**NEW** Conjur authn-iam Python Client

I am pleased to share a new Conjur Community project - a Python client for using Conjur with authn-iam!

When you use this project, you’ll find it’s even easier to leverage AWS IAM to authenticate with Conjur - which helps especially when using Lambda functions and other AWS-native tools that require secret data from Conjur.

You can find the project in GitHub here - please check it out if you’re working with Python in AWS with Conjur and want to make it even easier!

If you have any questions, you can get in touch with the maintainer (@AndrewCopeland) here or file a GitHub issue.

Feel free to make a post or reach out to me if you run into any issues.

SIlly question. So, the cert_file = ‘conjur-cert.pem’? Is that just the public cert for the follower VIP? And the CA chain is in /etc/ssl/certs/ca-certificates.crt?

Hey @archerbj! The cert_file variable should point to the location of a file with the PEM-encoded x509 CA certificate chain for the DAP / Conjur instance you are connecting to. This value may be obtained by running the command:

$ openssl s_client -showcerts -servername [DAP_INSTANCE_DNS_NAME] \
    -connect [DAP_INSTANCE_DNS_NAME]:443 < /dev/null 2> /dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

That’s one awesome command.

Exactly what we needed.

Thank you!

Okay, so we’re attempting the EC2 sample script:
from conjur import Client
from conjur_iam_client import create_conjur_iam_client_from_env

conjur_client = create_conjur_iam_client_from_env()
conjur_list = conjur_client.list()

and getting a 401 error. So, obviously not grasping something about the ENV variables.

Notes: I’ve obfuscated the account details. Also, the secrets are Synchronized from a Vault.

The ARN is in the form:
“InstanceProfileArn” : “arn:aws:iam::123456789876:instance-profile/aws-test-ec2-test-role”

Setting the environment variables
export CONJUR_APPLIANCE_URL=https://conjur.americancentury.com export AUTHN_IAM_SERVICE_ID=prod
export CONJUR_AUTHN_LOGIN=host/123456789876/aws-test-ec2-test-role export CONJUR_CERT_FILE=./conjur.pem
$ export CONJUR_ACCOUNT=OurConjurAcct

On the Conjur policy side (from ‘conjur list’):
“OurConjurAcct:policy:conjur/authn-iam/prod”,
“OurConjurAcct:webservice:conjur/authn-iam/prod”,
“OurConjurAcct:group:conjur/authn-iam/prod/clients”
…
“OurConjurAcct:policy:conjur/authn-iam/prod/IAMmySecretTest”,
“OurConjurAcct:group:conjur/authn-iam/prod/IAMmySecretTest/secrets_grp”,
“OurConjurAcct:layer:conjur/authn-iam/prod/IAMmySecretTest”,
“OurConjurAcct:host:conjur/authn-iam/prod/IAMmySecretTest/123456789876:role/aws-test-ec2-test-role”

Note: We tried to followed the Conjur documentation for setting up the IAM Authenticator policies.

EC2 python script error:
conjur_iam_client.ConjurIAMAuthnException: Conjur IAM authentication failed with 401 - Unauthorized. Check conjur logs for more information

From Follower nginx log:
“POST /authn-iam/prod/OurConjurAcct/host%2FIAMmySecretTest%2F123456789876%2Faws-test-ec2-test-role/authenticate HTTP/1.1” 401 5 “-” “python-requests/2.24.0” 0.006 0.005

Thanks!

Barry

Hi Barry,

I mentioned this in our email exchange, but figured it might help others to post it here as well. I think your host definition is incorrect. Specifically, the :role portion is not required. The host should be just conjur/authn-iam/prod/IAMmySecretTest/123456789876/aws-test-ec2-test-role. Please let us know how that goes.

Nate

Yes, that definitely helped.

We also found that we needed to make sure that the host entries match between the app policy (where we defined the aws host acct/role) and the policy giving the host permission to use the authn-iam authenticator.

And review all the changes to do a sanity check while troubleshooting.

We’re now working in EC2. Very cool.

Thank you all!