Manage secrets using CyberArk Conjur
This topic provides information about integrating Deploy with external secrets management tools for secure management of passwords, keys, certificates, and other secrets. While you can choose to manage sensitive key/value pairs for environment-specific information using internal encrypted dictionaries, Deploy also supports integration with the CyberArk Conjur secrets management tool to manage and inject secrets into Deploy. The API-based integration with Conjur enables you to define, manage, and use Conjur as an external data source for secret storage. This API will support future integrations with other secrets management tools.
Compatibility
The xld-cyberark-conjur plugin is compatible with both:
- CyberArk Dynamic Access Provider
- Conjur Open Source server
How it works
The integration with CyberArk Conjur is controlled by the connection to the Conjur server itself, which includes a Conjur policy and the specific list of keys (Variable IDs) that the user can access. For details, see Understanding Conjur policy.
The Deploy integration with Conjur is a Deploy plugin that you install that lets you configure external dictionaries that can be used with your environments. You can also define a Conjur-based lookup provider that can reference and resolve a key/value pair stored in a CyberArk Conjur policy. Deploy does not save or cache the key/value information stored in Conjur in the Deploy system.
Use external CyberArk Conjur-based dictionaries
Managing an external CyberArk Conjur dictionary is similar to how you currently manage internal dictionaries in Deploy.
- You assign a Conjur-based dictionary to an environment.
- During deployment, key/value pairs stored in Conjur will replace defined placeholders in the deployment to the environment.
To manage a Conjur dictionary:
- Define a connection to your CyberArk Conjur server and one or more associated policies.
- Define an external dictionary using this connection that includes Variable IDs for secrets stored in a Conjur policy.
- Associate the external dictionary with an environment.
- Create placeholder references to secrets and other values stored in Conjur.
Use an external CyberArk Conjur lookup provider
For secrets and password fields used with certain CIs, you can establish a Conjur-based lookup provider that resolves a value based on a lookup provider key that you specify. See Create an external lookup value provider for details.
User access control
As with any security-related feature, controlling access to sensitive data needs to be managed as part of the integration. Deploy provides controls to limit access, ensuring that:
- Developers are authenticated and authorized to read secrets
- Role-based access to secrets is supported
- Policies are provided to control credentials and how they can be used
Install the plugin
To install the plugin:
- Download the Deploy CyberArk Conjur plugin from the distribution site.
- Place the plugin inside the XL_DEPLOY_SERVER_HOME/plugins/ directory.
- Restart Deploy.
For additional details on installing or removing a plugin, see Install or remove Deploy plugins.
Create a CyberArk Conjur connection
Deploy supports the CyberArk Conjur secrets management tool through a Conjur connection CI configuration type. This type lets you configure a connection to a CyberArk Conjur server, select a policy, and read key values from it.
To create a new connection to a Conjur server:
- Hover over Configuration, click the menu icon, and select New > secrets > cyberark > conjur > ConjurServer.
- In the Name field, enter a name for the Conjur connection.
- In the Server Address field, enter the address of the Conjur server.
- In the Account field, enter your Conjur account.
- Choose how to authenticate:
  - User - Enter a Username and Password.
  - Host - Enter the Host Name and Host API Key.
- Click Save or Save and close.
Identify a Conjur policy and add it to the server connection
Your Conjur policies already exist on your Conjur server. In Deploy, you include one or more of these policies under your Conjur server connection. Each policy then becomes a CI that can be added to Conjur dictionaries and lookup providers to resolve secrets. To identify a policy on your Conjur server connection:
- Expand the Configuration node.
- Hover over the Conjur server connection, click the menu icon, and select New > secrets > cyberark > conjur > ConjurPolicy.
- In the Name field, enter a name for the Conjur policy.
- If your policy is stored in a directory other than root on your Conjur server, enter the Path.
- Click Save or Save and close.
- Repeat this procedure to create additional policies as needed. Your policies are listed under the Conjur server connection.
- Open the Conjur server connection. The new policies are listed in the Policy Paths field.
Create an external dictionary
Once you have defined your external Conjur server connection and one or more policy CIs, you can create a dictionary that you can associate with your environments. To create an external dictionary:
- Hover over Environments, click the menu icon, and select New > secrets > cyberark > conjur > ConjurDictionary.
- In the Name field, enter a name for the Conjur dictionary.
- In the Conjur policy field, select a Conjur policy that you defined in the Conjur connection.
- In the Variable IDs field, type one or more Variable IDs for secrets stored in Conjur.
- Click Save or Save and close.
Create an external lookup value provider
You can specify certain properties for a CI that should be looked up in an external source. This is useful for sensitive data that is not part of a deployment package such as hosts or cloud targets.
To support this, you can create a special CI type called a LookupValueProvider that references a policy associated with your Conjur connection. Once this configuration is in place, you can select the LookupValueProvider and type a Variable ID for the value that you want to use.
To create a Conjur lookup provider:
- Hover over Configuration, click the menu icon, and select New > secrets > cyberark > conjur > lookup > ConjurLookupValueProvider.
- In the Name field, enter a name for the Conjur lookup provider.
- In the Conjur policy field, select a Conjur policy.
- Click Save or Save and close.
Select an external lookup value provider and key
After creating an external lookup value provider, you can now select it and choose a key when configuring properties for certain CIs. For example, if you want to store and resolve a password for a host CI:
- Hover over Infrastructure, click the menu icon, and select New > overthere > SshHost.
- Complete the required fields for the CI.
- In the SU password field, click the menu icon and select the ConjurLookupProvider you created in Create an external lookup value provider.
- In the Lookup provider key field, type the name of the Variable ID for the value that is stored in Conjur.
- Click Save or Save and close.
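As an added illustration of the API calls behind the connection, dictionary and lookup-provider flows above (example code, not the plugin's own), the script below authenticates to Conjur as a host with its API key, then reads variables by ID to fill Deploy-style {{KEY}} placeholders, fetching values per deployment without caching them. The two endpoints are Conjur's public REST API; the server name, account, host, API key, secret values, the assumed mapping of {{KEY}} to `<policy path>/KEY`, and the offline `fake_transport` are constructed for this example.

```python
import base64
import re
from urllib.parse import quote

PLACEHOLDER = re.compile(r"\{\{([A-Za-z0-9_.-]+)\}\}")   # {{KEY}} placeholders in a deployable


class ConjurClient:
    """Conjur REST calls the integration needs: host login and variable reads.
    `transport(method, url, body, headers) -> bytes` is injected so the example runs offline."""

    def __init__(self, server, account, host_name, api_key, transport):
        self.server, self.account, self.transport = server.rstrip("/"), account, transport
        self.login = quote(f"host/{host_name}", safe="")   # host identities log in as host/<name>
        self.api_key = api_key

    def authenticate(self):
        # POST /authn/{account}/{login}/authenticate, API key as body -> short-lived JSON token
        url = f"{self.server}/authn/{self.account}/{self.login}/authenticate"
        raw = self.transport("POST", url, self.api_key.encode(), {})
        return base64.b64encode(raw).decode()               # sent as: Token token="<base64>"

    def get_variable(self, token, variable_id):
        # GET /secrets/{account}/variable/{id}; the id carries the policy path (prod/db/password)
        url = f"{self.server}/secrets/{self.account}/variable/{quote(variable_id, safe='')}"
        return self.transport("GET", url, None, {"Authorization": f'Token token="{token}"'}).decode()


def resolve_placeholders(client, policy_path, template):
    """Replace each {{KEY}} with Conjur variable '<policy_path>/KEY' (assumed mapping).
    Values are fetched per deployment and neither cached nor logged."""
    token = client.authenticate()
    prefix = policy_path.strip("/")
    def lookup(m):
        return client.get_variable(token, f"{prefix}/{m.group(1)}" if prefix else m.group(1))
    return PLACEHOLDER.sub(lookup, template)


# Constructed stand-in for a Conjur server so the example runs offline; not a real endpoint.
FAKE_SECRETS = {"prod/db/user": "app", "prod/db/password": "s3cr3t"}

def fake_transport(method, url, body, headers):
    if method == "POST" and url.endswith("/authn/myacct/host%2Fdeploy-01/authenticate"):
        assert body == b"constructed-api-key"
        return b'{"protected":"x","payload":"y","signature":"z"}'
    if method == "GET" and headers.get("Authorization", "").startswith('Token token="'):
        return FAKE_SECRETS[url.rsplit("/variable/", 1)[1].replace("%2F", "/")].encode()
    raise PermissionError(f"rejected: {method} {url}")


def demo():
    client = ConjurClient("https://conjur.example", "myacct", "deploy-01", "constructed-api-key", fake_transport)
    return resolve_placeholders(client, "prod/db", "jdbc user={{user}} password={{password}}")
```

A lookup value provider performs the same `get_variable` call for a single Variable ID instead of a placeholder scan.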