I am trying to set up Conjur for Concourse integration. I have the sample configuration from the documentation below. I have a question on ‘conjur-account’ parameter. Is this an additional account that needs to be created in Conjur or is this optional since I have host/api-key? I appreciate any help. Thanks!
I had an issue where one of the reasons was the account/login mapping (Authenticator pod failing to authenticate).
Back then @nathan.whipple helped a lot in understanding, so, tagging to see if he can help on this one as well
Cheers.
@sonny typically you set the Conjur account when you deploy and configure Conjur. This page on DAP policy may help to explain it more - it says
Every DAP appliance has an account name, supplied during the installation process. We frequently refer to this as the “organization account”.
Note: the same is true for Conjur OSS - but this example is from the DAP docs.
One way to remind yourself of the account you configured DAP with is to log in via the CLI and run conjur list - the output will look something like:
# conjur list
[
"dap-dev:policy:root",
"dap-dev:policy:vault",
"dap-dev:policy:vault/test",
"dap-dev:policy:vault/test/safe",
"dap-dev:variable:vault/test/safe/object1/username",
"dap-dev:variable:vault/test/safe/object1/password",
"dap-dev:variable:vault/test/safe/object2/username",
"dap-dev:variable:vault/test/safe/object2/password",
"dap-dev:group:vault/test/safe/delegation/consumers",
"dap-dev:policy:apps",
"dap-dev:host:apps/myhost"
]
Every returned result is of the form account:kind:id - so the first entry (dap-dev) in each result is your organizational account, and what you should submit to the concourse integration in the conjur-account flag.
Hope this helps, but feel free to write back if you have any follow-up questions.
Hi sonny,
Also a quick way to get the conjur account of your instance is to execute the following curl command:
curl -k https://<conjur instance hostname>/info
The returned result should look something like this:
{
"release": "11.2.1",
"version": "5.6.3",
"services": {
"evoke": {
"desired": "i",
"status": "i",
"err": null,
"name": "conjur-evoke",
"version": "5.14.4.0-2305659",
"arch": "amd64"
},
"ldap-sync": {
"desired": "i",
"status": "i",
"err": null,
"name": "conjur-ldap-sync",
"version": "2.1.4.11-1631cbb",
"arch": "amd64"
},
"possum": {
"desired": "i",
"status": "i",
"err": null,
"name": "conjur-possum",
"version": "1.4.5.1-1717fa6",
"arch": "amd64"
},
"ui": {
"desired": "i",
"status": "i",
"err": null,
"name": "conjur-ui",
"version": "2.10.15.15-1f38b59f",
"arch": "amd64"
}
},
"role": "master",
"configuration": {
"conjur": {
"role": "master",
"account": "conjur",
"hostname": "conjur-master",
"master_altnames": [
"conjur-master",
"localhost",
"conjur"
]
}
},
"authenticators": {
"installed": [
"authn",
"authn-iam",
"authn-jenkins",
"authn-k8s",
"authn-ldap",
"authn-oidc"
],
"configured": [
"authn",
"authn-jenkins/prod"
],
"enabled": [
"authn",
"authn-jenkins/prod"
]
}
}
You can find the conjur account in the configuration => conjur => account.
I am very familiar with the concourse integration so please leave a comment if you have any other issues.
Regards,
Andrew
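As an added example (not code from the thread or from CyberArk), the Python below pulls the account out of both places the replies above point to: the account:kind:id prefix of each conjur list entry and configuration.conjur.account in the /info response, and reports a mismatch against the value you plan to put in conjur-account. The sample inputs are constructed from the outputs quoted in the thread.

```python
import json

# Constructed sample: a trimmed `conjur list` result in the account:kind:id
# form shown in the thread (account "dap-dev").
SAMPLE_LIST = json.dumps([
    "dap-dev:policy:root",
    "dap-dev:variable:vault/test/safe/object1/username",
    "dap-dev:host:apps/myhost",
])

# Constructed sample: the part of the /info response the thread points to
# (configuration => conjur => account), here from a different instance.
SAMPLE_INFO = json.dumps({"configuration": {"conjur": {"account": "conjur"}}})


def parse_resource_id(rid):
    """Split a Conjur resource ID into (account, kind, id).

    Only the first two colons are delimiters; the id part may itself
    contain colons, so split at most twice."""
    parts = rid.split(":", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"malformed resource id: {rid!r}")
    return tuple(parts)


def account_from_list(list_json):
    """Return the single account prefix shared by every listed resource."""
    accounts = {parse_resource_id(r)[0] for r in json.loads(list_json)}
    if len(accounts) != 1:
        raise ValueError(f"expected exactly one account, saw {sorted(accounts)}")
    return accounts.pop()


def account_from_info(info_json):
    """Return configuration.conjur.account from a /info response body."""
    return json.loads(info_json)["configuration"]["conjur"]["account"]


def check_conjur_account(configured, list_json=None, info_json=None):
    """Compare the conjur-account value you intend to configure against what
    the instance reports; return a list of human-readable mismatches."""
    findings = []
    if list_json is not None and account_from_list(list_json) != configured:
        findings.append(f"conjur list shows account "
                        f"{account_from_list(list_json)!r}, not {configured!r}")
    if info_json is not None and account_from_info(info_json) != configured:
        findings.append(f"/info reports account "
                        f"{account_from_info(info_json)!r}, not {configured!r}")
    return findings
```

Feed it the real outputs of conjur list and curl -k https://<conjur instance hostname>/info from the same instance; an empty findings list means the account you are about to configure matches what the appliance itself reports.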
Thanks so much for all the input, they are all very helpful!