Concourse integration with DAP

We are spinning up our DAP integration with Concourse and need to know how to specify variables that we want to retrieve in our pipelines. We have the documentation on how to start up the Concourse container with DAP environment variables, but aren’t sure how to use it.

Hi Chris,

I actually made this integration and would be more than happy to help you!
Are secrets being stored in CyberArk’s Vault and then synced into Conjur? Or are you creating the secrets directly in Conjur/DAP?

Using the CyberArk Vault Synchronizer:

Concourse is flexible when it comes to secrets retrieval. Below are different scenarios and you can decide which is best for your use case.

If the Concourse identity is a member of one safe and all teams within that Concourse instance can retrieve all the secrets within this safe:
Where:
vault name = DemoVault
LOB User = syncUser
safe name = CONCOURSE_DEVOPS

Then:
CONCOURSE_CONJUR_SECRET_TEMPLATE=DemoVault/syncUser/CONCOURSE_DEVOPS/{{.Secret}}

Usage (When target account is Database-OracleDB-10.0.0.1-dbUser):

---
jobs:
  - name: job-conjur-api-key
    public: true
    plan:
      - task: print-env
        config:
          platform: linux
          image_resource:
            type: docker-image
            source: {repository: busybox}
          run:
            path: env
            args: []
          params:
            DB_ADDRESS: ((Database-OracleDB-10.0.0.1-dbUser/address))
            DB_USERNAME: ((Database-OracleDB-10.0.0.1-dbUser/username))
            DB_PASSWORD: ((Database-OracleDB-10.0.0.1-dbUser/password))

If you would like a safe per Concourse team (this allows for more granular control of what each team has access to):
Where:
vault name = DemoVault
LOB User = syncUser
safe name = CONCOURSE_DEVOPS_team1

Then:
CONCOURSE_CONJUR_SECRET_TEMPLATE=DemoVault/syncUser/CONCOURSE_DEVOPS_{{.Team}}/{{.Secret}}

As you see above, the safe name will follow a specific convention with the team name.

Usage:
Is the same as above.

Hopefully this answers your question and please let me know if you have any other questions.

Regards,
Andrew

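The template expansion described in the reply above, as an added example that is not part of the original post or Concourse's own code: it pulls the `((name))` references out of a pipeline and renders the Conjur variable IDs that would be requested for a given team, which is the list to compare against what the Concourse host is permitted to read. It assumes the text between `((` and `))` is substituted unchanged for `{{.Secret}}`; `ConjurIDs`, `Scope` and `samplePipeline` are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Scope holds the values behind the {{.Team}} and {{.Secret}} placeholders.
type Scope struct{ Team, Secret string }

// varRef matches ((name)) references in pipeline text.
var varRef = regexp.MustCompile(`\(\(([^()]+)\)\)`)

// ConjurIDs renders tmpl for each distinct ((name)) in pipeline, in order.
func ConjurIDs(tmpl, team, pipeline string) ([]string, error) {
	t, err := template.New("secret").Parse(tmpl)
	if err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	var ids []string
	for _, m := range varRef.FindAllStringSubmatch(pipeline, -1) {
		var b strings.Builder
		if err := t.Execute(&b, Scope{team, strings.TrimSpace(m[1])}); err != nil {
			return nil, err
		}
		if id := b.String(); !seen[id] {
			seen[id] = true
			ids = append(ids, id)
		}
	}
	return ids, nil
}

// Constructed sample: the params block of the pipeline shown in the thread.
const samplePipeline = `params:
  DB_ADDRESS: ((Database-OracleDB-10.0.0.1-dbUser/address))
  DB_USERNAME: ((Database-OracleDB-10.0.0.1-dbUser/username))
  DB_PASSWORD: ((Database-OracleDB-10.0.0.1-dbUser/password))`

func main() {
	tmpl := "DemoVault/syncUser/CONCOURSE_DEVOPS_{{.Team}}/{{.Secret}}"
	ids, err := ConjurIDs(tmpl, "team1", samplePipeline)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(ids, "\n"))
}
```

With the per-team template, the same pipeline run under a different team name resolves to a different safe, so a host entitled only to `CONCOURSE_DEVOPS_team1` cannot serve another team's lookups.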

Thank you for your quick response! I believe this is exactly what we need. I will post again if we run into any problems.

Hey Andrew,

I guess I’m just picking this back up, but I’m having trouble making this work. Here’s what I’m seeing:

I have logged into the Conjur CLI using the creds in the docker file and verified that the host has permission on that safe.