Last active March 6, 2019 14:58
Gist: sgnn7/cbdda589b619dadb3e113cf20c1e4233
CyberArk Conjur IAM authentication
0001_root.yml (root policy; creates the three sub-policies the other files load into):

- !policy conjur/cluster
- !policy conjur/authn-iam
- !policy myapp
0002_authn_iam_prod.yml (loaded into conjur/authn-iam; defines the authn-iam/prod webservice and the group allowed to authenticate through it):

- !policy
  id: prod
  body:
  - !webservice
  - !group clients
  - !permit
    role: !group clients
    privilege: [ read, authenticate ]
    resource: !webservice
0003_myapp.yml (loaded into myapp; the application's secrets, host and access grants):

- &variables
  - !variable database/username
  - !variable database/password

# Create a group that will have permission to retrieve variables
- !group secrets-users

# Give the `secrets-users` group permission to retrieve variables
- !permit
  role: !group secrets-users
  privilege: [ read, execute ]
  resource: *variables

# Create a layer to hold this application's hosts
- !layer

# The host ID must be <AWS account ID>/<IAM role name> of the role we wish to
# authenticate. authn-iam checks them against the caller ARN that STS
# GetCallerIdentity returns for the client's credentials.
- !host 188945769008/conjur-appliance

# Add our host into our layer
- !grant
  role: !layer
  member: !host 188945769008/conjur-appliance

# Give the host in our layer permission to retrieve variables
- !grant
  member: !layer
  role: !group secrets-users
0004_iam_authenticated_users.yml (loaded into root; lets the myapp host use the authn-iam/prod authenticator):

- !grant
  role: !group conjur/authn-iam/prod/clients
  member: !host myapp/188945769008/conjur-appliance
#!/bin/bash
# Order matters: 0004 grants membership in a group created by 0002 to a host
# created by 0003, so both must exist before it loads.
# --replace on root replaces the entire existing root policy; --delete allows
# the resulting deletions to go through.
conjur policy load --delete --replace root 0001_root.yml
conjur policy load conjur/authn-iam 0002_authn_iam_prod.yml
conjur policy load myapp 0003_myapp.yml
conjur policy load root 0004_iam_authenticated_users.yml
# Placeholder values. Real secrets should not be passed as command-line
# arguments (they end up in shell history and process listings).
conjur variable values add myapp/database/username "someusername"
conjur variable values add myapp/database/password "somepassword"
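The policies above only set up the server side. What the host `myapp/188945769008/conjur-appliance` actually sends to Conjur is a SigV4-signed AWS STS `GetCallerIdentity` request: the client signs the request with its own IAM role credentials, posts the signed headers as the body of the authn-iam authenticate call, and Conjur replays the request against STS and compares the returned caller ARN with the host ID. The following is an added example of that client side, written here for this page; it is not part of the gist and not CyberArk's own authn-iam client. It uses only the Python standard library. Assumptions: the Conjur account is named `myorg` and the server is at `https://conjur.example`; the host login carries the `host/` prefix that Conjur uses for host identities; the access key, secret, session token and timestamp in the demo are constructed and non-functional. The authenticator must also be enabled on the Conjur server (`authn-iam/prod` in `CONJUR_AUTHENTICATORS`), which the gist does not show.

```python
"""Client side of Conjur authn-iam: sign STS GetCallerIdentity and post the headers.

Added example for this page, not the gist's or CyberArk's code. Stdlib only.
"""
import base64
import datetime
import hashlib
import hmac
import json
import urllib.parse
import urllib.request

# authn-iam replays the client's signed request against the global STS endpoint,
# so the request is signed for this host, region and service.
STS_HOST = "sts.amazonaws.com"
STS_REGION = "us-east-1"
STS_SERVICE = "sts"
STS_QUERY = "Action=GetCallerIdentity&Version=2011-06-15"
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()

# Constructed, non-functional credentials and a fixed timestamp for offline use.
DEMO_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
DEMO_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DEMO_SESSION_TOKEN = "FwoGZXIvYXdzEXAMPLE"
DEMO_TIME = datetime.datetime(2019, 3, 6, 14, 58, 0, tzinfo=datetime.timezone.utc)


def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sign_get_caller_identity(access_key, secret_key, session_token, now):
    """SigV4-sign GET https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15.

    Returns the headers Conjur needs to replay the call. `now` is a UTC datetime;
    `session_token` is None for long-lived keys and the STS token for role credentials.
    """
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    headers = {
        "host": STS_HOST,
        "x-amz-content-sha256": EMPTY_PAYLOAD_SHA256,
        "x-amz-date": amz_date,
    }
    if session_token:
        headers["x-amz-security-token"] = session_token
    # Canonical request: method, path, query, sorted lowercase headers, signed names, payload hash.
    signed_header_names = ";".join(sorted(headers))
    canonical_headers = "".join(f"{name}:{headers[name]}\n" for name in sorted(headers))
    canonical_request = "\n".join(
        ["GET", "/", STS_QUERY, canonical_headers, signed_header_names, EMPTY_PAYLOAD_SHA256]
    )
    scope = f"{date_stamp}/{STS_REGION}/{STS_SERVICE}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()]
    )
    # Key derivation chain: kSecret -> kDate -> kRegion -> kService -> kSigning.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, STS_REGION)
    k_service = _hmac_sha256(k_region, STS_SERVICE)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_header_names}, Signature={signature}"
    )
    return headers


def conjur_authenticate_url(conjur_url, account, service_id, host_id):
    """authn-iam endpoint. The host login ("host/<id>", assumed) is URL-encoded once, slashes included."""
    return (f"{conjur_url}/authn-iam/{service_id}/{account}/"
            f"{urllib.parse.quote(host_id, safe='')}/authenticate")


def conjur_auth_header(token_bytes):
    """Turn the access token Conjur returns into the Authorization header later API calls use."""
    return 'Token token="%s"' % base64.b64encode(token_bytes).decode("ascii")


def demo_signed_headers(secret_key=DEMO_SECRET_KEY, session_token=DEMO_SESSION_TOKEN):
    """Sign with the constructed demo credentials at the fixed demo time (offline)."""
    return sign_get_caller_identity(DEMO_ACCESS_KEY, secret_key, session_token, DEMO_TIME)


def authenticate(conjur_url, account, service_id, host_id, creds):
    """POST the signed STS headers to Conjur and return the Authorization header value (network)."""
    headers = sign_get_caller_identity(creds["access_key"], creds["secret_key"],
                                       creds.get("session_token"),
                                       datetime.datetime.now(datetime.timezone.utc))
    req = urllib.request.Request(
        conjur_authenticate_url(conjur_url, account, service_id, host_id),
        data=json.dumps(headers).encode("utf-8"),
        headers={"Content-Type": "text/plain"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return conjur_auth_header(resp.read())


if __name__ == "__main__":
    # Offline: show the request that would be posted for the host from 0003_myapp.yml.
    url = conjur_authenticate_url("https://conjur.example", "myorg", "prod",
                                  "host/myapp/188945769008/conjur-appliance")
    print("POST", url)
    print(json.dumps(demo_signed_headers(), indent=2))
```

The signed request never leaves the client's secret key with Conjur: only the signature does, and it is bound to the timestamp, so STS rejects a replay after the SigV4 clock window. On a real EC2 instance or ECS task the three credential values come from the instance or task metadata endpoint, and the session token must be included and signed, otherwise STS cannot resolve the temporary key and the role name Conjur compares against `188945769008/conjur-appliance` is never returned.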