cyberark.conjur-lookup-plugin

Ansible Lookup Plugin [DEPRECATED]

The lookup feature described here is now part of Ansible core. This plugin is no longer needed.

This Ansible plugin allows you to find Conjur values in playbooks. It works with Conjur versions 4 and 5.

You can securely retrieve secrets based on the identity of the Ansible controlling host using this plugin. While it offers a simple alternative to the Ansible Vault, it is suggested to only use this plugin as a temporary step toward moving to Conjur in existing Ansible playbooks. You should plan to transition to Summon as soon as you can.

Note: For Conjur version 5, this plugin is included in Ansible versions 2.5.0 and above. Support for version 4 will be available soon.

To assign machine identities to nodes managed by Ansible, see the Conjur Ansible Role.

  • To get started with Conjur, check out this guide
  • For details on how to integrate Conjur with Ansible, visit the Integration Documentation
  • To learn about Summon, the tool for running applications with secrets from Conjur, visit the Summon Webpage
  • For more information on other ways to connect with Conjur, visit our pages on the CLI, API, and Integrations

Installation

To install the Conjur role, use this command:

$ ansible-galaxy install cyberark.conjur-lookup-plugin

Testing

To run the tests, use:

$ cd tests
$ ./test.sh

Requirements

  • A functional Conjur service that the Ansible controlling host can access.
  • A Conjur identity on the Ansible controlling host. It is advisable to log in using the CLI or run the Ansible role beforehand.
  • Ansible version 2.3.0 or higher.

Usage

Set up environment variables as follows:

export CONJUR_ACCOUNT="your_org_account"
#export CONJUR_VERSION="4"
export CONJUR_APPLIANCE_URL="https://conjur-appliance-url"
export CONJUR_CERT_FILE="/path/to/conjur_certificate_file"
export CONJUR_AUTHN_LOGIN="host/host_identity"
export CONJUR_AUTHN_API_KEY="host API Key"

Note: By default, the lookup plugin uses the Conjur 5 API for retrieving secrets. If you are using Conjur v4, set the environment variable CONJUR_VERSION to 4 by uncommenting the relevant line above.

Playbook example:

- hosts: servers
  roles:
    - role: cyberark.conjur-lookup-plugin
  tasks:
    - name: Retrieve secret with master identity
      vars:
        super_secret_key: "{{ lookup('retrieve_conjur_variable', 'path/to/secret') }}"
      shell: echo "Yay! {{super_secret_key}} was just retrieved with Conjur"

Recommendations

  • Add no_log: true to any play that uses sensitive data to prevent it from being logged.
  • Set minimal permissions on Ansible files. The permissions will reflect the user running the Ansible commands.
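The first recommendation applied to the playbook above, as an added example that is not part of the plugin's own documentation. The destination path /etc/myapp/db_password is a hypothetical placeholder, and 'path/to/secret' is the placeholder variable id already used on this page.

```yaml
# Added example: placeholder paths and ids, not the project's own playbook.
- hosts: servers
  roles:
    - role: cyberark.conjur-lookup-plugin
  tasks:
    # Weak pattern (kept as a comment for comparison): the secret is
    # interpolated into a shell command, so it shows up in the task result
    # and in verbose (-v) output.
    # - name: Retrieve secret with master identity
    #   shell: echo "{{ lookup('retrieve_conjur_variable', 'path/to/secret') }}"

    - name: Write Conjur secret to a root-only file
      vars:
        super_secret_key: "{{ lookup('retrieve_conjur_variable', 'path/to/secret') }}"
      copy:
        content: "{{ super_secret_key }}"
        dest: /etc/myapp/db_password   # hypothetical destination
        owner: root
        group: root
        mode: "0600"                   # no access for group or others
      become: true
      no_log: true                     # keep the value out of task output

    - name: Read back the file metadata (not its content)
      stat:
        path: /etc/myapp/db_password
      register: secret_file
      become: true

    - name: Fail the play if the secret file is not mode 0600
      assert:
        that:
          - secret_file.stat.mode == "0600"
```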

License

Apache 2

About the project

Provides access to Conjur variables through a lookup plugin (for backward compatibility only)

Install
ansible-galaxy install cyberark.conjur-lookup-plugin
License
other
Downloads
689
Owner
CyberArk, the undisputed leader in Privileged Account Security, secures secrets used by machines and users to protect traditional and cloud-native apps.