Conjur : Protect Host Identity API KEY : Windows

Hi All,

We would like to implement the Summon and summon-conjur solutions on Windows servers/clients. However, the API key value of the host identity provided by Conjur needs to be either used in a script or set as an environment variable on the Windows endpoint. This is a potential issue, as every user who is an admin can fetch the API key value. Any recommendations from a CyberArk or Conjur point of view to protect this, or best practices, are appreciated.


I’m not sure I understand the setup entirely, but it sounds like you want to have a number of Windows clients and servers using Summon, but you don’t want them to have access to the admin API key.
The way customers generally handle this is by using RBAC. You should have separate users/hosts in Conjur for different machines (clients/servers) and each should only have access to the secrets it needs (least privilege). None of the machines should have access to the admin API key.

Please let me know if this helps.

Hi @szh,

To be more clear: on Windows systems, the API key for the host identity will be stored in an environment variable, so if actual users log in to the Windows servers/clients they can view the API key value for a host identity. On the Linux platform we can keep these values in a .netrc file and allow file permissions to the legitimate users; however, on Windows any admin user of the server can get the value.

Is there any way we can restrict this on Windows machines?


Got it. You actually can still use a .netrc file on Windows, placed in the user’s home directory (C:\Users\<username>) and summon-conjur will pick it up just like in Linux.
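The .netrc approach from the reply above, as an added example that is not part of the original thread: it writes the host identity to `.netrc` in the service account's profile and strips the inherited ACL so only that account has access, mirroring the Linux file-permission setup. The appliance URL and host name are placeholders, and the `machine <url>/authn` / `login` / `password` layout is assumed to be the entry format summon-conjur expects.

```powershell
# Added example: run as the account that will invoke summon.
# Placeholder values, not taken from the thread.
$applianceUrl = 'https://conjur.example.com'
$hostLogin    = 'host/example/windows-app'
$netrcPath    = Join-Path $env:USERPROFILE '.netrc'

# Prompt for the API key so it is not stored in the script or in an
# environment variable that other sessions can read.
$secure = Read-Host -Prompt "API key for $hostLogin" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)

try {
    # Create the file empty and lock it down BEFORE the secret is written.
    New-Item -Path $netrcPath -ItemType File -Force | Out-Null

    # Use the SID rather than the name so local and domain accounts both work.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

    # /inheritance:r removes ACEs inherited from the profile directory
    # (including Administrators and SYSTEM); /grant:r replaces any explicit
    # entry for this SID with read/write only.
    icacls $netrcPath /inheritance:r /grant:r "*${sid}:(R,W)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $netrcPath" }

    $apiKey = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    $entry  = @"
machine $applianceUrl/authn
  login $hostLogin
  password $apiKey
"@
    # ASCII encoding avoids the BOM that Windows PowerShell adds for UTF-8.
    Set-Content -Path $netrcPath -Value $entry -Encoding ascii
}
finally {
    # Clear the plaintext copies held in this session.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable apiKey, entry -ErrorAction SilentlyContinue
}

# Check: exactly one ACE should remain, for the current account, not inherited.
(Get-Acl $netrcPath).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited
```

A member of the local Administrators group can still take ownership of the file, so this ACL restricts ordinary users only; scoping each host identity to the secrets it needs, as described earlier in the thread, limits what a recovered key can read.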