cyberark / summon-conjur

Licence: MIT license
CyberArk Conjur provider for Summon

summon-conjur

Conjur provider for Summon.

Note: Use the summon-conjurcli provider if you are on Conjur v4.4.0 or earlier.

Note: You must set the environment variable CONJUR_MAJOR_VERSION=4 for this provider to work with Conjur v4.9.

Install

Pre-built binaries and packages are available from GitHub releases here.

Using summon-conjur with Conjur Open Source

Are you using this project with Conjur Open Source? Then we strongly recommend choosing the version of this project to use from the latest Conjur OSS suite release. Conjur maintainers perform additional testing on the suite release versions to ensure compatibility. When possible, upgrade your Conjur version to match the latest suite release; when using integrations, choose the latest suite release that matches your Conjur version. For any questions, please contact us on Discourse.

Homebrew

brew tap cyberark/tools
brew install summon-conjur

Linux (Debian and Red Hat flavors)

deb and rpm files are attached to new releases. These can be installed with dpkg -i summon-conjur_*.deb and rpm -ivh summon-conjur_*.rpm, respectively.

Auto Install

Note: Check the release notes and select an appropriate release to ensure support for your version of Conjur.

Use the auto-install script. This will install the latest version of summon-conjur. The script requires sudo to place summon-conjur in the directory /usr/local/lib/summon.

curl -sSL https://raw.githubusercontent.com/cyberark/summon-conjur/main/install.sh | bash

Manual Install

Otherwise, download the latest release and extract it to the directory /usr/local/lib/summon.

Usage in isolation

Give summon-conjur a variable name and it will fetch it for you and print the value to stdout.

$ # export CONJUR_MAJOR_VERSION=4 for Conjur v4.9
$ summon-conjur prod/aws/iam/user/robot/access_key_id
8h9psadf89sdahfp98

Flags

Usage of summon-conjur:
  -h, --help
	show help (default: false)
  -V, --version
	show version (default: false)
  -v, --verbose
	be verbose (default: false)

Usage as a provider for Summon

Summon is a command-line tool that reads a file in secrets.yml format and injects secrets as environment variables into any process. Once the process exits, the secrets are gone.

Example

As an example let's use the env command:

Following installation, define your keys in a secrets.yml file:

AWS_ACCESS_KEY_ID: !var aws/iam/user/robot/access_key_id
AWS_SECRET_ACCESS_KEY: !var aws/iam/user/robot/secret_access_key

By default, summon will look for secrets.yml in the directory it is called from and export the secret values to the environment of the command it wraps.

Wrap the env command in summon:

$ # export CONJUR_MAJOR_VERSION=4 for Conjur v4.9
$ summon --provider summon-conjur env
...
AWS_ACCESS_KEY_ID=AKIAJS34242K1123J3K43
AWS_SECRET_ACCESS_KEY=A23MSKSKSJASHDIWM
...

summon resolves the entries in secrets.yml with the conjur provider and makes the secret values available to the environment of the command env.

Configuration

This provider uses the same configuration pattern as the Conjur CLI Client to connect to Conjur. Specifically, it loads configuration from:

  • .conjurrc files, located in the home and current directories, or at the path specified by the CONJURRC environment variable.
  • The .conjurrc file at /etc/conjur.conf on Linux/macOS and C:\Windows\conjur.conf on Windows.
  • Environment variables:
    • Version
      • CONJUR_MAJOR_VERSION - must be set to 4 in order for summon-conjur to work with Conjur v4.9.
    • Appliance URLs
      • CONJUR_APPLIANCE_URL
      • CONJUR_CORE_URL
      • CONJUR_AUTHN_URL
    • SSL certificate
      • CONJUR_CERT_FILE
      • CONJUR_SSL_CERTIFICATE
    • Authentication
      • Account
        • CONJUR_ACCOUNT
      • Login
        • CONJUR_AUTHN_LOGIN
        • CONJUR_AUTHN_API_KEY
      • Token
        • CONJUR_AUTHN_TOKEN
        • CONJUR_AUTHN_TOKEN_FILE
      • JWT Token
        • CONJUR_AUTHN_JWT_SERVICE_ID (e.g. kubernetes) NEW!
        • JWT_TOKEN_PATH (optional) (default: /var/run/secrets/kubernetes.io/serviceaccount/token) NEW!

If none of the following is provided: CONJUR_AUTHN_LOGIN together with CONJUR_AUTHN_API_KEY, CONJUR_AUTHN_TOKEN, CONJUR_AUTHN_TOKEN_FILE, or CONJUR_AUTHN_JWT_SERVICE_ID, then the username and API key are read from ~/.netrc, where conjur authn login stores them.

$HOME/.netrc is used as the default .netrc location but you can also specify its location in .conjurrc's field netrc_path:

...
netrc_path: "/etc/conjur.identity"
...

In general, you can ignore the CONJUR_CORE_URL and CONJUR_AUTHN_URL unless you need to specify, for example, an authn proxy.

The provider will fail unless all of the following values are provided:

  • CONJUR_MAJOR_VERSION=4 for Conjur v4.9
  • An appliance URL (CONJUR_APPLIANCE_URL)
  • An organization account (CONJUR_ACCOUNT)
  • A username and API key, or a Conjur authn token, or a path (CONJUR_AUTHN_TOKEN_FILE) to a dynamic Conjur authn token
  • A path to (CONJUR_CERT_FILE) or content of (CONJUR_SSL_CERTIFICATE) the appliance's public SSL certificate
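
One way to check these requirements before invoking summon, as an added example that is not part of the summon-conjur project. It inspects environment variables only and assumes no .conjurrc is in use; the function names and placeholder values are hypothetical, and CONJUR_MAJOR_VERSION is not checked because it depends on the server version.

```bash
# Added example: environment-only preflight for summon-conjur.
# Assumption: no .conjurrc is in play; every setting comes from the environment.

# List each credential source that is fully configured, one per line.
conjur_auth_sources() {
  if [ -n "${CONJUR_AUTHN_LOGIN:-}" ] && [ -n "${CONJUR_AUTHN_API_KEY:-}" ]; then
    echo "login+api_key"
  fi
  if [ -n "${CONJUR_AUTHN_TOKEN:-}" ]; then echo "token"; fi
  if [ -n "${CONJUR_AUTHN_TOKEN_FILE:-}" ]; then echo "token_file"; fi
  if [ -n "${CONJUR_AUTHN_JWT_SERVICE_ID:-}" ]; then echo "jwt"; fi
  return 0
}

# Record one problem on stdout (names only, never values) and mark the run failed.
preflight_fail() { echo "preflight: $1"; preflight_rc=1; }
# Print every problem found; return 0 only when none were found.
conjur_preflight() {
  preflight_rc=0
  [ -n "${CONJUR_APPLIANCE_URL:-}" ] || preflight_fail "CONJUR_APPLIANCE_URL is not set"
  [ -n "${CONJUR_ACCOUNT:-}" ] || preflight_fail "CONJUR_ACCOUNT is not set"
  # Certificate: either a readable file path or the certificate content itself.
  if [ -n "${CONJUR_CERT_FILE:-}" ]; then
    [ -r "$CONJUR_CERT_FILE" ] || preflight_fail "CONJUR_CERT_FILE is not readable"
  elif [ -z "${CONJUR_SSL_CERTIFICATE:-}" ]; then
    preflight_fail "neither CONJUR_CERT_FILE nor CONJUR_SSL_CERTIFICATE is set"
  fi
  # This script's policy: a login without its API key is a misconfiguration.
  if [ -n "${CONJUR_AUTHN_LOGIN:-}" ] && [ -z "${CONJUR_AUTHN_API_KEY:-}" ]; then
    preflight_fail "CONJUR_AUTHN_LOGIN is set without CONJUR_AUTHN_API_KEY"
  fi
  if [ -n "${CONJUR_AUTHN_TOKEN_FILE:-}" ] && [ ! -r "$CONJUR_AUTHN_TOKEN_FILE" ]; then
    preflight_fail "CONJUR_AUTHN_TOKEN_FILE is not readable"
  fi
  # With no credentials in the environment the provider falls back to ~/.netrc.
  if [ -z "$(conjur_auth_sources)" ] && [ ! -r "${HOME:-}/.netrc" ]; then
    preflight_fail "no credentials in the environment and ~/.netrc is not readable"
  fi
  return "$preflight_rc"
}

# Constructed demo with placeholder values, in a subshell so nothing leaks out.
(
  unset CONJUR_CERT_FILE CONJUR_AUTHN_LOGIN CONJUR_AUTHN_API_KEY \
        CONJUR_AUTHN_TOKEN_FILE CONJUR_AUTHN_JWT_SERVICE_ID
  export CONJUR_APPLIANCE_URL="https://conjur.example.test" CONJUR_ACCOUNT="demo"
  export CONJUR_SSL_CERTIFICATE="constructed" CONJUR_AUTHN_TOKEN="constructed"
  conjur_preflight && echo "ok, credential sources: $(conjur_auth_sources)"
)
```

Calling conjur_preflight before summon --provider summon-conjur reports a missing setting by name without echoing any secret value.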

Contributing

We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our contributing guide.
