Getting a 401 response on get_conjur_iam_session_token

First time trying to get the conjur-iam-api client authorized against a Conjur host using an IAM role.
Below is the URL (generated by the get_conjur_iam_session_token method) I am getting the 401 error on:
'https://<company.com>/authn-iam/aws/prod/0292xxx891%2FHydraDatamartTaskHost/authenticate'

The ARN in the above URL should be something like 0292xxxx891/HydraDatamartTaskHost; instead, the URL formed is encoded with %2F for /.

We have checked that the policy looks okay via the UI. The ARN is a member of the group permitting use of the IAM authenticator.

=================================
Here is the code snippet:

from conjur_iam_client import *
import os

# Certificate chain used to verify the appliance's TLS certificate
file = 'certchain.pem'
filepath = os.path.realpath(file)
os.environ['CONJUR_ACCOUNT'] = 'prod'
os.environ['CONJUR_APPLIANCE_URL'] = 'https://<company.com>'
os.environ['AUTHN_IAM_SERVICE_ID'] = 'aws'
os.environ['CONJUR_CERT_FILE'] = filepath

# Signed sts:GetCallerIdentity request used as the "API key" for authn-iam
conjur_api_key = create_conjur_iam_api_key()
print(conjur_api_key)

appliance_url = os.environ['CONJUR_APPLIANCE_URL']
account = os.environ['CONJUR_ACCOUNT']
service_id = os.environ['AUTHN_IAM_SERVICE_ID']
cert_file = os.environ['CONJUR_CERT_FILE']
conjur_account = os.environ['CONJUR_ACCOUNT']
# Conjur host ID of the IAM role: <account id>/<role name>
username = "029298672891/HydraDatamartTaskHost"

conjur_session_token = get_conjur_iam_session_token(appliance_url, conjur_account, service_id, username, cert_file)
print(conjur_session_token)

We appreciate the response.


Hi,

Could you please provide the policy you are loading?

Also, could you perform the following command: docker exec conjur-master cat /opt/conjur/etc/conjur.conf

We have to make sure our CONJUR_AUTHENTICATOR env variable contains authn-iam/aws.

Thanks,
Andrew

Hi Andrew, thanks for the reply!

We did not have the environment variable authn-iam/aws set on the master yesterday. The behavior after setting the variable didn’t change this morning, still getting the 401.

We looked at audit.log on the appliance (/var/log/conjur) but only saw UI logins; there is no log entry from the IAM authenticator (via the script). Is there any other location you can suggest that we can look for the error logs?

Here is the policy that is meant for allowing the host (ARN):

# Policy namespace for safe SERV_HYDRADATAMART
- !host SERV_HYDRADATAMART_host
- !policy
  id: SERV_HYDRADATAMART
  owner: !host SERV_HYDRADATAMART_host

  # this creates a group for use in subsequent grant statements
  # the team we delegate management of the policy can manage members of the group
  body:
  - !group SERV_HYDRADATAMART_readonly

  # this allows use of the iam authenticator
  # the path to the group name is fully qualified to host - because the current context is root policy
- !grant
  role: !group conjur/authn-iam/prod/clients
  members: !group SERV_HYDRADATAMART/SERV_HYDRADATAMART_readonly

  # the group name appears in Conjur UI in the ID column of "Groups" tile
  # it can be assembled easily - most parts are static.
  # structure: vault_integration/lob user/safe name/delegation/consumers
  # the path to the group name is fully qualified to host - because the current context is root policy
- !grant
  role: !group prod_vault/Prod/SERV_HYDRADATAMART/delegation/consumers
  members: !group SERV_HYDRADATAMART/SERV_HYDRADATAMART_readonly

# Permit the IAM role to login into conjur
- !host 029298672891/HydraDatamartTaskHost
- !grant
  role: !group SERV_HYDRADATAMART/SERV_HYDRADATAMART_readonly
  member: !host 029298672891/HydraDatamartTaskHost

Please see the docker exec output below:

core@ip-10-177-240-247 ~ $ docker exec conjur-appliance cat /opt/conjur/etc/conjur.conf
CONJUR_ACCOUNT=prod
ENABLED=true
LOG_LEVEL=warn
TRUSTED_PROXIES=127.0.0.1/32
CLUSTER_NAME=master-cluster
CLUSTER_MACHINE_NAME=USW2ITVACMST01.tsi.lan
CLUSTER_MACHINE_ADDRESS=USW2ITVACMST01.tsi.lan
ETCD_INITIAL_CLUSTER=USW2ITVACMST01.tsi.lan=http://USW2ITVACMST01.tsi.lan:2380,USW2ITVACMST02.tsi.lan=http://USW2ITVACMST02.tsi.lan:2380,USW2ITVACMST03.tsi.lan=http://USW2ITVACMST03.tsi.lan:2380,USW2ITVACMST04.tsi.lan=http://USW2ITVACMST04.tsi.lan:2380
ETCD_INITIAL_CLUSTER_STATE=new
DATABASE_URL=postgres:///conjur
CONJUR_AUTHENTICATORS=authn-iam/aws

The CONJUR_AUTHENTICATORS value is incorrect. It should be CONJUR_AUTHENTICATORS=authn-iam/prod, since your service ID is prod and not aws, as mentioned here:

- !grant
  role: !group conjur/authn-iam/prod/clients
  members: !group SERV_HYDRADATAMART/SERV_HYDRADATAMART_readonly

And os.environ['AUTHN_IAM_SERVICE_ID']='aws' must be changed to os.environ['AUTHN_IAM_SERVICE_ID']='prod'

Also, after modifying the /opt/conjur/etc/conjur.conf file you must restart the service by executing: docker exec conjur-appliance sv restart conjur

Thanks. We are still getting the 401 trying to auth to conjur.
Here is the resulting conjur url that got put together with the given parameters as you suggested:

https://usw2itvacmst01.tsi.lan/authn-iam/prod/prod/029298672891%2FHydraDatamartTaskHost/authenticate

We made sure the conjur.conf file and the policy.yml have the expected entries, also restarted the appliance.

Please see the assembled policy.yml:

---
- !policy
  id: conjur
  body:
    - !policy
        id: cluster/master-cluster
        body:
        - !layer
        - &hosts
          - !host
            id: USW2ITVACMST01.tsi.lan
          - !host
            id: USW2ITVACMST02.tsi.lan
          - !host
            id: USW2ITVACMST03.tsi.lan
          - !host
            id: USW2ITVACMST04.tsi.lan
        - !grant
          role: !layer
          member: *hosts
#AUTHN-IAM Policy
#Policy ID needs to match the convention "conjur/authn-iam/<Service ID>"
    - !policy
      id: authn-iam/prod
      body:
      - !webservice
      - !group clients
      - !permit
        role: !group clients
        privilege: [ read, authenticate ]
        resource: !webservice

# Synchronizer Policy
- !group
  id: prod_vault-admins
- !host
  id: Sync_USW2ITVWCPM01
- !grant
  role:
  - !group prod_vault-admins
  members:
  - !host Sync_USW2ITVWCPM01
- !policy
  id: prod_vault
  owner: !group prod_vault-admins

# cyberarkproduction Policy - safe SERV_CYBERARKPRODUCTION
- !host cyberarkproduction

- !policy
  id: serv_cyberarkproduction_policy
  owner: !host cyberarkproduction

  # this creates a group for use in subsequent grant statements
  # the team we delegate management of the policy can manage members of the group
  body:
  - !group cyberarkproduction_readonly

- # this allows use of the iam authenticator
  !grant
  role: !group conjur/authn-iam/prod/clients
  # the path to the group name is fully qualified to host - because the current context is root policy
  members: !group serv_cyberarkproduction_policy/cyberarkproduction_readonly

- !grant
  # the group name appears in Conjur UI in the ID column of "Groups" tile
  # it can be assembled easily - most parts are static.
  # structure: vault_integration/lob user/safe name/delegation/consumers
  role: !group prod_vault/Prod/SERV_CYBERARKPRODUCTION/delegation/consumers
  # the path to the group name is fully qualified to host - because the current context is root policy
  members: !group serv_cyberarkproduction_policy/cyberarkproduction_readonly

  # the file needs a newline at the end to assist concatenation
# Policy namespace for safe SERV_HYDRADATAMART
- !host SERV_HYDRADATAMART_host
- !policy
  id: SERV_HYDRADATAMART
  owner: !host SERV_HYDRADATAMART_host

  # this creates a group for use in subsequent grant statements
  # the team we delegate management of the policy can manage members of the group
  body:
  - !group SERV_HYDRADATAMART_readonly

  # this allows use of the iam authenticator
  # the path to the group name is fully qualified to host - because the current context is root policy
- !grant
  role: !group conjur/authn-iam/prod/clients
  members: !group SERV_HYDRADATAMART/SERV_HYDRADATAMART_readonly

  # the group name appears in Conjur UI in the ID column of "Groups" tile
  # it can be assembled easily - most parts are static.
  # structure: vault_integration/lob user/safe name/delegation/consumers
  # the path to the group name is fully qualified to host - because the current context is root policy
- !grant
  role: !group prod_vault/Prod/SERV_HYDRADATAMART/delegation/consumers
  members: !group SERV_HYDRADATAMART/SERV_HYDRADATAMART_readonly

# Permit the IAM role to login into conjur
- !host 029298672891/HydraDatamartTaskHost
- !grant
  role: !group SERV_HYDRADATAMART/SERV_HYDRADATAMART_readonly
  member: !host 029298672891/HydraDatamartTaskHost

This issue has been resolved.
The GitHub repo had a bug.
The resolution can be found here.

The reason it was failing is the IAM service is a global service which means when we construct our signed header it must be signed with the ‘us-east-1’ region.

See #2 on the AWS documentation: https://docs.aws.amazon.com/general/latest/gr/sigv4_changes.html
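As an added example (not code from this thread or from the conjur-iam-client project), the following shows the two mechanics discussed above in one place: the login percent-encoded as a single path segment of the /authn-iam/<service_id>/<account>/<login>/authenticate URL (so the %2F seen in the first post is the expected encoding, not the fault), and the SigV4 signing of the sts:GetCallerIdentity request with the credential scope pinned to us-east-1, which is the fix described in the previous reply. The appliance URL, access key, secret, session token and timestamp are constructed placeholders; the header set and canonical request layout are standard SigV4 and are assumed here rather than taken from the page.

```python
# Added example: SigV4-sign sts:GetCallerIdentity for Conjur authn-iam and build
# the authenticate URL. All credentials and the timestamp are constructed values.
import datetime
import hashlib
import hmac
from urllib.parse import quote

STS_HOST = "sts.amazonaws.com"   # global STS endpoint
STS_REGION = "us-east-1"         # global services are signed against us-east-1
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"

# Constructed placeholders (not real credentials).
EXAMPLE_ACCESS_KEY = "AKIAEXAMPLEEXAMPLE"
EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
EXAMPLE_SESSION_TOKEN = "FwoGZXIvYXdzEXAMPLESESSIONTOKEN"
EXAMPLE_TIME = datetime.datetime(2020, 1, 1, 12, 0, 0)
EXAMPLE_APPLIANCE = "https://conjur.example.com"
EXAMPLE_LOGIN = "029298672891/HydraDatamartTaskHost"  # host ID used in the thread


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the SigV4 signing key: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def signed_sts_headers(access_key, secret_key, session_token, now, region=STS_REGION):
    """Return the headers of a signed POST https://sts.amazonaws.com/ GetCallerIdentity.

    `region` is a parameter only so the failure mode can be demonstrated: signing
    with anything other than us-east-1 yields a different (and rejected) signature.
    """
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(STS_BODY.encode("utf-8")).hexdigest()

    headers = {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": STS_HOST,
        "x-amz-date": amz_date,
    }
    if session_token:  # temporary role credentials carry a session token
        headers["x-amz-security-token"] = session_token

    signed_names = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed_names, payload_hash]
    )

    scope = f"{date_stamp}/{region}/sts/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(
        signing_key(secret_key, date_stamp, region, "sts"),
        string_to_sign.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_names}, Signature={signature}"
    )
    return headers


def conjur_authenticate_url(appliance_url, service_id, account, login):
    """The login is one path segment, so every '/' inside it must become %2F."""
    return f"{appliance_url}/authn-iam/{service_id}/{account}/{quote(login, safe='')}/authenticate"


def demo():
    """Sign with the constructed credentials and build the URL from the thread's values."""
    headers = signed_sts_headers(
        EXAMPLE_ACCESS_KEY, EXAMPLE_SECRET_KEY, EXAMPLE_SESSION_TOKEN, EXAMPLE_TIME
    )
    url = conjur_authenticate_url(EXAMPLE_APPLIANCE, "prod", "prod", EXAMPLE_LOGIN)
    return headers, url


if __name__ == "__main__":
    hdrs, target = demo()
    print(target)
    print(hdrs["authorization"])
```

The headers returned by signed_sts_headers are what the client POSTs (as the request body) to the authenticate URL; Conjur replays the signed GetCallerIdentity call to STS and compares the returned ARN with the host ID. Since the signature is bound to the credential scope, a client that signs with its own regional endpoint's region produces a token STS rejects, which surfaces on the Conjur side as the 401 seen in this thread.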

That worked. Thank you!

Hey @vmaddirala, would you mind marking @AndrewCopeland’s response as the solution to test out our solved plugin?

I don’t have other options but these to mark it as a solution. Is there any other way to go about it?