Following this doc: Managing Secrets in Red Hat Ansible Automation Playbooks
We have a policy created for a namespace (safe) coming across from CyberArk, the layer as shown in the doc, and the Host Factory, and loaded into Conjur.
    # Policy namespace for safe serv_ansible
    - !host ansible_controller

    - !policy
      id: SERV_ANSIBLE
      owner: !host ansible_controller
      # this creates a group for use in subsequent grant statements
      # the team we delegate management of the policy to can manage members of the group
      body:
        - !group ansible_readonly

    # this allows use of the iam authenticator
    # the path to the group name is fully qualified to host - because the current context is root policy
    - !grant
      role: !group conjur/authn-iam/prod/clients
      members: !group SERV_ANSIBLE/ansible_readonly

    # the group name appears in Conjur UI in the ID column of the "Groups" tile
    # it can be assembled easily - most parts are static.
    # structure: vault_integration/lob user/safe name/delegation/consumers
    # the path to the group name is fully qualified to host - because the current context is root policy
    - !grant
      role: !group prod_vault/<account>/SERV_ANSIBLE/delegation/consumers
      members: !group SERV_ANSIBLE/ansible_readonly
The one thing I am not able to understand is how the Ansible Controller (Linux EC2 on AWS) where we are executing the playbook is linked to the Policy.
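The link between a host and the rest of the policy is made by role membership, not by the `owner:` line alone. In the posted policy the two `!grant` statements hand the `ansible_readonly` group membership of the authn-iam clients group and of the safe's consumers group, but nothing explicitly makes the controller host a member of `ansible_readonly`. The fragment below is an added example, not code from the original post or from the CyberArk doc; it reuses the posted `ansible_controller` host and `SERV_ANSIBLE/ansible_readonly` group and adds one explicit grant so the chain host -> ansible_readonly -> consumers is visible in the policy itself:

```yaml
# Added example: explicit host -> group membership (not from the original post).
# Assumes the posted root-level policy is already loaded, i.e. the host
# ansible_controller, the SERV_ANSIBLE policy with the ansible_readonly group,
# and the two existing grants onto conjur/authn-iam/prod/clients and
# prod_vault/<account>/SERV_ANSIBLE/delegation/consumers.

# Make the controller host a member of the read-only group.  Through the two
# existing grants this is what lets the host (a) log in via the IAM
# authenticator and (b) read the variables the Vault synchronizer publishes
# for the serv_ansible safe.  Membership is transitive, so nothing else is
# needed for the host to inherit those two roles.
- !grant
  role: !group SERV_ANSIBLE/ansible_readonly
  member: !host ansible_controller
```

Two caveats worth checking against your deployment. First, Conjur treats the owner of a role as a member of that role with admin option, so `owner: !host ansible_controller` on the policy already gives the host a path into `ansible_readonly` implicitly; the explicit grant above is preferable because it states the intent and survives a later change of owner. Second, with `authn-iam` the Conjur host identity is derived from the AWS IAM role the EC2 instance assumes, so the host id has to follow the form the authenticator expects (an `<aws-account-id>/<iam-role-name>` style id under the authenticator's policy, in my understanding of the authn-iam docs); a plain `ansible_controller` id works with API-key login but will not match an IAM identity. Verify which login method the doc you are following uses before relying on the IAM grant.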