Getting 401 error when using lookup('conjur_variable', 'secret/path') in ansible

Hi,

I am trying to fetch a secret value from Conjur using an Ansible playbook.
OS: Fedora 31

When running the command
{{ lookup('env', 'HFTOKEN') }}, it works fine,

but when running {{ lookup('conjur_variable', 'secret_path') }}, I get an error. See attached screenshot.
My conjur_server host: http://172.X.X.X:80

When running the command below to fetch the value from Conjur using the REST API:
curl -H "$(conjur authn authenticate -H)" http://172.X.0.X:80/secrets/myConjurAccount/variable/db%2Fdbpass
I get the required value from Conjur, but conjur_variable gives me 401 Unauthorized.

Any thoughts or approach I can follow on this issue?

Apart from this, when I ran conjur init, it didn't generate a PEM file.

Without looking at any logging, my first hunch is that URL encoding for the lookup plugin isn't working for the variable. Can you test with a variable that won't require URL encoding?

  1. You are using Conjur without HTTPS, therefore you will not receive a PEM. No certificates are in use in your current setup.
  2. The URL encoding is working properly in Ansible when running the conjur_variable lookup module.
  3. The conjur_variable lookup module uses two files for its configuration: /etc/conjur.identity and /etc/conjur.conf. The identity stored in /etc/conjur.identity is what the lookup module will use when authenticating to Conjur. A 401 HTTP status code denotes that an unauthorized attempt at the secret was made. Either the account you are authenticating with does not have permissions to access the secret variable, or the account's /etc/conjur.identity is wrong.

Finally, if this doesn’t work out for you, a newer version is available in our recently released Conjur Collection on Ansible Galaxy. The conjur_variable module contained in the collection supports Environment Variables on top of the files supported in the old one.

ansible-galaxy collection install cyberark.conjur_collection
https://galaxy.ansible.com/cyberark/conjur_collection


Hi Joe,

Thank you for your input.

Just a thought: if my credentials were incorrect, in this scenario I should see a 401 error message when triggering the curl command below, but I am getting the required secret value.
curl -H "$(conjur authn authenticate -H)" http://172.18.0.5:80/secrets/myConjurAccount/variable/db%2Fdbpass

Also, when I use {{ lookup('cyberark.conjur_collection.conjur_variable', '/path/to/secret') }}, I see the exception below:
"msg": "lookup plugin (cyberark.conjur_collection.conjur_variable) not found"
I did run ansible-galaxy collection install cyberark.conjur_collection, and the required variables are already set.

Moreover, when I take the authn token from the Ansible playbook output, i.e. from the error below, and use it via this command:

curl -H "Authorization: Token token="<token redacted>"" http://172.18.0.5:80/secrets/myConjurAccount/variable/db%2Fdbpass

this works!!! But via Ansible it doesn't. I am not sure why, in the token in the error log below, I see the token starting with "\b".

TASK [debug] ******************************************************************************************************************************
task path: /home/fedora/ansible/conjur-quickstart/ansible_project/playbook.yml:14
conf file: /etc/conjur.conf
Loading configuration from: /etc/conjur.conf
identity file: /etc/conjur.identity
Loading identity from: /etc/conjur.identity for http://172.18.0.5:80
Authentication request to Conjur at: http://172.18.0.5:80/authn/myConjurAccount/admin/authenticate, with user: admin
Header: {'Authorization': 'Token token="b'<token redacted>'"'}
Conjur Variable URL: http://172.18.0.5:80/secrets/myConjurAccount/variable/db%2Fdbpass
fatal: [localhost]: FAILED! => {
    "msg": "An unhandled exception occurred while running the lookup plugin 'conjur_variable'. Error was a <class 'urllib.error.HTTPError'>, original message: HTTP Error 401: Unauthorized"
}

Thank you.

Hi Nathan,

Could you please let me know which log file I should refer to? I have a Docker container running, and localhost is used as the conjur_host machine.

Thank you.

Hi Nathan,
I am able to get the logs but I don’t see any exception.

Refer to the attached file (conjur.txt).

Hi Ajay,

I would validate that the API key located in the /etc/conjur.identity file is the API key for the admin user.
Also, when we perform the authentication method we should be providing the API key, not the access token.

Thanks,
Andrew
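An added illustration for readers of this thread; it is not code from the thread, from the Ansible lookup plugin or from the Conjur project. Two details in the posts above are worth seeing side by side. First, the debug output shows the plugin sending Header: {'Authorization': 'Token token="b'...'"'}, while the curl command that works sends the base64 of the raw token; the b' prefix is how Python 3 renders a bytes object when it is formatted into text, which is consistent with a token that was interpolated before being base64-encoded and decoded (whether that is exactly what the plugin did is an assumption here, since the plugin's source is not on the page). Second, Andrew's point that authentication takes the API key, not an access token. The code below builds the two URLs from the log, constructs the Authorization header both the correct way and the defective way, flags the defective form, and checks whether a credential read from /etc/conjur.identity is an access token rather than an API key. The token and API key values are constructed placeholders; the function names are mine.

```python
import base64
import json
import re
import urllib.parse

# Constructed sample access token. A Conjur access token is a JSON object with
# "protected", "payload" and "signature" members; these values are placeholders.
SAMPLE_TOKEN = (b'{"protected":"PLACEHOLDER_PROTECTED",'
                b'"payload":"PLACEHOLDER_PAYLOAD",'
                b'"signature":"PLACEHOLDER_SIGNATURE"}')

# Constructed sample API key: the opaque credential /etc/conjur.identity should hold.
SAMPLE_API_KEY = "placeholder-api-key-not-a-real-one"


def authenticate_url(base_url, account, login):
    """Endpoint the API key is POSTed to; the response body is the access token."""
    return f"{base_url}/authn/{account}/{urllib.parse.quote(login, safe='')}/authenticate"


def variable_url(base_url, account, variable_id):
    """Secret retrieval endpoint; the variable id is percent-encoded ('/' -> '%2F')."""
    return f"{base_url}/secrets/{account}/variable/{urllib.parse.quote(variable_id, safe='')}"


def build_auth_header(token):
    """Correct Authorization value: base64 the raw token bytes, then decode to text."""
    return 'Token token="%s"' % base64.b64encode(token).decode("ascii")


def buggy_auth_header(token):
    """Defective variant: a bytes object formatted into text renders as b'...'."""
    return 'Token token="%s"' % token


_BYTES_REPR = re.compile(r'^Token token="b[\'"]')


def header_has_bytes_repr(header):
    """True when the header carries a Python bytes repr instead of base64 text."""
    return _BYTES_REPR.match(header) is not None


def decode_auth_header(header):
    """Inverse of build_auth_header: the token bytes the server would see.

    Raises ValueError for anything that is not a well-formed base64 Token header,
    which is what happens to the defective b'...' form."""
    m = re.fullmatch(r'Token token="([A-Za-z0-9+/=]+)"', header)
    if m is None:
        raise ValueError("not a well-formed Conjur Token header")
    return base64.b64decode(m.group(1), validate=True)


def looks_like_access_token(credential):
    """True if the credential is a Conjur access token rather than an opaque API key.

    Authentication expects the API key, so finding a token shape in
    /etc/conjur.identity points at a misconfiguration."""
    try:
        obj = json.loads(credential)
    except ValueError:
        return False
    return isinstance(obj, dict) and {"protected", "payload", "signature"} <= set(obj)


if __name__ == "__main__":
    base = "http://172.18.0.5:80"
    print(authenticate_url(base, "myConjurAccount", "admin"))
    print(variable_url(base, "myConjurAccount", "db/dbpass"))
    good, bad = build_auth_header(SAMPLE_TOKEN), buggy_auth_header(SAMPLE_TOKEN)
    print("correct:  ", good)
    print("defective:", bad, "->", "bytes repr!" if header_has_bytes_repr(bad) else "ok")
    print("identity holds an access token?", looks_like_access_token(SAMPLE_API_KEY))
```

Running the script prints exactly the authenticate and variable URLs seen in the debug output, then the two header forms: the defective one starts with Token token="b' just like the log line, and decode_auth_header() rejects it, which is the server-side view of that 401.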