Granting permissions to synced Secrets via synchronizer

How do I grant permission for a Jenkins host to secrets that were synced using Synchronizer?

My current environment:
Host: jenkins-frontend-dev/frontend-dev-01

Group that were created with synchronizer: Server01/Conjursync1/DAP_Sync2_dev-admins; Server01/ConjurSync1/DAP_Sync2_dev-consumers

Secrets:
Server01/ConjurSync1/DAP_Sync2_Dev/Cloud Service-AWSAccessKeys-CyberarkUser1/password
Server01/ConjurSync1/DAP_Sync2_Dev/Cloud Service-AWSAccessKeys-CyberarkUser1/Username

I typically recommend having a safe per application.
In this case the jenkins host is the application.

So to give the !host jenkins-frontend-dev/frontend-dev-01 the ability to read secrets from the safe DAP_Sync2_Dev

To do this I would load the following policy

- !grant
  role: !group Server01/ConjurSync1/DAP_Sync2_Dev/delegation/consumers
  member: !host jenkins-frontend-dev/frontend-dev-01

If you want granular control of secrets and only want the jenkins host access to the secrets above then load the following policy

- !permit
  role: !host jenkins-frontend-dev/frontend-dev-01
  privilege: [ read, execute ]
  resources:
  - !variable Server01/ConjurSync1/DAP_Sync2_Dev/Cloud Service-AWSAccessKeys-CyberarkUser1/username
  - !variable Server01/ConjurSync1/DAP_Sync2_Dev/Cloud Service-AWSAccessKeys-CyberarkUser1/password

Hopefully this answers your question. Please let me know if you have any other questions.

Regards,
Andrew

1 Like

Hi Sack,

If I was able to answer your question could you please mark my response as solved.

Thanks a bunch,
Andrew

1 Like