First time trying to get the conjur-iam-api client authorized against conjur host using an IAM role
Below is the url (generated by the get_conjur_iam_session_token method) i am getting the 401 error on
'https://<company.com>/authn-iam/aws/prod/0292xxx891%2FHydraDatamartTaskHost/authenticate'
The ARN in the above URL should be something like 0292xxxx891/HydraDatamartTaskHost; instead the URL formed is encoded with %2F for /.
We have checked the policy looks okay via the UI. The ARN is a member of the group permitting use of the IAM authenticator.
=================================
Here is the code snippet
We did not have the environment variable authn-iam/aws set on the master yesterday. The behavior after setting the variable didn't change this morning, still getting the 401.
We looked at the audit.log on the appliance /var/log/conjur but only saw UI logins, there is no log entry from the IAM authenticator (via the script). Is there any other location you can suggest that we can look for the error logs?
Here is the policy that is meant for allowing the host (ARN)
# Policy namespace for safe SERV_HYDRADATAMART
- !host SERV_HYDRADATAMART_host
- !policy
  id: SERV_HYDRADATAMART
  owner: !host SERV_HYDRADATAMART_host
  # this creates a group for use in subsequent grant statements
  # the team we delegate management of the policy to can manage members of the group
  body:
    - !group SERV_HYDRADATAMART_readonly
# this allows use of the iam authenticator
# the path to the group name is fully qualified to host - because the current context is root policy
- !grant
  role: !group conjur/authn-iam/prod/clients
  members: !group SERV_HYDRADATAMART/SERV_HYDRADATAMART_readonly
# the group name appears in Conjur UI in the ID column of the "Groups" tile
# it can be assembled easily - most parts are static.
# structure: vault_integration/lob user/safe name/delegation/consumers
# the path to the group name is fully qualified to host - because the current context is root policy
- !grant
  role: !group prod_vault/Prod/SERV_HYDRADATAMART/delegation/consumers
  members: !group SERV_HYDRADATAMART/SERV_HYDRADATAMART_readonly
# Permit the IAM role to log in to conjur
- !host 029298672891/HydraDatamartTaskHost
- !grant
  role: !group SERV_HYDRADATAMART/SERV_HYDRADATAMART_readonly
  member: !host 029298672891/HydraDatamartTaskHost
Thanks. We are still getting the 401 trying to auth to conjur.
Here is the resulting conjur url that got put together with the given parameters as you suggested:
---
- !policy
  id: conjur
  body:
    - !policy
      id: cluster/master-cluster
      body:
        - !layer
        - &hosts
          - !host
            id: USW2ITVACMST01.tsi.lan
          - !host
            id: USW2ITVACMST02.tsi.lan
          - !host
            id: USW2ITVACMST03.tsi.lan
          - !host
            id: USW2ITVACMST04.tsi.lan
        - !grant
          role: !layer
          member: *hosts

    # AUTHN-IAM Policy
    # Policy ID needs to match the convention "conjur/authn-iam/<Service ID>"
    - !policy
      id: authn-iam/prod
      body:
        - !webservice
        - !group clients
        - !permit
          role: !group clients
          privilege: [ read, authenticate ]
          resource: !webservice

# Synchronizer Policy
- !group
  id: prod_vault-admins
- !host
  id: Sync_USW2ITVWCPM01
- !grant
  role:
    - !group prod_vault-admins
  members:
    - !host Sync_USW2ITVWCPM01
- !policy
  id: prod_vault
  owner: !group prod_vault-admins

# cyberarkproduction Policy - safe SERV_CYBERARKPRODUCTION
- !host cyberarkproduction
- !policy
  id: serv_cyberarkproduction_policy
  owner: !host cyberarkproduction
  # this creates a group for use in subsequent grant statements
  # the team we delegate management of the policy to can manage members of the group
  body:
    - !group cyberarkproduction_readonly
# this allows use of the iam authenticator
# the path to the group name is fully qualified to host - because the current context is root policy
- !grant
  role: !group conjur/authn-iam/prod/clients
  members: !group serv_cyberarkproduction_policy/cyberarkproduction_readonly
# the group name appears in Conjur UI in the ID column of the "Groups" tile
# it can be assembled easily - most parts are static.
# structure: vault_integration/lob user/safe name/delegation/consumers
# the path to the group name is fully qualified to host - because the current context is root policy
- !grant
  role: !group prod_vault/Prod/SERV_CYBERARKPRODUCTION/delegation/consumers
  members: !group serv_cyberarkproduction_policy/cyberarkproduction_readonly
# the file needs a newline at the end to assist concatenation

# Policy namespace for safe SERV_HYDRADATAMART
- !host SERV_HYDRADATAMART_host
- !policy
  id: SERV_HYDRADATAMART
  owner: !host SERV_HYDRADATAMART_host
  # this creates a group for use in subsequent grant statements
  # the team we delegate management of the policy to can manage members of the group
  body:
    - !group SERV_HYDRADATAMART_readonly
# this allows use of the iam authenticator
# the path to the group name is fully qualified to host - because the current context is root policy
- !grant
  role: !group conjur/authn-iam/prod/clients
  members: !group SERV_HYDRADATAMART/SERV_HYDRADATAMART_readonly
# the group name appears in Conjur UI in the ID column of the "Groups" tile
# it can be assembled easily - most parts are static.
# structure: vault_integration/lob user/safe name/delegation/consumers
# the path to the group name is fully qualified to host - because the current context is root policy
- !grant
  role: !group prod_vault/Prod/SERV_HYDRADATAMART/delegation/consumers
  members: !group SERV_HYDRADATAMART/SERV_HYDRADATAMART_readonly
# Permit the IAM role to log in to conjur
- !host 029298672891/HydraDatamartTaskHost
- !grant
  role: !group SERV_HYDRADATAMART/SERV_HYDRADATAMART_readonly
  member: !host 029298672891/HydraDatamartTaskHost
This issue has been resolved.
The github repo had a bug.
The resolution can be found here
The reason it was failing is that the IAM service is a global service, which means that when we construct our signed header it must be signed with the 'us-east-1' region.