How to Recover a "Misplaced" API Key

So, you’ve gone through the Conjur Quick-Start Tutorials, shutdown your Docker containers, and closed your terminal. Tomorrow morning comes around, and you’re loading up your machine to do more Conjur Tutorials, but oh, no! You realize you never saved the Admin API key that you created last time!

Don’t worry, you don’t have to create a whole new Conjur instance from scratch.

  • Start up the Conjur Docker containers like normal
  • Before opening up a shell in the container
    • Make sure you’re in the directory with Conjur
    • Run this in your terminal:
      docker-compose exec conjur conjurctl role retrieve-key {account}:user:{username}

This will output the API key for the account you’re looking for. To prevent this problem in the future, I would recommend setting a password for human user’s, using this or the command conjur [global options] user update_password [-p arg|--password arg]


I ran through the tutorial to test this out and it worked as expected. This is cool.

When will the conjur-cli Ruby gem get this functionality? I did update to 6.2.1 and don’t see the conjurctl sub-command yet.

Thanks Chris! Glad it was helpful. As for your question, the Conjur container and the Conjur CLI container are separate. The conjurctl command is executed into “conjur” which is the default name in the docker-compose for the Conjur container. The default name for the Conjur CLI in the docker-compose is “client”. When you’re using conjur example commands you are executing on the CLI container, but all conjurctl example commands are executed directly into the Conjur server. I hope that clears up any confusion.

Okay. That makes sense. I didn’t look at the command closely enough. Is the conjurctl command available in Enterprise Conjur?

I’m unable to run it. This is from inside my AAM/DAP container:

root@495e1163e4f8:~# which conjurctl
root@495e1163e4f8:~# find / -name conjurctl -type f 2>/dev/null
root@495e1163e4f8:~# /opt/conjur/possum/bin/conjurctl help
Traceback (most recent call last):
4: from /opt/conjur/possum/bin/conjurctl:8:in <main>' 3: from /opt/conjur/possum/bin/conjurctl:8:inload’
2: from /opt/conjur/possum/bin/conjur-cli.rb:3:in <top (required)>' 1: from /usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:inrequire’
/usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require’: cannot load such file – gli (LoadError)

I was talking about open source. conjurctl doesn’t work in DAP

Hi Jake, would you update the title to reflect open source then? I lost time on the enterprise assumption as well. Better yet, if the use case of discovering the api key can play out in enterprise DAP, then include that in the how-to.
Thanks! -Andy

1 Like

Just updated, sorry for the confusion. I only work with OS, but I was actually just working with people to find the DAP equivalent. I’ll add it to this post as soon as I find it.

1 Like

I’ll be interested in this as well. We’re currently on-boarding PCF apps to our DAP implementation and I like to be able to test which secrets a specific application can see by logging into the conjur CLI as that ‘host’, after I’ve updated the policy to grant that access.

Hi jake

I am getting error: role do not exist : myConjurAccount :user : priya
error : Key retrieval failed

Thanks Jake
Its Working!! Previously i am trying with user priya which does not even exist

1 Like

No problem! Let me know if there’s any other FAQs you’d like me to post or if I could improve any of the ones I’ve already made

1 Like

Hi Jake,
I tried to generate a conjur token but getting error " curl (7) : failed to connect to proxy port 443: Connection Refused " . Can you please help me in solving this

Could you please give me some more details about this and possibly the commands that you ran leading up to the error?

1 Like

When I tried using this command “curl -d “” -k https://proxy/authn/myConjurAccount/host%2FBotApp%2FmyDemoApp/authenticate > /tmp/conjur_token” I am getting this error "curl (7) Failed to connect to proxy port 443: Connection refused. I followed this document to setup Conjur OSS environment ( using Docker Toolbox
Please let me know if you need any further details

Hi Vulli,

Is this related to this guide? This guide uses the CLI, so I’m not sure how it works with the API. If it’s not related to the guide it’d probably benefit you more to make a new topic in the #conjur category.


Yes it is related to that guide (Step 4 : Run the demo app) and i get this error when i trying to run the Botapp which comes as a part conjur oss files from github. I am using docker toolbox and i found that openssl container is not running. Is this openssl creating this curl error ?

@vullipriyanka this seems like you are having problems with the Quick Start Guide rather than this tutorial for recovering a lost API key. I think it’d be best if you started a new topic about this in the #conjur category, and we can help you solve this. Could you also give a list of the containers that are running when you make this post?

Hi Jake,
Lets continue our discussion here Conjur - port 443 error

1 Like