How do I grant a Jenkins host permission to secrets that were synced using Synchronizer?
My current environment:
Host: jenkins-frontend-dev/frontend-dev-01
Groups that were created with Synchronizer: Server01/Conjursync1/DAP_Sync2_dev-admins; Server01/ConjurSync1/DAP_Sync2_dev-consumers
Secrets:
Server01/ConjurSync1/DAP_Sync2_Dev/Cloud Service-AWSAccessKeys-CyberarkUser1/password
Server01/ConjurSync1/DAP_Sync2_Dev/Cloud Service-AWSAccessKeys-CyberarkUser1/Username
I typically recommend having a safe per application.
In this case the Jenkins host is the application.
So, to give the !host jenkins-frontend-dev/frontend-dev-01 the ability to read secrets from the safe DAP_Sync2_Dev, I would load the following policy:
- !grant
  role: !group Server01/ConjurSync1/DAP_Sync2_Dev/delegation/consumers
  member: !host jenkins-frontend-dev/frontend-dev-01
If you want granular control of secrets and only want the Jenkins host to have access to the secrets above, then load the following policy:
- !permit
  role: !host jenkins-frontend-dev/frontend-dev-01
  privilege: [ read, execute ]
  resources:
    - !variable Server01/ConjurSync1/DAP_Sync2_Dev/Cloud Service-AWSAccessKeys-CyberarkUser1/username
    - !variable Server01/ConjurSync1/DAP_Sync2_Dev/Cloud Service-AWSAccessKeys-CyberarkUser1/password
Hopefully this answers your question. Please let me know if you have any other questions.
Regards,
Andrew
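Added example (not CyberArk's, Conjur's or the Synchronizer's own code) modelling the difference between the two policies in the answer above: with the !grant, the host inherits everything the safe's consumers group holds, which is assumed here to be every variable the Synchronizer created in the safe; with the !permit, the host can fetch only the two listed variables. The two extra variables in the safe are constructed for illustration.

```python
# Simplified model of Conjur RBAC: groups hold members (!grant), roles hold
# privileges on resources (!permit), and privileges flow through membership.
# Added example, not Conjur's implementation.
HOST = "host:jenkins-frontend-dev/frontend-dev-01"
SAFE = "Server01/ConjurSync1/DAP_Sync2_Dev"
CONSUMERS = f"group:{SAFE}/delegation/consumers"
ACCOUNT = f"{SAFE}/Cloud Service-AWSAccessKeys-CyberarkUser1"
# Variables in the safe: the two from the question plus two constructed ones.
SAFE_VARIABLES = [
    f"variable:{ACCOUNT}/username",
    f"variable:{ACCOUNT}/password",
    f"variable:{SAFE}/Cloud Service-AWSAccessKeys-OtherUser/username",  # constructed
    f"variable:{SAFE}/Cloud Service-AWSAccessKeys-OtherUser/password",  # constructed
]

class Policy:
    def __init__(self):
        self.members = {}   # group -> {member roles}          (!grant)
        self.permits = {}   # (role, resource) -> {privileges} (!permit)

    def grant(self, group, member):
        self.members.setdefault(group, set()).add(member)

    def permit(self, role, privileges, resources):
        for res in resources:
            self.permits.setdefault((role, res), set()).update(privileges)

    def roles_of(self, role):
        """The role itself plus every group it belongs to, transitively."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(g for g, ms in self.members.items() if r in ms)
        return seen

    def fetchable(self, role):
        """Variables whose value `role` can retrieve ('execute' is the fetch privilege)."""
        roles = self.roles_of(role)
        return sorted(res for (r, res), p in self.permits.items()
                      if r in roles and "execute" in p)

def synced_baseline():
    p = Policy()  # assumed Synchronizer setup: consumers group can read/execute the whole safe
    p.permit(CONSUMERS, ["read", "execute"], SAFE_VARIABLES)
    return p

def coarse_policy():                 # the !grant from the first snippet
    p = synced_baseline(); p.grant(CONSUMERS, HOST); return p

def granular_policy():               # the !permit from the second snippet
    p = synced_baseline(); p.permit(HOST, ["read", "execute"], SAFE_VARIABLES[:2]); return p
```

Comparing `coarse_policy().fetchable(HOST)` with `granular_policy().fetchable(HOST)` shows the blast radius of each choice: four variables versus the two the host actually needs.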
Hi Sack,
If I was able to answer your question could you please mark my response as solved.
Thanks a bunch,
Andrew