Conjur policy with a layer of hosts is failing, please help!

Below is a contrived policy along the same lines as a production one I have. I am trying to create a couple of hosts, add them to a layer, and then give that layer ownership of the policy for the safe namespace.

# Policy namespace for safe SERV_ABC
- !policy
  id: SERV_ABC
  body:
      - !layer
        id: testlayer
      - &hosts2  
        - !host
          id: SERV_ABC_HOST
        - !host
          id: 855555555501/AccountUser
      - !grant
        role: !layer
        member: *hosts2
  owner: !layer testlayer

Here is the error I get when I load this policy:

('handle_policy_load_result.py - processing file: ', 'http_result')
{"error":{"code":"not_found","message":"Layer 'testlayer' not found in account 'prod'","target":"layer","details":{"code":"not_found","target":"id","message":"prod:layer:testlayer"}}}404
('http result: ', '404')
('body_json: ', '{"error":{"code":"not_found","message":"Layer \'testlayer\' not found in account \'prod\'","target":"layer","details":{"code":"not_found","target":"id","message":"prod:layer:testlayer"}}}')
handle_policy_load_result.py - output file: http_result_code
handle_policy_load_result.py - output file: body_json
[load_conjur_policy] $ /bin/sh -xe /tmp/jenkins2270246464716431139.sh
+ + cut -c1
cat http_result_code
+ '[' 4 '!=' 2 ]
+ cat http_result
+ echo 'Error [HTTP status: {"error":{"code":"not_found","message":"Layer '"'"'testlayer'"'"' not found in account '"'"'prod'"'"'","target":"layer","details":{"code":"not_found","target":"id","message":"prod:layer:testlayer"}}}404]'
Error [HTTP status: {"error":{"code":"not_found","message":"Layer 'testlayer' not found in account 'prod'","target":"layer","details":{"code":"not_found","target":"id","message":"prod:layer:testlayer"}}}404]

Hi Vamsi,

I think I see what you are trying to do.

Generate a policy named !policy SERV_ABC such that !host SERV_ABC_HOST and !host 855555555501/AccountUser are both owners of !policy SERV_ABC.

Let me know if this is incorrect.

First off, it looks like you are trying to declare your owner last. This is not possible with Conjur.
Second, the last grant is not valid because role: !layer should be role: !layer testlayer.
Third, I try to avoid layers, as they are just groups and are only really applicable when using host factory tokens.

Below is the policy you should load; it should work just fine:

# I first create an owners group
- !group SERV_ABC-owner

# Policy namespace for safe SERV_ABC
- !policy
  id: SERV_ABC
  owner: !group SERV_ABC-owner
  body:
      - !group owners

      - &hosts2  
        - !host
          id: SERV_ABC_HOST
        - !host
          id: 855555555501/AccountUser

      - !grant
        role: !group owners
        member: *hosts2

# now I grant the owners group from within the policy as a member to the actual owners group
- !grant
  role: !group SERV_ABC-owner
  member: !group SERV_ABC/owners

Hopefully that helps. To view what resources !host SERV_ABC_HOST has access to, you can run the following conjur command:
conjur list --role conjur:host:SERV_ABC/SERV_ABC_HOST
which should output something like:

[
  "conjur:policy:SERV_ABC",
  "conjur:group:SERV_ABC/owners",
  "conjur:host:SERV_ABC/SERV_ABC_HOST",
  "conjur:host:SERV_ABC/855555555501/AccountUser"
]

Regards,
Andrew

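As an added check, not code from the thread or from Conjur itself: a small Python linter (assuming PyYAML is installed) that parses a policy file and reports the two defects Andrew points out, an owner that only exists inside the policy it is supposed to own, and a grant whose role or member tag carries no id, so they are caught before the Jenkins load step comes back with a 404.

```python
import yaml
# Added example, not Conjur's code: PyYAML loader that turns Conjur policy tags
# (!policy, !host, !layer, !group, !grant) into plain dicts with a "kind" key.
class PolicyLoader(yaml.SafeLoader):
    pass

def _tagged(loader, suffix, node):
    if isinstance(node, yaml.ScalarNode):             # "!layer testlayer" or a bare "!layer"
        return {"kind": suffix, "id": loader.construct_scalar(node)}
    return {**loader.construct_mapping(node, deep=True), "kind": suffix}  # "!host" + "id:" key
PolicyLoader.add_multi_constructor("!", _tagged)

def _flat(items):
    for item in items or []:                          # flatten anchored lists (&hosts2 / *hosts2)
        if isinstance(item, list):
            yield from _flat(item)
        elif isinstance(item, dict):
            yield item

def lint_policy(text):
    """Owner declared only inside the policy it owns, or grant role/member with no id."""
    findings = []
    def check(recs):
        for rec in _flat(recs):
            if rec.get("kind") == "policy":
                own, body = rec.get("owner"), list(_flat(rec.get("body")))
                if isinstance(own, dict) and any(
                        r.get("kind") == own["kind"] and r.get("id") == own["id"] for r in body):
                    findings.append(f"policy '{rec.get('id')}': owner !{own['kind']} "
                                    f"'{own['id']}' exists only inside its own body")
                check(body)                           # nested policies get the same checks
            elif rec.get("kind") == "grant":
                for field in ("role", "member"):
                    for r in _flat([rec.get(field)]):
                        if not r.get("id"):
                            findings.append(f"grant: {field} !{r['kind']} has no id")
    check(yaml.load(text, Loader=PolicyLoader))
    return findings
# Constructed input, condensed from the failing policy in the question.
BROKEN = """\
- !policy
  id: SERV_ABC
  body:
    - !layer testlayer
    - &hosts2 [!host SERV_ABC_HOST, !host 855555555501/AccountUser]
    - !grant
      role: !layer
      member: *hosts2
  owner: !layer testlayer
"""
```

Running lint_policy(BROKEN) returns both findings, while the corrected policy from the reply above returns an empty list.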

That worked. I had to delete the existing groups and policy with the same name that had a single host in order to add this policy with multiple hosts. Thank you!
