1.12.4.6 The Conjur credential manager

Configuration

Concourse can be configured to pull credentials from a Cyberark Conjur instance.

The ATC is configured with a Conjur host username and api key or session token. If no host username, api key, or session token is provided, Concourse will attempt to use environment variables.

The ATC's configuration specifies the following:

URL of the Conjur instance.

Environment variable CONCOURSE_CONJUR_APPLIANCE_URL.

conjur-account: string

The Conjur account.

Environment variable CONCOURSE_CONJUR_ACCOUNT.

A valid Conjur host username.

Environment variable CONCOURSE_CONJUR_AUTHN_LOGIN.

The api key that corresponds to the Conjur host username.

Environment variable CONCOURSE_CONJUR_AUTHN_API_KEY.

Token file used if Conjur instance is running in k8s or iam.

Environment variable CONCOURSE_CONJUR_AUTHN_TOKEN_FILE.

Cert file used if conjur instance is using a self signed cert.

Environment variable CONCOURSE_CONJUR_CERT_FILE.

The base path used when attempting to locate a pipeline-level secret.

Environment variable CONCOURSE_CONJUR_PIPELINE_SECRET_TEMPLATE.

Example:

Default: concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}

The base path used when attempting to locate a team-level secret.

Environment variable CONCOURSE_CONJUR_TEAM_SECRET_TEMPLATE.

Example:

Default: concourse/{{.Team}}/{{.Secret}}

The base path used when attempting to locate a vault or safe level secret.

Environment variable CONCOURSE_CONJUR_SECRET_TEMPLATE.

Example:

Default: vaultName/{{.Secret}}

For example, to launch the ATC and enable Conjur, you may configure:

concourse web ... \
  --conjur-appliance-url https://conjur-master.local \
  --conjur-account conjur \
  --conjur-authn-login host/concourse/dev \
  --conjur-authn-api-key 107eaqz167jkzm2q8wjv4mnyj0z12gfkws9wq9gzsjt29v2sn7yvy

# or use env variables
CONCOURSE_CONJUR_APPLIANCE_URL="https://conjur-master.local" \
CONCOURSE_CONJUR_ACCOUNT="conjur" \
CONCOURSE_CONJUR_AUTHN_LOGIN="host/concourse/dev" \
CONCOURSE_CONJUR_AUTHN_API_KEY="107eaqz167jkzm2q8wjv4mnyj0z12gfkws9wq9gzsjt29v2sn7yvy" \
concourse web ...

Conjur Permissions

The following is an example Conjur policy that can be used to grant permissions to a Conjur host. In this example host/concourse will have permissions to read and update all of the secrets within the TEAM_NAME and PIPELINE_NAME policies.

- !host concourse
- !policy
  id: concourse
  owner: !host concourse
  body:
  - !policy 
    id: TEAM_NAME
    body:
    - !variable team-secret-variable
    - !policy
      id: PIPELINE_NAME
      body:
      - !variable pipeline-secret-variable

Note that the TEAM_NAME and PIPELINE_NAME text above should be replaced to fit your Concourse setup.

For more information on how to create and load Conjur policies, review the official documentation.

Credential Lookup Rules

When resolving a parameter such as ((foo_param)), Concourse will look in the following paths, in order:

  • concourse/TEAM_NAME/PIPELINE_NAME/foo_param
  • concourse/TEAM_NAME/foo_param
  • vaultName/foo_param

The leading concourse can be changed by specifying --conjur-pipeline-secret-template or --conjur-team-secret-template variables.

The leading vaultName can be changed by specifying --conjur-secret-template variable.