Hi,
I am trying to revoke a grant and it’s not working as expected.
This is the grant policy:
- !grant
  role: !group QA-CyberArkVault/PCF/DAP_PCF_RITM0410248/delegation/consumers
  members:
    - !layer /pcf/pcf-np/25d20389-7f47-446c-b1e0-4c35e883ea0e/6e556746-ee3b-4c6e-b26c-f39e3685f230
- !grant
  role: !group QA-CyberArkVault/PCF/DAP_PCF_RITM0410248/delegation/consumers
  members:
    - !layer /pcf/pcf-np/25d20389-7f47-446c-b1e0-4c35e883ea0e/8e1d5b10-5874-4af2-bedb-7e313d0dd3d5
- !grant
  role: !group QA-CyberArkVault/PCF/DAP_PCF_RITM0410248/delegation/consumers
  members:
    - !layer /pcf/pcf-np/25d20389-7f47-446c-b1e0-4c35e883ea0e/8a808b8d-918a-46ca-819b-5b7d8303fe83
…and the revoke policy:
- !revoke
role: !group QA-CyberArkVault/PCF/DAP_PCF_RITM0410248/delegation/consumers
member: !layer /pcf/pcf-np/25d20389-7f47-446c-b1e0-4c35e883ea0e/6e556746-ee3b-4c6e-b26c-f39e3685f230- !revoke
role: !group QA-CyberArkVault/PCF/DAP_PCF_RITM0410248/delegation/consumers
member: !layer /pcf/pcf-np/25d20389-7f47-446c-b1e0-4c35e883ea0e/8e1d5b10-5874-4af2-bedb-7e313d0dd3d5- !revoke
role: !group QA-CyberArkVault/PCF/DAP_PCF_RITM0410248/delegation/consumers
member: !layer /pcf/pcf-np/25d20389-7f47-446c-b1e0-4c35e883ea0e/8a808b8d-918a-46ca-819b-5b7d8303fe83
…and the loading of the policy:
[clb10@C02FG288MD6PMBP ~/tmp/Conjur_Policy_NP:master]# conjur policy load --delete root ~/tmp/revoke_RITM0410248.yml
Loaded policy 'root'
{
  "created_roles": {
  },
  "version": 606
}
But when I log in to the CLI as this PCF space, I can still see the secrets I’m trying to revoke:
[clb10@C02FG288MD6PMBP ~/add_account]# conjur authn login -u host/pcf/pcf-np/25d20389-7f47-446c-b1e0-4c35e883ea0e/6e556746-ee3b-4c6e-b26c-f39e3685f230
Please enter host/pcf/pcf-np/25d20389-7f47-446c-b1e0-4c35e883ea0e/6e556746-ee3b-4c6e-b26c-f39e3685f230's password (it will not be echoed):
Logged in
[clb10@C02FG288MD6PMBP ~/add_account]# conjur list
[
  "REDACTED:variable:QA-CyberArkVault/PCF/DAP_PCF_RITM0410248/account/password",
  "REDACTED:variable:QA-CyberArkVault/PCF/DAP_PCF_RITM0410248/account/address",
  "REDACTED:variable:QA-CyberArkVault/PCF/DAP_PCF_RITM0410248/account/username",
…
What am I missing?