AWS IAM Authenticator error

Hello Everyone,

I am trying to set up the AWS IAM authenticator and am running into the following error message while trying to execute the Python code that is present here

Error message I am seeing is below
Python script


Screenshot from logs page

I am using DAP 5.7.1 and have run

evoke variable set value CONJUR_AUTHENTICATORS=authn-iam/prod
on the master, which enabled the authenticator.

Applied the policies explained on this page:
https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/Latest/en/Content/Operations/Services/AWS_IAM_Authenticator.htm?tocpath=Integrations|_____7

@AndrewCopeland @nathan.whipple Appreciate if you could help in addressing this issue. Thank you

Hi sjohnkennedy,

After running the evoke variable set value CONJUR_AUTHENTICATORS=authn-iam/prod the IAM authenticator should be enabled.
Could you hit the https://$CONJUR_APPLIANCE_URL/info endpoint and provide the JSON? This will show which authenticators have been configured and enabled.

Also could you please share the policy you loaded to configure your policy and host.

One thing to note is that you must configure CONJUR_AUTHENTICATORS on the instance the application is talking to, so if you set CONJUR_AUTHENTICATORS on the master but not on the followers, applications talking to a follower will not be able to authenticate.

Thanks,
Andrew

@AndrewCopeland

Please find the requested details attached. I have only the master up and running and am not using followers for authentication. I see here that only authn is enabled in the info. This is causing the error message. How can this be corrected?

{
  "services": {
    "evoke": {
      "desired": "i",
      "status": "i",
      "err": null,
      "name": "conjur-evoke",
      "version": "5.15.1.1-4af4f30",
      "arch": "amd64"
    },
    "ldap-sync": {
      "desired": "i",
      "status": "i",
      "err": null,
      "name": "conjur-ldap-sync",
      "version": "2.1.4.0-3c52a79",
      "arch": "amd64"
    },
    "possum": {
      "desired": "i",
      "status": "i",
      "err": null,
      "name": "conjur-possum",
      "version": "1.4.6.15-63d5156",
      "arch": "amd64"
    },
    "ui": {
      "desired": "i",
      "status": "i",
      "err": null,
      "name": "conjur-ui",
      "version": "2.10.16.0-2c3911b7",
      "arch": "amd64"
    }
  },
  "container": "a11bf9e10070",
  "role": "master",
  "configuration": {
    "conjur": {
      "role": "master",
      "account": "CAU",
      "hostname": "ip-172-31-15-132.us-east-2.compute.internal",
      "master_altnames": [
        "ip-172-31-15-132.us-east-2.compute.internal",
        "localhost",
        "conjur"
      ]
    }
  },
  "authenticators": {
    "installed": [
      "authn",
      "authn-iam",
      "authn-k8s",
      "authn-ldap",
      "authn-oidc"
    ],
    "configured": [
      "authn",
      "authn-iam/prod"
    ],
    "enabled": [
      "authn"
    ]
  }
}

Policy file for authenticator

policy id needs to match the convention conjur/authn-iam/<service ID>

- !policy
  id: conjur/authn-iam/prod
  body:
  - !webservice
  - !group clients

  - !permit
    role: !group clients
    privilege: [ read, authenticate ]
    resource: !webservice

Host creation yaml file

- !policy
  id: myapp
  body:
  - &variables
    - !variable database/username
    - !variable database/password

  # Create a group that will have permission to retrieve variables
  - !group secrets-users

  # Give the `secrets-users` group permission to retrieve variables
  - !permit
    role: !group secrets-users
    privilege: [ read, execute ]
    resource: *variables

  # Create a layer to hold this application's hosts
  - !layer

  # The host ID needs to match the AWS ARN of the role we wish to authenticate.
  - !host <awsaccountname>/conjur-role

  # Add our host into our layer
  - !grant
    role: !layer
    member: !host <awsaccountname>/conjur-role

  # Give the host in our layer permission to retrieve variables
  - !grant
    member: !layer
    role: !group secrets-users

So it looks like the authenticator is configured but not enabled.
There could have been a small typo when attempting to enable this authenticator.
Could you execute the following command on the master container:
evoke variables set CONJUR_AUTHENTICATORS=authn,authn-iam/prod
After doing this, the /info endpoint should return this authenticator as enabled, and it can be used.

Also to add, it doesn’t look like !host myapp/<awsaccountnumber>/conjur-role is a member of !group conjur/authn-iam/prod/clients.

The following policy will need to be loaded.

- !grant
  role: !group conjur/authn-iam/prod/clients
  member: !host myapp/<awsaccountnumber>/conjur-role

Thanks,
Andrew

Also to add, this repo has been moved to the Cyberark Github organization. The new link can be found here:

Thanks,
Andrew
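To make concrete what the host ID and the clients-group grant above are for, here is an added example of the authn-iam exchange itself, written for this thread and not taken from the original post or from CyberArk's own client. The client signs an STS GetCallerIdentity request with SigV4 and hands the signed headers to Conjur; Conjur replays them to STS and compares the returned ARN against the host ID in the URL, which is why the host must be named `<aws account>/<role name>` and must be a member of `conjur/authn-iam/prod/clients`. The appliance URL `https://conjur.example`, the credentials and the account number `123456789012` (standing in for the thread's `<awsaccountnumber>` placeholder) are all constructed values; the account `CAU` and service ID `prod` come from the thread. `authenticate()` needs network access and is not exercised offline.

```python
import datetime
import hashlib
import hmac
import json
import ssl
import urllib.parse
import urllib.request

# authn-iam validates a SigV4-signed GetCallerIdentity call against the global
# STS endpoint, so the request is always signed for sts.amazonaws.com/us-east-1.
STS_HOST = "sts.amazonaws.com"
STS_REGION = "us-east-1"
STS_SERVICE = "sts"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"


def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signed_get_caller_identity(access_key, secret_key, session_token=None, now=None):
    """Return the headers of a SigV4-signed POST GetCallerIdentity request.

    Nothing is sent to AWS here: the signed headers are what the client hands
    to Conjur, and Conjur replays them to STS to learn the caller's ARN.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")

    headers = {"host": STS_HOST, "x-amz-date": amz_date}
    if session_token:  # present for assumed roles and instance profiles
        headers["x-amz-security-token"] = session_token

    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(STS_BODY.encode("utf-8")).hexdigest()
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed, payload_hash])

    scope = f"{date_stamp}/{STS_REGION}/{STS_SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])

    # Standard SigV4 key derivation chain.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, STS_REGION)
    k_service = _hmac_sha256(k_region, STS_SERVICE)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}"
    )
    return headers


def authn_iam_url(appliance_url, account, service_id, host_id):
    """Build the authn-iam authenticate URL for a policy host.

    The login is "host/<host id>" and must be URL-encoded with every "/"
    escaped, so myapp/<account>/conjur-role becomes
    host%2Fmyapp%2F<account>%2Fconjur-role in the path.
    """
    login = urllib.parse.quote(f"host/{host_id}", safe="")
    return f"{appliance_url.rstrip('/')}/authn-iam/{service_id}/{account}/{login}/authenticate"


def authenticate(appliance_url, account, service_id, host_id, signed_headers, cafile=None):
    """POST the signed headers to Conjur and return the raw access token.

    Callers base64-encode the token for the Authorization: Token token="..."
    header on later requests. The appliance certificate is always verified;
    pass cafile for a private CA instead of disabling verification.
    """
    url = authn_iam_url(appliance_url, account, service_id, host_id)
    body = json.dumps(signed_headers).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="POST")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed credentials; on EC2 these come from the instance metadata service.
    hdrs = signed_get_caller_identity("AKIAEXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "constructed-token")
    print(authn_iam_url("https://conjur.example", "CAU", "prod", "myapp/123456789012/conjur-role"))
    print(json.dumps(hdrs, indent=2))
```

The signed headers are short-lived (STS rejects signatures older than a few minutes), so sign immediately before calling Conjur rather than caching the result.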

Thanks for your response. For some reason it's not getting enabled at all. I am not sure what is going on. Please see the screenshot from the master, but I am still getting the message that it is not enabled.

root@a11bf9e10070:/opt/conjur/etc# evoke variable set value CONJUR_AUTHENTICATORS=authn,authn-iam/prod
Stopping all services...
ok: down: conjur: 0s, normally up
ok: down: nginx: 0s, normally up
ok: down: pg: 1s, normally up
Starting all services...
ok: run: pg: (pid 1766) 0s
ok: run: nginx: (pid 1826) 0s
ok: run: conjur: (pid 1829) 0s
DATABASE_URL=postgres:///conjur


value=CONJUR_AUTHENTICATORS\=authn,authn-iam/prod
root@a11bf9e10070:/opt/conjur/etc# cat conjur.conf
CONJUR_ACCOUNT=CAU
ENABLED=true
TRUSTED_PROXIES=127.0.0.1/32
DATABASE_URL=postgres:///conjur


value=CONJUR_AUTHENTICATORS\=authn,authn-iam/prod

I tried manually updating the file /opt/conjur/etc/conjur.conf and stopped and started the conjur service, but it does not make any difference. Thank you

So I gave you the wrong command :confused:. Those environment variables don't look right :smiley:.

Execute the following command:

evoke variable set CONJUR_AUTHENTICATORS authn-iam/prod

Thanks,
Andrew

@AndrewCopeland Thank you it did the trick and I am able to use the IAM Authenticator.

I have two follow-up questions

If we need to add additional authenticators to Conjur, e.g. authn-iam/dev and authn-iam/test, how should that be added in the environment variables?

Where can I find the reference on how to retrieve secrets using Python? I was able to list the variables using your example, and it would be helpful if you could help me with other examples. Thanks

One way is to copy this file (/opt/conjur/etc/conjur.conf) to all of the Conjur instances.

This file is sourced every time the conjur service is started and contains the environment variable CONJUR_AUTHENTICATORS.

Another way is to set the environment variables of the container using the docker --env flag.

The library you are using returns a client object; this client object can be found here: https://github.com/cyberark/conjur-api-python3.

These are all of the supported client methods: https://github.com/cyberark/conjur-api-python3#currently-supported-client-methods

Thanks,
Andrew
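Two things in this thread are worth turning into a repeatable check: the diagnosis that an authenticator can be configured but not enabled (only the "enabled" list in /info matters for the error the original poster saw), and the follow-up question about adding several service IDs, which are comma-separated in one CONJUR_AUTHENTICATORS value set with `evoke variable set <NAME> <VALUE>`. The following is an added example written for this thread, not code from the original post or from CyberArk; `SAMPLE_INFO` is a constructed response mirroring the shape of the JSON posted above, the appliance URL is an assumption, and `fetch_info()` needs network access and is not exercised offline.

```python
import json
import ssl
import urllib.request

# Constructed sample of the /info response, trimmed to the fields this check
# uses and mirroring the state reported in this thread (not a live response).
SAMPLE_INFO = {
    "role": "master",
    "authenticators": {
        "installed": ["authn", "authn-iam", "authn-k8s", "authn-ldap", "authn-oidc"],
        "configured": ["authn", "authn-iam/prod"],
        "enabled": ["authn"],
    },
}


def fetch_info(appliance_url, cafile=None):
    """GET https://<appliance>/info and return the parsed JSON.

    Run this against every node applications talk to (master and each
    follower), since CONJUR_AUTHENTICATORS is per instance. The certificate
    is verified; pass cafile for a private CA instead of disabling checks.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    url = f"{appliance_url.rstrip('/')}/info"
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return json.load(resp)


def authenticator_status(info, authenticator):
    """Report where one authenticator stands on this appliance.

    `authenticator` is the full ID as used in CONJUR_AUTHENTICATORS, for
    example "authn-iam/prod"; the "installed" list only carries the type.
    """
    auths = info["authenticators"]
    kind = authenticator.split("/", 1)[0]
    return {
        "installed": kind in auths["installed"],
        "configured": authenticator in auths["configured"],
        "enabled": authenticator in auths["enabled"],
    }


def configured_but_not_enabled(info):
    """Authenticators that have policy loaded but are not switched on."""
    auths = info["authenticators"]
    return [a for a in auths["configured"] if a not in auths["enabled"]]


def evoke_enable_command(info, extra=()):
    """Build the evoke command enabling every configured authenticator plus
    any extra service IDs (e.g. authn-iam/dev), comma-separated, with the
    value passed as a separate argument rather than as NAME=VALUE.
    """
    wanted = list(info["authenticators"]["configured"])
    for a in extra:
        if a not in wanted:
            wanted.append(a)
    return f"evoke variable set CONJUR_AUTHENTICATORS {','.join(wanted)}"


if __name__ == "__main__":
    info = SAMPLE_INFO  # replace with fetch_info("https://conjur.example") for a real appliance
    print("role:", info["role"])
    for a in configured_but_not_enabled(info):
        print(f"{a}: configured but NOT enabled")
    print(evoke_enable_command(info, extra=["authn-iam/dev", "authn-iam/test"]))
```

An authenticator listed under "installed" and "configured" but absent from "enabled" is exactly the state shown earlier in the thread; the command the function prints is the per-node fix, and the same value must be applied on each follower that applications authenticate against.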

