How does Conjur identify the host ID for Ansible when you integrate Ansible with a JWT provider (for example, Azure AD)? I see we create a dedicated ‘app registration’ for Ansible for the JWT authentication to work, but I'm wondering how Conjur Cloud identifies the host. Should we use the host ID somewhere in the playbook tasks, or create the Ansible host with annotations using the client ID?
The host is identified through the claims configured for JWT auth. The client presents its JWT to Conjur; Conjur validates that the token is valid by checking with the IdP, then inspects the token for the claims presented. Those claims must match the claims configured for the host identity configured in Conjur policy. If they do, a short-lived access token is granted. AFAIK, the only examples we have for Ansible assume using an API key, so you would need to extend your playbook to perform the steps to present the JWT to Conjur and get the access token. Once you have the access token, the secret lookup function in the collection could be used. I hope that helps clarify, but do let us know if you have follow-up questions.
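To make the "claims must match the host identity in policy" part concrete, here is an added example of the Conjur policy side (written for this page; it is not from the thread above or from CyberArk's docs). The service id `azure-ad`, the host path `data/ansible/ansible-host`, the group name `apps`, and the two GUIDs are constructed placeholders. It pins the host to the Azure AD v2 token's `azp` (client id) and `tid` (tenant id) claims; the `provider-uri`, `audience` and `enforced-claims` variables are set afterwards with `conjur variable set`.

```yaml
# Added example (not from the original thread): Conjur policy declaring an
# authn-jwt service for Azure AD and one host that may authenticate through it.
# Service id, host path, group name and GUIDs are assumptions; replace them.

# 1. The authenticator, loaded under the conjur/authn-jwt branch.
- !policy
  id: conjur/authn-jwt/azure-ad
  body:
    - !webservice

    # How Conjur validates the token. Values are set later, e.g.
    #   provider-uri    -> https://login.microsoftonline.com/<tenant-id>/v2.0
    #   audience        -> api://<client-id>   (must equal the token's "aud")
    #   enforced-claims -> azp,tid             (claims every host MUST pin)
    - !variable provider-uri
    - !variable audience
    - !variable enforced-claims

    # Roles that are allowed to authenticate through this service.
    - !group apps
    - !permit
      role: !group apps
      privilege: [ read, authenticate ]
      resource: !webservice

# 2. The workload identity for the Ansible control node.
#    In Conjur Cloud, application hosts live under the "data" branch.
- !policy
  id: data/ansible
  body:
    - !host
      id: ansible-host
      annotations:
        # A presented JWT must carry exactly these claim values.
        # azp = client id of the app registration (v2 token), tid = tenant id.
        authn-jwt/azure-ad/azp: 11111111-2222-3333-4444-555555555555
        authn-jwt/azure-ad/tid: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee

# 3. Let the host use the authenticator.
- !grant
  role: !group conjur/authn-jwt/azure-ad/apps
  member: !host data/ansible/ansible-host
```

The annotation key is always `authn-jwt/<service-id>/<claim-name>`, so a token from a different app registration (different `azp`) or a different tenant (different `tid`) is rejected even if it is otherwise valid. Listing both claims in `enforced-claims` means a host that forgets to pin them cannot authenticate at all, which is the safer default.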
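And the playbook side, as an added example of the extension the answer describes (it is not from the thread, from CyberArk, or from the `cyberark.conjur` collection's own examples): obtain an Azure AD JWT for the app registration, exchange it at the `authn-jwt` endpoint for a Conjur access token, write that token to a private temporary file, and read a secret with the collection's `conjur_variable` lookup through its `authn_token_file` option. The tenant URL, service id, host path, secret id, scope and the `AZURE_CLIENT_SECRET` environment variable are assumptions. The host id is passed in the URL here; if the authenticator is instead configured with `token-app-property` so the host id is derived from a claim, drop that path segment and Conjur resolves the host from the token.

```yaml
---
# Added example, not part of the original thread or the cyberark.conjur collection.
# All URLs, GUIDs, paths and the env var below are assumptions for illustration.
- name: Read a secret from Conjur Cloud with JWT authentication
  hosts: localhost
  gather_facts: false
  vars:
    azure_tenant_id: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"      # assumed tenant
    azure_client_id: "11111111-2222-3333-4444-555555555555"      # assumed app registration client id
    azure_scope: "api://{{ azure_client_id }}/.default"          # token "aud" must equal Conjur's audience variable
    conjur_url: "https://example.secretsmgr.cyberark.cloud/api"  # assumed Conjur Cloud tenant
    conjur_account: conjur                                       # Conjur Cloud account name
    jwt_service_id: azure-ad                                     # assumed authn-jwt service id
    conjur_host_id: "host/data/ansible/ansible-host"             # assumed host declared in policy
    secret_id: "data/vault/ansible/db-password"                  # assumed variable id
  tasks:
    - name: Get an Azure AD token for the app registration (client credentials)
      # A client secret from the environment is used for illustration; a certificate,
      # federated credential or managed identity would avoid a long-lived secret here.
      ansible.builtin.uri:
        url: "https://login.microsoftonline.com/{{ azure_tenant_id }}/oauth2/v2.0/token"
        method: POST
        body_format: form-urlencoded
        body:
          grant_type: client_credentials
          client_id: "{{ azure_client_id }}"
          client_secret: "{{ lookup('ansible.builtin.env', 'AZURE_CLIENT_SECRET') }}"
          scope: "{{ azure_scope }}"
        return_content: true
      register: aad
      no_log: true

    - name: Exchange the JWT for a short-lived Conjur access token
      # The host id travels URL-encoded (with its "host/" prefix) in the path. Conjur
      # still verifies the token's claims against the host's authn-jwt/<service-id>/<claim>
      # annotations before issuing the access token.
      ansible.builtin.uri:
        url: "{{ conjur_url }}/authn-jwt/{{ jwt_service_id }}/{{ conjur_account }}/{{ conjur_host_id | replace('/', '%2F') }}/authenticate"
        method: POST
        body_format: form-urlencoded
        body:
          jwt: "{{ aad.json.access_token }}"
        headers:
          Accept-Encoding: base64      # Conjur returns the token already base64-encoded
        return_content: true
      register: conjur_auth
      no_log: true

    - name: Create a private (0600) temporary file for the access token
      ansible.builtin.tempfile:
        state: file
        suffix: .conjur-token
      register: token_file

    - name: Use the access token, then always remove it
      block:
        - name: Write the access token to the temporary file
          ansible.builtin.copy:
            content: "{{ conjur_auth.content }}"
            dest: "{{ token_file.path }}"
            mode: "0600"
          no_log: true

        - name: Fetch the secret with the collection lookup using the token file
          ansible.builtin.set_fact:
            db_password: "{{ lookup('cyberark.conjur.conjur_variable', secret_id,
                                    conjur_appliance_url=conjur_url,
                                    conjur_account=conjur_account,
                                    authn_token_file=token_file.path) }}"
          no_log: true
      always:
        - name: Remove the token file
          ansible.builtin.file:
            path: "{{ token_file.path }}"
            state: absent
```

Two points worth checking when adapting this: the `aud` of the Azure AD token must equal the authenticator's `audience` variable exactly (with the scope above that is `api://<client-id>`), and every task that handles the JWT, the access token or the secret carries `no_log: true`, otherwise the values end up in the play output and any log shipper behind it.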