Concourse integration with DAP

chris_barber · February 14, 2020, 2:54pm

We are spinning up our DAP integration with Concourse and need to know how to specify variables that we want to retrieve in our pipelines. We have the documentation on how to start up the Concourse container with DAP environment variables, but aren’t sure how to use it.

AndrewCopeland · February 14, 2020, 4:37pm

Hi Chris,

I actually made this integration and would be more than happy to help you!
Are secrets being stored in Cyberark’s Vault and then sync’d into Conjur? Or are you creating the secrets directly in Conjur/DAP?

Using the Cyberark Vault Synchronizer:

Concourse is flexible when it comes to secrets retrieval. Below are different scenarios and you can decide which is best for your use case.

If the concourse identity is a member of one safe and all teams within that concourse instances can retrieve all the secrets within this safe.
Where:
vault name = DemoVault
LOB User = syncUser
safe name = CONCOURSE_DEVOPS

Then:
CONCOURSE_CONJUR_SECRET_TEMPLATE=DemoVault/syncUser/CONCOURSE_DEVOPS/{{.Secret}}

Usage (When target account is Database-OracleDB-10.0.0.1-dbUser):

---
jobs:
  - name: job-conjur-api-key
    public: true
    plan:
      - task: print-env
        config:
          platform: linux
          image_resource:
            type: docker-image
            source: {repository: busybox}
          run:
            path: env
            args: []
          params:
            DB_ADDRESS: ((Database-OracleDB-10.0.0.1-dbUser/address))
            DB_USERNAME: ((Database-OracleDB-10.0.0.1-dbUser/username))
            DB_PASSWORD: ((Database-OracleDB-10.0.0.1-dbUser/password))

If you would like a safe per concourse team (this allows for more granular control of what each team has access to).
Where:
vault name = DemoVault
LOB User = syncUser
safe name = CONCOURSE_DEVOPS_team1

Then:
CONCOURSE_CONJUR_SECRET_TEMPLATE=DemoVault/syncUser/CONCOURSE_DEVOPS_{{.Team}}/{{.Secret}}

As you see above the safe name will be a specific convention with the team name.

Usage:
Is the same as above.

Hopefully this answers your question and please let me know if you have any other questions.

Regards,
Andrew

chris_barber · February 14, 2020, 4:52pm

Thank you for your quick response! I believe this is exactly what we need. I will post again if we run into any problems.

chris_barber · August 1, 2022, 7:23pm

Hey Andrew,

I guess I’m just picking this back up, but I’m having trouble making this work. Here’s what I’m seeing:

I have logged into the conjur cli using the creds in the docker file and verified that the host has permission on that safe.

Topic		Replies	Views
Concourse Integration Conjur Enterprise	5	1580	March 20, 2020
Possible to populate Azure DevOps Pipeline variable with password from CyberArk Secrets Management - Conjur, Secrets Hub & CP azure , pipeline	3	440	October 10, 2023
Platform for storing the generic secrets in CyberArk for syncing to DAP/Conjur Conjur Enterprise	7	970	July 8, 2020
Conjur Ansible Lookup Plugin and SSH Key File Secrets Management - Conjur, Secrets Hub & CP ansible , dap	2	1671	November 20, 2020
Integrate Kubernetes secrets with cyberark Conjur Enterprise opensource , howto	4	807	July 8, 2020

Concourse integration with DAP

Related topics