Hey @leexhadrian,
I’m not sure the exact steps that you took or which version of Conjur or DAP you’re running, but I tried this out on my machine with the quick start Conjur.
It looks like the sample policy `conjur.yml` on the page you linked doesn’t actually entitle the host to retrieve the secret values; to do that, there would need to be a step where either the host `myapp-01` or the layer `myapp` that the host is a member of is added as a member of the `db/secret-users` group. That is, the policy should have a section appended to the bottom that looks like this:
```yaml
- !grant
  role: !group db/secrets-users
  member: !host myapp-01
```
You can update your `conjur.yml` file with this at the bottom and reload the policy using the `--replace` flag. For the quick start, the command looks like this (I put the file in `conf/policy/`):
```sh
docker-compose exec client conjur policy load --replace root /policy/conjur.yml
```
With this change, I was able to run through all of the steps in the Ruby tutorial:
```
conjur-quickstart$ irb
irb(main):001:0> require 'conjur-api'
=> true
irb(main):004:0> Conjur.configuration.appliance_url = 'https://localhost:8443'
=> "https://localhost:8443"
irb(main):005:0> Conjur.configuration.account = 'myConjurAccount'
=> "myConjurAccount"
irb(main):006:0> host_id = "host/myapp-01"
=> "host/myapp-01"
irb(main):007:0> api_key = "5tz9251h5q7gn2p13sz2rkk7pnz2zrmpsehbbybjafheaazhst"
=> "5tz9251h5q7gn2p13sz2rkk7pnz2zrmpsehbbybjafheaazhst"
irb(main):011:0> OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE.add_file "conf/tls/nginx.crt"
=> #<OpenSSL::X509::Store:0x00007f803b84c4f8 @verify_callback=nil, @error=nil, @error_string=nil, @chain=nil, @time=nil>
irb(main):012:0> conjur = Conjur::API.new_from_key host_id, api_key
=> #<Conjur::API:0x00007f803a1ad300 @username="host/myapp-01", @api_key="5tz9251h5q7gn2p13sz2rkk7pnz2zrmpsehbbybjafheaazhst", @remote_ip=nil, @authenticator=#<Conjur::API::APIKeyAuthenticator:0x00007f803a1ad2d8 @account="myConjurAccount", @username="host/myapp-01", @api_key="5tz9251h5q7gn2p13sz2rkk7pnz2zrmpsehbbybjafheaazhst", @token_born=611797.017298>>
irb(main):024:0> puts conjur.token
{"protected"=>"eyJhbGciOiJjb25qdXIub3JnL3Nsb3NpbG8vdjIiLCJraWQiOiJiZmVlMjlhNjkyNjU1MzMzNDRkMzczNWM2ZmJjNWQ0YjNkNzdiMTQyMjE1NTRlNzY3MGEzMTFhYTRhNzBjMmY0In0=", "payload"=>"eyJzdWIiOiJob3N0L215YXBwLTAxIiwiaWF0IjoxNjAwMzY5NTYwfQ==", "signature"=>"B7yXTYmfg9pWywK8oFcqaMNGohF4JAnbm-KoXBRQcbusFo_DIx9oEhCQHM_LjK6lN26ZOPls06HXw5b5uz6V75DVJ_FjkYiTAg4Yo-Va5ljxVSCcQ2jiVN4SIog5fAey0K0BRtVyknmvlzrQaLPbYwZalfM_yEVgaYrW9FUugzDTv2N2DaI_h4Hphn8Jjup3slE9NuksQv7BvnSmrr-0rcX3DeoKbjngfho_T5M3N0oWgWAHwvxIc_ZyNwHntAV9GMNfZdhO6ZnDEbt2t-YX6r3x4NLJsgD8073RkXcUIQQnji3-Vb6Ez_ugiKvbagrDQpqKGRnA2gl4h1ylaXbSeAbEZtadH9DUbQQkrJX-xAKgNHkbNEGI53KWTBiKNapr"}
=> nil
irb(main):030:0> variable = conjur.resource("#{Conjur.configuration.account}:variable:db/password")
=> <Conjur::Variable id='myConjurAccount:variable:db/password'>
irb(main):031:0> puts variable.value
d23b2a850102481eea2fa509
=> nil
```
Note also that the policy will not show you that the host is permitted to `execute` on the webservice; for this to be the case, we’d also have to add the host to the `backend/clients` group:
```yaml
- !grant
  role: !group backend/clients
  member: !host myapp-01
```
Appending this to the policy file and reloading it as above, I am now able to reproduce the commands:
```
irb(main):032:0> webservice = conjur.resource("#{Conjur.configuration.account}:webservice:backend")
=> <Conjur::Webservice id='myConjurAccount:webservice:backend'>
irb(main):035:0> puts webservice.permitted? 'execute'
true
=> nil
irb(main):036:0> puts webservice.permitted? 'update'
false
=> nil
```
I am able to run through the rest of the IRB flow from there.
Hope this helps. I’ll be flagging with our web team that the policy on this page is in need of an update. Thanks!