1.15.4.6 The Conjur credential manager
Configuration
Concourse can be configured to pull credentials from a Cyberark Conjur instance.
The ATC is configured with a Conjur host username and api key or session token. If no host username, api key, or session token is provided, Concourse will attempt to use environment variables.
The ATC's configuration specifies the following:
conjur-appliance-url: string
URL of the Conjur instance.
Environment variable CONCOURSE_CONJUR_APPLIANCE_URL.
conjur-account: string
The Conjur account.
Environment variable CONCOURSE_CONJUR_ACCOUNT.
conjur-authn-login: string
A valid Conjur host username.
Environment variable CONCOURSE_CONJUR_AUTHN_LOGIN.
conjur-authn-api-key: string
The api key that corresponds to the Conjur host username.
Environment variable CONCOURSE_CONJUR_AUTHN_API_KEY.
conjur-authn-token-file: string
Token file used if Conjur instance is running in k8s or iam.
Environment variable CONCOURSE_CONJUR_AUTHN_TOKEN_FILE.
conjur-cert-file: string
Cert file used if conjur instance is using a self signed cert.
Environment variable CONCOURSE_CONJUR_CERT_FILE.
conjur-pipeline-secret-template: string
The base path used when attempting to locate a pipeline-level secret.
Environment variable CONCOURSE_CONJUR_PIPELINE_SECRET_TEMPLATE.
Example:
Default: concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}
conjur-team-secret-template: string
The base path used when attempting to locate a team-level secret.
Environment variable CONCOURSE_CONJUR_TEAM_SECRET_TEMPLATE.
Example:
Default: concourse/{{.Team}}/{{.Secret}}
conjur-secret-template: string
The base path used when attempting to locate a vault or safe level secret.
Environment variable CONCOURSE_CONJUR_SECRET_TEMPLATE.
Example:
Default: vaultName/{{.Secret}}
For example, to launch the ATC and enable Conjur, you may configure:
concourse web ... \
--conjur-appliance-url https://conjur-master.local \
--conjur-account conjur \
--conjur-authn-login host/concourse/dev \
--conjur-authn-api-key 107eaqz167jkzm2q8wjv4mnyj0z12gfkws9wq9gzsjt29v2sn7yvy
# or use env variables
CONCOURSE_CONJUR_APPLIANCE_URL="https://conjur-master.local" \
CONCOURSE_CONJUR_ACCOUNT="conjur" \
CONCOURSE_CONJUR_AUTHN_LOGIN="host/concourse/dev" \
CONCOURSE_CONJUR_AUTHN_API_KEY="107eaqz167jkzm2q8wjv4mnyj0z12gfkws9wq9gzsjt29v2sn7yvy" \
concourse web ...Conjur Permissions
The following is an example Conjur policy that can be used to grant permissions to a Conjur host. In this example host/concourse will have permissions to read and update all of the secrets within the TEAM_NAME and PIPELINE_NAME policies.
- !host concourse
- !policy
id: concourse
owner: !host concourse
body:
- !policy
id: TEAM_NAME
body:
- !variable team-secret-variable
- !policy
id: PIPELINE_NAME
body:
- !variable pipeline-secret-variableNote that the TEAM_NAME and PIPELINE_NAME text above should be replaced to fit your Concourse setup.
For more information on how to create and load Conjur policies, review the official documentation.
Credential Lookup Rules
When resolving a parameter such as ((foo_param)), Concourse will look in the following paths, in order:
concourse/TEAM_NAME/PIPELINE_NAME/foo_paramconcourse/TEAM_NAME/foo_paramvaultName/foo_param
The leading concourse can be changed by specifying --conjur-pipeline-secret-template or --conjur-team-secret-template variables.
The leading vaultName can be changed by specifying --conjur-secret-template variable.
powered by