Sample ruby does not work?

Hi all,

I am following the sample ruby guide (https://www.conjur.org/get-started/tutorials/ruby-api/)

I can't seem to get the db values. I keep getting the error below. Any idea why this is so? I can log in with no issue at all…

irb(main):011:0> variable = conjur.resource("#{Conjur.configuration.account}:variable:db/password")
=> <Conjur::Variable id='myConjurAccount:variable:db/password'>
irb(main):012:0> puts variable.value
Traceback (most recent call last):
12: from /usr/bin/irb:11:in `<main>'
11: from (irb):12
10: from /var/lib/gems/2.5.0/gems/conjur-api-5.3.3/lib/conjur/variable.rb:199:in `value'
9: from /var/lib/gems/2.5.0/gems/rest-client-2.1.0/lib/restclient/resource.rb:51:in `get'
8: from /var/lib/gems/2.5.0/gems/rest-client-2.1.0/lib/restclient/request.rb:63:in `execute'
7: from /var/lib/gems/2.5.0/gems/rest-client-2.1.0/lib/restclient/request.rb:163:in `execute'
6: from /var/lib/gems/2.5.0/gems/rest-client-2.1.0/lib/restclient/request.rb:727:in `transmit'
5: from /usr/lib/ruby/2.5.0/net/http.rb:910:in `start'
4: from /var/lib/gems/2.5.0/gems/rest-client-2.1.0/lib/restclient/request.rb:743:in `block in transmit'
3: from /var/lib/gems/2.5.0/gems/rest-client-2.1.0/lib/restclient/request.rb:836:in `process_result'
2: from /var/lib/gems/2.5.0/gems/rest-client-2.1.0/lib/restclient/abstract_response.rb:129:in `return!'
1: from /var/lib/gems/2.5.0/gems/rest-client-2.1.0/lib/restclient/abstract_response.rb:249:in `exception_with_response'
RestClient::NotFound (404 Not Found)


Hey @leexhadrian,

I’m not sure the exact steps that you took or which version of Conjur or DAP you’re running, but I tried this out on my machine with the quick start Conjur.

It looks like the sample policy conjur.yml on the page you linked doesn’t actually entitle the host to retrieve the secret values; to do that, there would need to be a step where either the host myapp-01 or the layer myapp that the host is a member of is added as a member of the db/secrets-users group. That is, the policy should have a section appended to the bottom that looks like this:

- !grant
  role: !group db/secrets-users
  member: !host myapp-01

You can update your conjur.yml file with this at the bottom and reload the policy using the --replace flag - for the quick start, the command looks like this (I put the file in conf/policy/):

docker-compose exec client conjur policy load --replace root /policy/conjur.yml

With this change, I was able to run through all of the steps in the Ruby tutorial:

conjur-quickstart$ irb
irb(main):001:0> require 'conjur-api'
=> true
irb(main):004:0> Conjur.configuration.appliance_url = 'https://localhost:8443'
=> "https://localhost:8443"
irb(main):005:0> Conjur.configuration.account = 'myConjurAccount'
=> "myConjurAccount"
irb(main):006:0> host_id = "host/myapp-01"
=> "host/myapp-01"
irb(main):007:0> api_key = "5tz9251h5q7gn2p13sz2rkk7pnz2zrmpsehbbybjafheaazhst"
=> "5tz9251h5q7gn2p13sz2rkk7pnz2zrmpsehbbybjafheaazhst"
irb(main):011:0> OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE.add_file "conf/tls/nginx.crt"
=> #<OpenSSL::X509::Store:0x00007f803b84c4f8 @verify_callback=nil, @error=nil, @error_string=nil, @chain=nil, @time=nil>
irb(main):012:0> conjur = Conjur::API.new_from_key host_id, api_key
=> #<Conjur::API:0x00007f803a1ad300 @username="host/myapp-01", @api_key="5tz9251h5q7gn2p13sz2rkk7pnz2zrmpsehbbybjafheaazhst", @remote_ip=nil, @authenticator=#<Conjur::API::APIKeyAuthenticator:0x00007f803a1ad2d8 @account="myConjurAccount", @username="host/myapp-01", @api_key="5tz9251h5q7gn2p13sz2rkk7pnz2zrmpsehbbybjafheaazhst", @token_born=611797.017298>>
irb(main):024:0> puts conjur.token
{"protected"=>"eyJhbGciOiJjb25qdXIub3JnL3Nsb3NpbG8vdjIiLCJraWQiOiJiZmVlMjlhNjkyNjU1MzMzNDRkMzczNWM2ZmJjNWQ0YjNkNzdiMTQyMjE1NTRlNzY3MGEzMTFhYTRhNzBjMmY0In0=", "payload"=>"eyJzdWIiOiJob3N0L215YXBwLTAxIiwiaWF0IjoxNjAwMzY5NTYwfQ==", "signature"=>"B7yXTYmfg9pWywK8oFcqaMNGohF4JAnbm-KoXBRQcbusFo_DIx9oEhCQHM_LjK6lN26ZOPls06HXw5b5uz6V75DVJ_FjkYiTAg4Yo-Va5ljxVSCcQ2jiVN4SIog5fAey0K0BRtVyknmvlzrQaLPbYwZalfM_yEVgaYrW9FUugzDTv2N2DaI_h4Hphn8Jjup3slE9NuksQv7BvnSmrr-0rcX3DeoKbjngfho_T5M3N0oWgWAHwvxIc_ZyNwHntAV9GMNfZdhO6ZnDEbt2t-YX6r3x4NLJsgD8073RkXcUIQQnji3-Vb6Ez_ugiKvbagrDQpqKGRnA2gl4h1ylaXbSeAbEZtadH9DUbQQkrJX-xAKgNHkbNEGI53KWTBiKNapr"}
=> nil
irb(main):030:0> variable = conjur.resource("#{Conjur.configuration.account}:variable:db/password")
=> <Conjur::Variable id='myConjurAccount:variable:db/password'>
irb(main):031:0> puts variable.value
d23b2a850102481eea2fa509
=> nil

Note also that the policy will not show you that the host is permitted to execute on the webservice - for this to be the case, we’d also have to add the host to the backend/clients group:

- !grant
  role: !group backend/clients
  member: !host myapp-01

Appending this to the policy file and reloading it as above, I am now able to reproduce the commands:

irb(main):032:0> webservice = conjur.resource("#{Conjur.configuration.account}:webservice:backend")
=> <Conjur::Webservice id='myConjurAccount:webservice:backend'>
irb(main):035:0> puts webservice.permitted? 'execute'
true
=> nil
irb(main):036:0> puts webservice.permitted? 'update'
false
=> nil

I am able to run through the rest of the IRB flow from there.

Hope this helps, I’ll be flagging with our web team that the policy on this page is in need of an update. Thanks!
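The missing-grant condition described in the answer above can be checked offline before reloading a policy. This is an added example, not part of the original posts and not Conjur's own code: the helper names (`role_label`, `grant_edges`, `roles_held_by`) and the sample policy text are constructed for illustration, and it only follows `!grant` statements written with full ids at root level (it does not resolve ids relative to a `!policy` body or evaluate `!permit`).

```ruby
require 'psych'
require 'set'

# Constructed sample policy (not the tutorial's conjur.yml); full ids at root level.
POLICY_BEFORE = <<~YAML
  - !group db/secrets-users
  - !layer myapp
  - !host myapp-01
  - !grant
    role: !layer myapp
    member: !host myapp-01
YAML

# The same policy with the grant from the answer appended.
POLICY_AFTER = POLICY_BEFORE + <<~YAML
  - !grant
    role: !group db/secrets-users
    member: !host myapp-01
YAML

# "kind:id" label for a tagged scalar such as `!host myapp-01`.
def role_label(node)
  "#{node.tag.to_s.delete_prefix('!')}:#{node.value}"
end

# [member, role] pairs for every !grant statement found in the policy text.
def grant_edges(policy_yaml)
  grants = Psych.parse(policy_yaml).select { |n| n.is_a?(Psych::Nodes::Mapping) && n.tag == '!grant' }
  grants.flat_map do |g|
    fields = g.children.each_slice(2).to_h { |k, v| [k.value, v] }
    role = fields['role']
    members = fields['member'] || fields['members']
    next [] unless role.is_a?(Psych::Nodes::Scalar) && members
    list = members.is_a?(Psych::Nodes::Sequence) ? members.children : [members]
    list.grep(Psych::Nodes::Scalar).map { |m| [role_label(m), role_label(role)] }
  end
end

# Every role the member holds, directly or through a chain of grants.
def roles_held_by(policy_yaml, member)
  edges = grant_edges(policy_yaml)
  held, queue = Set.new, [member]
  until queue.empty?
    current = queue.shift
    edges.each { |m, r| queue << r if m == current && held.add?(r) }
  end
  held
end
```

Calling `roles_held_by(POLICY_BEFORE, 'host:myapp-01')` shows the host holding only the layer role, which is the state that produced the 404 in the question; a grant to `!layer myapp` instead of the host is followed transitively as well.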

Hi @izgerij

Thanks very much for this! I am also using the quick start guide :slight_smile: I tried the docker-compose exec command you gave and it worked.

However, I tried the same steps in another environment: AWS. I tried to connect from my local computer to my AWS machine. XXXXXX is the ip of my AWS VM.

require 'conjur-api'
Conjur.configuration.appliance_url = "https://XXXXXX:8443"
Conjur.configuration.account = "myConjurAccount"
host_id = "host/myapp-01"
api_key = "1x34aa51yydvq2f6r7tc1jnyqsy2agzx56w5q8511s9xeyz26a3prr"
OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE.add_file "conf/tls/nginx.crt"
conjur = Conjur::API.new_from_key host_id, api_key
puts conjur.token

but got a

Traceback (most recent call last):
10: from (irb#1):8
9: from /Users/adrianlee/.rbenv/versions/2.6.1/lib/ruby/gems/2.6.0/gems/conjur-api-5.3.3/lib/conjur/base.rb:153:in `token'
8: from /Users/adrianlee/.rbenv/versions/2.6.1/lib/ruby/gems/2.6.0/gems/conjur-api-5.3.3/lib/conjur/base.rb:331:in `refresh_token'
7: from /Users/adrianlee/.rbenv/versions/2.6.1/lib/ruby/gems/2.6.0/gems/conjur-api-5.3.3/lib/conjur/base.rb:221:in `refresh_token'
6: from /Users/adrianlee/.rbenv/versions/2.6.1/lib/ruby/gems/2.6.0/gems/conjur-api-5.3.3/lib/conjur/api/authn.rb:65:in `authenticate'
5: from /Users/adrianlee/.rbenv/versions/2.6.1/lib/ruby/gems/2.6.0/gems/rest-client-2.1.0/lib/restclient/resource.rb:69:in `post'
4: from /Users/adrianlee/.rbenv/versions/2.6.1/lib/ruby/gems/2.6.0/gems/rest-client-2.1.0/lib/restclient/request.rb:63:in `execute'
3: from /Users/adrianlee/.rbenv/versions/2.6.1/lib/ruby/gems/2.6.0/gems/rest-client-2.1.0/lib/restclient/request.rb:163:in `execute'
2: from /Users/adrianlee/.rbenv/versions/2.6.1/lib/ruby/gems/2.6.0/gems/rest-client-2.1.0/lib/restclient/request.rb:651:in `transmit'
1: from /Users/adrianlee/.rbenv/versions/2.6.1/lib/ruby/gems/2.6.0/gems/rest-client-2.1.0/lib/restclient/request.rb:776:in `rescue in transmit'
RestClient::SSLCertificateNotVerified (SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate))

Sorry, I am a first-time user of CyberArk and nginx, so I am unsure about why the certs are like this.

PS: I also tried to deploy a load balancer, upload my SSL certs but when I tried to do

docker-compose exec client conjur init -u https://xxx-aaaa.ap-southeast-1.elb.amazonaws.com:8443 -a myConjurAccount

SHA1 Fingerprint=6D:AB:73:3F:E6:FA:8D:10:78:C8:D1:7F:9E:D7:A5:81:B5:31:3B:1C

Please verify this certificate on the appliance using command:
              openssl x509 -fingerprint -noout -in ~conjur/etc/ssl/conjur.pem

Trust this certificate (yes/no): yes
Wrote certificate to /root/conjur-myConjurAccount.pem
Wrote configuration to /root/.conjurrc

When I tried to do

docker-compose exec client conjur authn login -u admin
Please enter admin's password (it will not be echoed):
error: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unspecified certificate verification error)

Are there any proper documents around where we can see how to configure on AWS? It seems the documents on CyberArk are quite lacking, which makes it hard to evaluate against other tools like Vault.

Hi all, I managed to get it working already. Managed to deploy to AWS also. The documents are quite lacking sometimes. That's my only comment. Other than that it works.

@leexhadrian I’m sorry to hear you had trouble finding the info you needed in the docs. If you’d be willing to share which specific topics / sections you felt were lacking, I’ll get that into our backlog of items to improve.

I’m glad you were able to get it working in any case :slight_smile: