Conjur Restricted IP Policy


We have prepared a policy for an application, initially applied with "restricted_ip" for a CIDR. Due to changes, we have removed this restriction based on IPs; however, when we try to fetch the secrets, it ends with level=error msg="401 Unauthorized" and "failed to authenticate with authenticator authn service xxx:webservice:conjur/authn: CONJ00003E Invalid origin".

How can we address this issue? The policies are implemented and the policy version is also shown.


What did the policy that removed the CIDR restrictions look like, and how was that policy loaded (e.g. append, delete, or replace)?


Hi @nathan.whipple

I have loaded the policy as "conjur policy load --replace <policy-file-name.yml>".


That should have worked. Can you share a redacted version of your policy please?

Hi @nathan.whipple

Here is the sample policy:

- !layer

- !group readers

- &Application-resources
  - !host
    id: abc
    restricted_to: [10.x.x.x]
    # metadata on a host belongs under annotations
    annotations:
      Description: xxx
      Role: perimeter xx
      Application: xx
      Project: xx

- !grant
  role: !layer
  members: *Application-resources

- !permit
  role: !group readers
  privileges: [read]
  resources: *Application-resources

The layer created here will be allowed the resources that are synchronized from the CyberArk Core PAS solution.


When you load the policy that removes the restricted_to annotation, are you just deleting that line from the policy, or are you setting the value to something like


I remove the restricted_IP line and push the policy with --replace.

Hi @gautamkanithi , that’s the issue. There are two ways to achieve your desired outcome:

  1. Edit the restricted_to line to use as the IP address/range and load with either --replace or --delete.
  2. Load a policy with --delete to delete the host, then load a policy to create the host again without the restricted_to line.

Please let me know how you make out on that!
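The second option above, written out as an added example (this is not the poster's policy and not part of the thread). It assumes the host id is abc at the root of the policy branch being loaded, that the placeholder <policy-id> is that branch, and that the CLI takes the same "conjur policy load" form the poster used; the file names remove-host.yml and app-policy.yml are made up for the example.

```yaml
# Step 1: remove-host.yml
# Loaded in delete mode, which is what permits an explicit !delete statement:
#   conjur policy load --delete <policy-id> remove-host.yml
# Assumption: "abc" is the full host id within this policy branch; a host
# under a sub-policy would be written with its path, e.g. !host sub/abc.
- !delete
  record: !host abc

---
# Step 2: app-policy.yml
# The same policy as before, with the restricted_to line left out, loaded
# afterwards so the host is created fresh with no origin restriction:
#   conjur policy load --replace <policy-id> app-policy.yml
- !layer

- !group readers

- &Application-resources
  - !host
    id: abc
    # no restricted_to here: the recreated host has no CIDR restriction
    annotations:
      Description: xxx
      Role: perimeter xx
      Application: xx
      Project: xx

- !grant
  role: !layer
  members: *Application-resources

- !permit
  role: !group readers
  privileges: [read]
  resources: *Application-resources
```

Loading step 2 recreates the host, so its API key is rotated; the application's stored credential for abc has to be updated before it authenticates again.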