variable's full path in the policy tree (for example maverics/client_secret for a variable client_secret declared inside a policy with id maverics):
connectors:
  - name: my-idp
    oauthClientSecret: <maverics/client_secret>
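The reference above only resolves if the Orchestrator's host identity is permitted to read the variable. The following Conjur policy is an added illustration, not part of this page or of the Orchestrator: it declares the host identity host/maverics used in the provider URL, the variable maverics/client_secret referenced above, and the read/execute permit that the troubleshooting section asks you to verify. The policy id, host name and variable name are this example's own choices, picked to match the page's examples.

```yaml
# Root-level Conjur policy (example only, not shipped with the Orchestrator).
# Loading it into the root policy yields:
#   host identity -> host/maverics          (the login in the provider URL)
#   variable ID   -> maverics/client_secret (referenced as <maverics/client_secret>)
- !host
  id: maverics
  annotations:
    description: Maverics Orchestrator instance

- !policy
  id: maverics
  body:
    - !variable client_secret

# Least privilege: read (see the variable) and execute (fetch its value) on the one
# variable the Orchestrator needs, and nothing else in the policy tree.
- !permit
  role: !host maverics
  privileges: [read, execute]
  resource: !variable maverics/client_secret
```

Load the file into the root policy with the Conjur CLI (conjur policy load; the exact flag syntax differs between CLI versions). Creating the host returns its API key once in the load output; that value is the apikey in the provider URL or CONJUR_AUTHN_API_KEY. Give each Orchestrator instance its own host rather than sharing one key, and rotate the key with the CLI when it is exposed. A 403 on <maverics/client_secret> almost always means this permit is missing or names a different host.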

Configuration Reference

URL Structure

conjur://{host}/{account}/{login}?apikey={apikey}

URL Parameters

Parameter | Required    | Description
host      | Conditional | Hostname of the Conjur server (e.g., conjur.example.com). Falls back to the Conjur configuration (CONJUR_APPLIANCE_URL) if not specified.
account   | Conditional | Conjur account name (first URL path segment). Falls back to the Conjur configuration (CONJUR_ACCOUNT) if not specified.
login     | Conditional | Conjur login identity (second URL path segment, percent-encoded, e.g., host%2Fmaverics). Required when apikey is provided.
apikey    | No          | Conjur API key (query parameter). When provided together with login, the provider authenticates with that login/API key pair instead of the environment credentials.

Authentication

The provider first loads the Conjur API configuration from the standard Conjur configuration sources (environment variables, configuration files). If the URL includes a host, account, login, and API key, those values take precedence. When login and apikey are provided in the URL, the provider authenticates directly with those credentials. Otherwise, it falls back to credentials from the Conjur environment (e.g., CONJUR_AUTHN_LOGIN, CONJUR_AUTHN_API_KEY).
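The URL rules from the reference above and the precedence just described are easy to get wrong (an unencoded slash, an apikey without a login, a host that silently falls back to the environment). The Python script below is an added example, not Strata's or CyberArk's code: it builds and parses provider URLs, applies the documented precedence between URL values and CONJUR_* environment variables, and prepares the two Conjur REST calls the Orchestrator effectively makes at startup (authenticate, then fetch one variable) so you can reproduce a failure outside the Orchestrator. It assumes HTTPS on the Conjur host and Conjur's documented authn and secrets endpoints; all function names are this example's own.

```python
"""Build, parse and resolve Maverics Conjur secret-provider URLs, then prepare the
two Conjur REST calls a startup preflight check would make.

Added example, not Strata's or CyberArk's code. Assumptions: the URL shape
conjur://{host}/{account}/{login}?apikey={apikey} documented above, the standard
CONJUR_* environment variables, HTTPS on the Conjur host, and Conjur's documented
authn and secrets REST paths. All function names are this example's own.
"""
import base64
import os
import urllib.error
import urllib.request
from urllib.parse import parse_qs, quote, unquote, urlsplit


def build_provider_url(host, account=None, login=None, apikey=None):
    """Assemble a provider URL. The login (e.g. host/maverics) is percent-encoded
    so its '/' becomes %2F and is not read as an extra path segment."""
    url = f"conjur://{host}"
    if account:
        url += "/" + quote(account, safe="")
        if login:
            url += "/" + quote(login, safe="")
    if apikey:
        if not (account and login):
            raise ValueError("apikey requires account and login in the URL")
        url += "?apikey=" + quote(apikey, safe="")
    return url


def parse_provider_url(url):
    """Split a provider URL into host/account/login/apikey (None when absent) and
    enforce the documented rule that apikey needs a login."""
    parts = urlsplit(url)
    if parts.scheme != "conjur":
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) > 2:
        raise ValueError("too many path segments: encode '/' in the login as %2F")
    apikey = parse_qs(parts.query).get("apikey", [None])[0]
    login = unquote(segments[1]) if len(segments) > 1 else None
    if apikey and not login:
        raise ValueError("apikey given without a login")
    return {"host": parts.hostname,
            "account": unquote(segments[0]) if segments else None,
            "login": login, "apikey": apikey}


def resolve_auth(url, env=None):
    """Apply the precedence described on the page: URL values win, anything the URL
    omits comes from the Conjur environment. Login and apikey are taken as a pair,
    so a URL carrying neither falls back to CONJUR_AUTHN_LOGIN/CONJUR_AUTHN_API_KEY."""
    env = os.environ if env is None else env
    u = parse_provider_url(url)
    if u["login"] and u["apikey"]:
        login, apikey = u["login"], u["apikey"]
    else:
        login, apikey = env.get("CONJUR_AUTHN_LOGIN"), env.get("CONJUR_AUTHN_API_KEY")
    # Assumption: a bare hostname in the URL means HTTPS on the default port.
    appliance = f"https://{u['host']}" if u["host"] else env.get("CONJUR_APPLIANCE_URL")
    auth = {"appliance_url": appliance,
            "account": u["account"] or env.get("CONJUR_ACCOUNT"),
            "login": login, "apikey": apikey}
    missing = [k for k, v in auth.items() if not v]
    if missing:
        raise ValueError("unresolved Conjur settings: " + ", ".join(missing))
    return auth


def authenticate_request(auth):
    """POST /authn/{account}/{login}/authenticate with the API key as the raw body;
    Conjur answers with a short-lived access token."""
    path = f"/authn/{quote(auth['account'], safe='')}/{quote(auth['login'], safe='')}/authenticate"
    return ("POST", auth["appliance_url"] + path, {}, auth["apikey"])


def secret_request(auth, token, variable_id):
    """GET /secrets/{account}/variable/{id}; the token goes base64-wrapped into the
    Authorization header, the form Conjur expects."""
    wrapped = base64.b64encode(token.encode()).decode()
    path = f"/secrets/{quote(auth['account'], safe='')}/variable/{quote(variable_id, safe='')}"
    return ("GET", auth["appliance_url"] + path, {"Authorization": f'Token token="{wrapped}"'}, None)


def send(request):
    """Issue a prepared request and return (status, body). Needs network access."""
    method, url, headers, body = request
    req = urllib.request.Request(url, data=body.encode() if body else None,
                                 headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def preflight(url, variable_id, env=None):
    """Reproduce the Orchestrator's startup path: authenticate, then read one
    variable. 401 means credentials, 403 means policy, 404 means the variable ID."""
    auth = resolve_auth(url, env)
    status, token = send(authenticate_request(auth))
    if status != 200:
        return status, f"authentication failed for login {auth['login']!r}"
    return send(secret_request(auth, token, variable_id))


if __name__ == "__main__":
    import sys  # usage: python preflight.py '<provider-url>' maverics/client_secret
    print(preflight(sys.argv[1], sys.argv[2]))
```

Run it with the same provider URL and environment the Orchestrator gets; the status of the second call distinguishes a bad key (401 at authentication), a missing permit (403) and a wrong variable ID (404) before you restart the Orchestrator. The resolve step mirrors the page's precedence as read here: a URL that carries both login and apikey is used as-is, otherwise the login/API key pair comes from the environment.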

Troubleshooting

Authentication failures when starting the Orchestrator
If using URL-based authentication, verify that the account, login, and API key in the provider URL are correct and that the / characters in the login are encoded as %2F. If using environment-based authentication, check that the Conjur environment variables (CONJUR_APPLIANCE_URL, CONJUR_ACCOUNT, CONJUR_AUTHN_LOGIN, CONJUR_AUTHN_API_KEY) are set in the environment the Orchestrator process actually runs in. A host's API key is issued when the host is created and invalidated when it is rotated, so a stale key fails here as well.

“Forbidden” or “403” when retrieving secrets
Authentication succeeded; the failure is authorization. Confirm that the Conjur policy grants the Orchestrator's host identity read and execute privileges on the required secret variables, and that the permit names the same host as the login in the provider URL.

Secrets not resolving in YAML configuration
Ensure the angle bracket syntax matches the variable names in Conjur exactly. The namespace and key in <namespace.key> must correspond to the Conjur variable path, including any policy prefix (for example maverics/client_secret), and the host must be permitted to read that variable.