jcosteatcyberark/ansible-conjur-collection
CyberArk Ansible Conjur Collection

This collection contains components for use with CyberArk Conjur and DAP (Dynamic Access Provider). It is hosted in Ansible Galaxy.

Table of Contents

Requirements

Installation

From terminal, run the following command:

ansible-galaxy collection install cyberark.conjur

Conjur Ansible Role

NOTE: This role is currently not available in releases installed through Ansible Galaxy, but will be added in the next release. Follow issue #30 for updates.

This Ansible role grants a Conjur machine identity to a host. Based on that identity, secrets can then be retrieved securely using the Conjur Lookup Plugin or the Summon tool (installed on hosts whose identities are created by this role).

Usage

The Conjur role provides a method to establish the Conjur identity of a remote node with Ansible. The node can then be granted least-privilege access to retrieve the secrets it needs in a secure manner.

Role Variables

  • conjur_appliance_url (Optional): URL of the running Conjur service
  • conjur_account (Optional): Conjur account name
  • conjur_host_factory_token (Optional): Host Factory token for layer enrollment. This should be specified in the environment on the Ansible controlling host.
  • conjur_host_name (Optional): Name of the host to be created.
  • conjur_ssl_certificate: Public SSL certificate of the Conjur endpoint
  • conjur_validate_certs: Boolean value to indicate if the Conjur endpoint should validate certificates
  • summon.version: version of Summon to install. Default is 0.8.2.
  • summon_conjur.version: version of Summon-Conjur provider to install. Default is 0.5.3.

The variables marked with (Optional) are not required fields. All other variables are required for running with an HTTPS Conjur endpoint.

Example Playbook

Configure a remote node with a Conjur identity and Summon:

- hosts: servers
  roles:
    - role: cyberark.conjur.conjur-host-identity
      conjur_appliance_url: 'https://conjur.myorg.com/api'
      conjur_account: 'myorg'
      conjur_host_factory_token: "{{lookup('env', 'HFTOKEN')}}"
      conjur_host_name: "{{inventory_hostname}}"

This example:

  • Registers the host {{ inventory_hostname }} with Conjur, adding it into the Conjur policy layer defined for the provided host factory token.
  • Installs Summon with the Summon Conjur provider for secret retrieval from Conjur.

Summon & Service Managers

With Summon installed, using Conjur with a Service Manager (like systemd) becomes a snap. Here's a simple example of a systemd file connecting to Conjur:

[Unit]
Description=DemoApp
After=network-online.target

[Service]
User=DemoUser
#Environment=CONJUR_MAJOR_VERSION=4
ExecStart=/usr/local/bin/summon --yaml 'DB_PASSWORD: !var staging/demoapp/database/password' /usr/local/bin/myapp

Note: When connecting to Conjur 4 (Conjur Enterprise), Summon requires the environment variable CONJUR_MAJOR_VERSION set to 4. You can provide it by uncommenting the relevant line above.

The above example uses Summon to retrieve the password stored in staging/demoapp/database/password, set it as the environment variable DB_PASSWORD, and provide it to the demo application process. Using Summon, the secret is kept off disk. If the service is restarted, Summon retrieves the password again as the application is started.

Recommendations

  • Add no_log: true to each play that uses sensitive data, otherwise that data can be printed to the logs.

  • Set the Ansible files to minimum permissions. Ansible uses the permissions of the user that runs it.

Conjur Ansible Lookup Plugin

Fetch credentials from CyberArk Conjur using the controlling host's Conjur identity or environment variables.

The controlling host running Ansible must have a Conjur identity, provided for example by the Conjur Ansible role.

Environment variables

The following environment variables will be used by the lookup plugin to authenticate with the Conjur host, if they are present on the system running the lookup plugin.

  • CONJUR_ACCOUNT : The Conjur account name
  • CONJUR_APPLIANCE_URL : URL of the running Conjur service
  • CONJUR_CERT_FILE : Path to the Conjur certificate file
  • CONJUR_AUTHN_LOGIN : A valid Conjur host username
  • CONJUR_AUTHN_API_KEY : The API key that corresponds to the Conjur host username
  • CONJUR_AUTHN_TOKEN_FILE : Path to a file containing a valid Conjur auth token

Role Variables

None.

Example Playbook

---
- hosts: localhost
  tasks:
  - name: Lookup variable in Conjur
    debug:
      msg: "{{ lookup('cyberark.conjur.conjur_variable', '/path/to/secret') }}"
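The lookup plugin resolves the controlling host's identity from the environment variables listed above. As an added example that is not the plugin's own code, the following Python client reads the same variables, exchanges the host's API key for a token at the Conjur authn endpoint, and reads a variable from the secrets endpoint, keeping certificate validation on and pinning CONJUR_CERT_FILE as the CA. Preferring a token file over login plus API key is an assumption of this example, and the host name and variable id used in the comments are constructed.

```python
import base64
import ssl
import urllib.parse
import urllib.request


def load_conjur_config(env):
    """Resolve connection and identity settings from a mapping of the environment
    variables the lookup plugin reads. Token file over login + API key is an assumption."""
    missing = [k for k in ("CONJUR_ACCOUNT", "CONJUR_APPLIANCE_URL") if not env.get(k)]
    if missing:
        raise ValueError("missing required variables: " + ", ".join(missing))
    cfg = {"account": env["CONJUR_ACCOUNT"], "url": env["CONJUR_APPLIANCE_URL"].rstrip("/"),
           "cert_file": env.get("CONJUR_CERT_FILE")}  # None falls back to the system CA store
    if env.get("CONJUR_AUTHN_TOKEN_FILE"):
        cfg["auth"] = ("token_file", env["CONJUR_AUTHN_TOKEN_FILE"])
    elif env.get("CONJUR_AUTHN_LOGIN") and env.get("CONJUR_AUTHN_API_KEY"):
        cfg["auth"] = ("api_key", env["CONJUR_AUTHN_LOGIN"], env["CONJUR_AUTHN_API_KEY"])
    else:
        raise ValueError("set CONJUR_AUTHN_TOKEN_FILE, or CONJUR_AUTHN_LOGIN and CONJUR_AUTHN_API_KEY")
    return cfg


def authenticate_request(cfg):
    """POST that exchanges the host's API key for a short-lived Conjur token.
    The login (e.g. the constructed host/ansible/controller) is one URL-encoded path segment."""
    _, login, api_key = cfg["auth"]
    url = "%s/authn/%s/%s/authenticate" % (cfg["url"], cfg["account"], urllib.parse.quote(login, safe=""))
    return urllib.request.Request(url, data=api_key.encode(), method="POST")


def secret_request(cfg, token, variable_id):
    """GET for one variable: the raw token goes base64-encoded into the Authorization header
    and the variable id (slashes included) is encoded as a single path segment."""
    url = "%s/secrets/%s/variable/%s" % (cfg["url"], cfg["account"], urllib.parse.quote(variable_id, safe=""))
    auth = 'Token token="%s"' % base64.b64encode(token).decode()
    return urllib.request.Request(url, headers={"Authorization": auth})


def fetch_variable(cfg, variable_id):
    """Network round trip: read the token from CONJUR_AUTHN_TOKEN_FILE or obtain one by
    authenticating, then fetch the secret. Certificate validation is never disabled."""
    ctx = ssl.create_default_context(cafile=cfg["cert_file"])
    if cfg["auth"][0] == "token_file":
        with open(cfg["auth"][1], "rb") as fh:
            token = fh.read()
    else:
        with urllib.request.urlopen(authenticate_request(cfg), context=ctx) as resp:
            token = resp.read()
    with urllib.request.urlopen(secret_request(cfg, token, variable_id), context=ctx) as resp:
        return resp.read().decode()
```

Calling fetch_variable(load_conjur_config(os.environ), "staging/demoapp/database/password") performs the same two requests the lookup above triggers for that path.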

Contributing

We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our contributing guide.

License

Copyright (c) 2020 CyberArk Software Ltd. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

For the full license text see LICENSE.
