> ## Documentation Index
> Fetch the complete documentation index at: https://docs.strata.io/llms.txt
> Use this file to discover all available pages before exploring further.

# CyberArk Conjur

The CyberArk Conjur secret provider connects the Orchestrator to [CyberArk Conjur](https://www.conjur.org/), a secrets management solution designed for DevOps, CI/CD pipelines, and containerized environments. Conjur provides machine identity, secrets management, and fine-grained access control through policy-as-code.

<Note>
  **Console terminology:** In the Maverics Console, Orchestrator instances and
  configuration delivery are managed through **Deployments**. When working directly
  with YAML, configuration is managed as files delivered via the `-config` flag or
  `MAVERICS_CONFIG` environment variable.
</Note>

## Overview

When configured with the Conjur provider, the Orchestrator authenticates to your Conjur server and retrieves secrets as they are referenced in configuration. Conjur uses its own authentication model based on machine identities and policy definitions, providing granular access control over which hosts and services can access specific secret variables.

## Use Cases

* **Existing Conjur deployments** -- retrieve Orchestrator secrets from an existing Conjur instance without duplicating credentials into another system
* **Policy-as-code access control** -- manage which Orchestrator instances can access which secrets through Conjur's policy definitions
* **Centralized credential rotation** -- rotate secrets in Conjur and pick up new values on Orchestrator restart or config reload

## Configuration

Secret providers are not configured in YAML. They are set via the `MAVERICS_SECRET_PROVIDER` environment variable or the `-secretProvider` CLI flag.

### Configuration via Environment Variable

```bash theme={null}
# With credentials in the URL
export MAVERICS_SECRET_PROVIDER="conjur://conjur.example.com/myaccount/host%2Fmaverics?apikey=<api-key>"

# With credentials from Conjur environment variables
export MAVERICS_SECRET_PROVIDER="conjur://conjur.example.com"
```

<Note>
  The login value may contain `/` characters (e.g., `host/maverics`). These must
  be URL-encoded as `%2F` in the provider URL.
</Note>

### Configuration via CLI Flag

```bash theme={null}
maverics -config maverics.yaml -secretProvider "conjur://conjur.example.com/myaccount/host%2Fmaverics?apikey=<api-key>"
```

### Referencing Secrets in YAML

Once the secret provider is configured, reference secrets in your Orchestrator YAML configuration using angle bracket syntax. The key in the angle brackets maps to the Conjur variable ID:

```yaml theme={null}
connectors:
  - name: my-idp
    oauthClientSecret: <maverics/client_secret>
```

## Configuration Reference

### URL Structure

```
conjur://{host}/{account}/{login}?apikey={apikey}
```

### URL Parameters

| Parameter | Required    | Description                                                                                                      |
| --------- | ----------- | ---------------------------------------------------------------------------------------------------------------- |
| Host      | Conditional | Hostname of the Conjur server (e.g., `conjur.example.com`). Falls back to Conjur configuration if not specified. |
| Account   | Conditional | Conjur account name (URL path segment). Falls back to Conjur configuration if not specified.                     |
| Login     | Conditional | Conjur login identity (URL path segment, e.g., `host%2Fmaverics`). Required when `apikey` is provided.           |
| `apikey`  | No          | Conjur API key. When provided with login, authenticates using the key pair.                                      |

### Authentication

The provider first loads the Conjur API configuration from the standard Conjur configuration sources (environment variables, configuration files). If the URL includes a host, account, login, and API key, those values take precedence.

When `login` and `apikey` are provided in the URL, the provider authenticates directly with those credentials. Otherwise, it falls back to credentials from the Conjur environment (e.g., `CONJUR_AUTHN_LOGIN`, `CONJUR_AUTHN_API_KEY`).

## Troubleshooting

**Authentication failures when starting the Orchestrator**
If using URL-based authentication, verify the account, login, and API key are correct in the provider URL. If using environment-based authentication, check that the Conjur environment variables (`CONJUR_ACCOUNT`, `CONJUR_AUTHN_LOGIN`, `CONJUR_AUTHN_API_KEY`) are correctly set.

**"Forbidden" or "403" when retrieving secrets**
Confirm that the Conjur policy grants the Orchestrator host identity `read` and `execute` permissions on the required secret variables.

**Secrets not resolving in YAML configuration**
Ensure the angle bracket syntax matches the variable names in Conjur. The namespace and key in `<namespace.key>` must correspond to the Conjur variable path.

## Related Pages

<CardGroup cols={2}>
  <Card title="Secret Providers" icon="vault" href="/reference/orchestrator/configuration/secret-providers">
    Overview of all secret providers
  </Card>

  <Card title="CyberArk CCP" icon="key" href="/reference/orchestrator/configuration/secret-providers/cyberark-ccp">
    CyberArk Central Credential Provider
  </Card>
</CardGroup>
