Concourse integration with DAP

Hi Chris,

I actually made this integration and would be more than happy to help you!
Are secrets being stored in Cyberark’s Vault and then synced into Conjur? Or are you creating the secrets directly in Conjur/DAP?

Using the Cyberark Vault Synchronizer:

Concourse is flexible when it comes to secrets retrieval. Below are different scenarios and you can decide which is best for your use case.

If the Concourse identity is a member of one safe, all teams within that Concourse instance can retrieve all the secrets within this safe.
Where:
vault name = DemoVault
LOB User = syncUser
safe name = CONCOURSE_DEVOPS

Then:
CONCOURSE_CONJUR_SECRET_TEMPLATE=DemoVault/syncUser/CONCOURSE_DEVOPS/{{.Secret}}

Usage (when the target account is Database-OracleDB-10.0.0.1-dbUser):

---
jobs:
  - name: job-conjur-api-key
    public: true
    plan:
      - task: print-env
        config:
          platform: linux
          image_resource:
            type: docker-image
            source: {repository: busybox}
          run:
            path: env
            args: []
          params:
            DB_ADDRESS: ((Database-OracleDB-10.0.0.1-dbUser/address))
            DB_USERNAME: ((Database-OracleDB-10.0.0.1-dbUser/username))
            DB_PASSWORD: ((Database-OracleDB-10.0.0.1-dbUser/password))

If you would like a safe per Concourse team (this allows more granular control of what each team has access to):
Where:
vault name = DemoVault
LOB User = syncUser
safe name = CONCOURSE_DEVOPS_team1

Then:
CONCOURSE_CONJUR_SECRET_TEMPLATE=DemoVault/syncUser/CONCOURSE_DEVOPS_{{.Team}}/{{.Secret}}

As you can see above, the safe name follows a specific convention that includes the team name.

Usage: the same as above.

Hopefully this answers your question; please let me know if you have any other questions.

Regards,
Andrew

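An added example, not part of Andrew's reply or of Concourse's own code: a small Go program that renders the two CONCOURSE_CONJUR_SECRET_TEMPLATE values from the reply with Go's text/template (the template engine Concourse uses) to show which Conjur variable ID a ((...)) reference resolves to for each team, and that a mistyped template field fails instead of yielding a partial path. It assumes the ((...)) path is passed through unchanged as .Secret; the team and pipeline names are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Fields Concourse's Conjur credential manager exposes to the secret template.
// Team and Pipeline come from the job resolving the reference; Secret is the
// path written inside ((...)).
type secretRef struct {
	Team     string
	Pipeline string
	Secret   string
}

// renderConjurPath expands one template for one ((...)) reference and returns
// the Conjur variable ID that would be looked up. A template naming a field
// that does not exist (e.g. {{.Secrt}}) returns an error rather than a
// silently truncated path.
func renderConjurPath(tmpl, team, pipeline, secret string) (string, error) {
	t, err := template.New("conjur").Parse(tmpl)
	if err != nil {
		return "", fmt.Errorf("parse %q: %w", tmpl, err)
	}
	var out bytes.Buffer
	if err := t.Execute(&out, secretRef{Team: team, Pipeline: pipeline, Secret: secret}); err != nil {
		return "", fmt.Errorf("execute %q: %w", tmpl, err)
	}
	return out.String(), nil
}

func main() {
	// Constructed sample: both templates from the reply, resolved for the same
	// ((Database-OracleDB-10.0.0.1-dbUser/password)) reference from two teams.
	const shared = "DemoVault/syncUser/CONCOURSE_DEVOPS/{{.Secret}}"
	const perTeam = "DemoVault/syncUser/CONCOURSE_DEVOPS_{{.Team}}/{{.Secret}}"
	ref := "Database-OracleDB-10.0.0.1-dbUser/password"
	for _, team := range []string{"team1", "team2"} {
		for _, tmpl := range []string{shared, perTeam} {
			p, err := renderConjurPath(tmpl, team, "demo-pipeline", ref)
			if err != nil {
				fmt.Println("error:", err)
				continue
			}
			fmt.Printf("%-5s -> %s\n", team, p)
		}
	}
}
```

With the shared template both teams resolve to the same CONCOURSE_DEVOPS path; with the per-team template each team's lookups land under its own CONCOURSE_DEVOPS_<team> safe, which is the boundary the synchronizer's safe membership then enforces.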