Revoking a grant

Hi,

I am trying to revoke a grant and it’s not working as expected.

This is the grant policy:

  - !grant
    role: !group QA-CyberArkVault/PCF/DAP_PCF_RITM0410248/delegation/consumers
    members:
    - !layer /pcf/pcf-np/25d20389-7f47-446c-b1e0-4c35e883ea0e/6e556746-ee3b-4c6e-b26c-f39e3685f230
  - !grant
    role: !group QA-CyberArkVault/PCF/DAP_PCF_RITM0410248/delegation/consumers
    members:
    - !layer /pcf/pcf-np/25d20389-7f47-446c-b1e0-4c35e883ea0e/8e1d5b10-5874-4af2-bedb-7e313d0dd3d5
  - !grant
    role: !group QA-CyberArkVault/PCF/DAP_PCF_RITM0410248/delegation/consumers
    members:
    - !layer /pcf/pcf-np/25d20389-7f47-446c-b1e0-4c35e883ea0e/8a808b8d-918a-46ca-819b-5b7d8303fe83

…and the revoke policy:

  - !revoke
    role: !group QA-CyberArkVault/PCF/DAP_PCF_RITM0410248/delegation/consumers
    member: !layer /pcf/pcf-np/25d20389-7f47-446c-b1e0-4c35e883ea0e/6e556746-ee3b-4c6e-b26c-f39e3685f230
  - !revoke
    role: !group QA-CyberArkVault/PCF/DAP_PCF_RITM0410248/delegation/consumers
    member: !layer /pcf/pcf-np/25d20389-7f47-446c-b1e0-4c35e883ea0e/8e1d5b10-5874-4af2-bedb-7e313d0dd3d5
  - !revoke
    role: !group QA-CyberArkVault/PCF/DAP_PCF_RITM0410248/delegation/consumers
    member: !layer /pcf/pcf-np/25d20389-7f47-446c-b1e0-4c35e883ea0e/8a808b8d-918a-46ca-819b-5b7d8303fe83

…and the loading of the policy:

[clb10@C02FG288MD6PMBP ~/tmp/Conjur_Policy_NP:master]# conjur policy load --delete root ~/tmp/revoke_RITM0410248.yml
Loaded policy 'root'
{
"created_roles": {
},
"version": 606
}

But when I log in to the CLI as this PCF space, I can still see the secrets I’m trying to revoke:

[clb10@C02FG288MD6PMBP ~/add_account]# conjur authn login -u host/pcf/pcf-np/25d20389-7f47-446c-b1e0-4c35e883ea0e/6e556746-ee3b-4c6e-b26c-f39e3685f230
Please enter host/pcf/pcf-np/25d20389-7f47-446c-b1e0-4c35e883ea0e/6e556746-ee3b-4c6e-b26c-f39e3685f230's password (it will not be echoed):
Logged in
[clb10@C02FG288MD6PMBP ~/add_account]# conjur list
[
"REDACTED:variable:QA-CyberArkVault/PCF/DAP_PCF_RITM0410248/account/password",
"REDACTED:variable:QA-CyberArkVault/PCF/DAP_PCF_RITM0410248/account/address",
"REDACTED:variable:QA-CyberArkVault/PCF/DAP_PCF_RITM0410248/account/username",

What am I missing?

Hi Chris,
What Conjur version are you using? Is it below 1.8.1?

Rob

We are running 10.11, which was not released GA and is kind of equivalent to 11.0.