@sgnn7
Last active March 6, 2019 14:58
CyberArk Conjur IAM authentication
0001_root.yml (loaded into the root policy; declares the three top-level policies the other files fill in)

    - !policy conjur/cluster
    - !policy conjur/authn-iam
    - !policy myapp
0002_authn_iam_prod.yml (loaded into conjur/authn-iam; defines the `prod` authenticator service as the webservice conjur/authn-iam/prod and the group conjur/authn-iam/prod/clients that may authenticate against it)

    - !policy
      id: prod
      body:
      - !webservice
      - !group clients
      - !permit
        role: !group clients
        privilege: [ read, authenticate ]
        resource: !webservice
0003_myapp.yml (loaded into myapp; the application's secrets, the layer and the host that will authenticate via IAM)

    - &variables
      - !variable database/username
      - !variable database/password

    # Create a group that will have permission to retrieve variables
    - !group secrets-users

    # Give the `secrets-users` group permission to retrieve variables
    - !permit
      role: !group secrets-users
      privilege: [ read, execute ]
      resource: *variables

    # Create a layer to hold this application's hosts (no id, so it takes the policy id `myapp`)
    - !layer

    # The host ID must be <AWS account ID>/<IAM role name>: the account and
    # role-name components of the ARN of the IAM role the workload runs under
    # (here arn:aws:iam::188945769008:role/conjur-appliance). authn-iam compares
    # the identity STS reports for the signed request against this ID.
    - !host 188945769008/conjur-appliance

    # Add our host into our layer
    - !grant
      role: !layer
      member: !host 188945769008/conjur-appliance

    # Give the host in our layer permission to retrieve variables
    - !grant
      member: !layer
      role: !group secrets-users
0004_iam_authenticated_users.yml (loaded into root; the fully qualified host ID is myapp/188945769008/conjur-appliance because the host was created inside the myapp policy)

    - !grant
      role: !group conjur/authn-iam/prod/clients
      member: !host myapp/188945769008/conjur-appliance
Load script (Conjur CLI; loads the four files in dependency order, then sets the secret values)

    #!/bin/bash
    conjur policy load --delete --replace root 0001_root.yml
    conjur policy load conjur/authn-iam 0002_authn_iam_prod.yml
    conjur policy load myapp 0003_myapp.yml
    conjur policy load root 0004_iam_authenticated_users.yml
    conjur variable values add myapp/database/username "someusername"
    conjur variable values add myapp/database/password "somepassword"