Hi,
We have prepared a policy for an application, initially applied with “restricted_ip” for the CIDR activated. Due to changes, we have removed these restrictions based on IPs; however, when we try to fetch the secrets, it ends with level=error msg="401 Unauthorized" and “failed to authenticate with authenticator authn service xxx:webservice:conjur/authn: CONJ00003E Invalid origin”.
How can we address this issue? The policies are implemented and the version of the policy is also shown.
Kr,
Gautam
What did the policy look like to remove the CIDR restrictions and how was that policy loaded? (e.g. append, delete, or replace)
Regards,
Nathan
Hi @nathan.whipple
I have loaded the policy as "conjur policy load --replace <policy-file-name.yml>"
Kr,
Gautam.
That should have worked. Can you share a redacted version of your policy please?
Hi @nathan.whipple
Here is the sample policy:
The layer created here will be allowed the resources that are synchronized from the CyberArk Core PAS solution.
Kr,
Gautam
When you load the policy that removes the restricted_to annotation, are you just deleting that line from the policy, or are you setting the value to something like 0.0.0.0?
Hi,
I remove the restricted_IP line and push the policy as --replace.
Hi @gautamkanithi, that’s the issue. There are two ways to achieve your desired outcome:
- Edit the restricted_to line to use 0.0.0.0 as the IP address/range and load with either --replace or --delete
- Load a policy with --delete to delete the host, then load a policy to create the host again without the restricted_to line
Please let me know how you make out on that!
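As an added illustration of the second approach described above (this is not from the original thread; the host id "myapp", the layer "app-layer" and the range 10.0.1.0/24 are made-up placeholders), here are the three policy files involved, each assumed to be loaded with conjur policy load as the thread shows:

```yaml
# File 1: original.yml - the host as first loaded, with the CIDR restriction.
# Logins for this host are accepted only from 10.0.1.0/24; a request from any
# other address fails with CONJ00003E Invalid origin (constructed example).
- !layer app-layer

- !host
  id: myapp
  restricted_to: [ 10.0.1.0/24 ]

- !grant
  role: !layer app-layer
  member: !host myapp

# File 2: delete-host.yml - loaded with the --delete flag.
# Removing the host record removes its restricted_to setting with it.
# Simply loading File 1 again without the restricted_to line (even with
# --replace) leaves the existing restriction in place, which is the
# symptom reported in this thread.
- !delete
  record: !host myapp

# File 3: recreate.yml - loaded without --delete or --replace.
# The same host is created again with no restricted_to, so it may
# authenticate from any origin; the layer grant has to be re-applied too.
- !host
  id: myapp

- !grant
  role: !layer app-layer
  member: !host myapp
```

Deleting and recreating the host issues a new API key for it, so the application's stored credential must be rotated after File 3 is loaded.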