conjur-authn-iam-client
Authenticate AWS resources (EC2, Lambda, ECS) with Conjur and easily retrieve secrets.
Certification level
This repo is a Community level project. It's a community contributed project that is not reviewed or supported
by CyberArk. For more detailed information on our certification levels, see our community guidelines.
Requirements
Usage instructions
- Write access token to a file. Use the
-token-path
flag.
- Retrieve a secret from Conjur. Use the
-secret
flag.
- Write Conjur access token to stdout that can be used in a bash script. Do not set the
-secret
or -token-path
flags.
$ ./authenticator -h
Usage of ./authenticator:
-account string
The Conjur account. Environment variable equivalent 'CONJUR_ACCOUNT'. e.g. company, etc
-authn-url string
URL Conjur will be authenticating to. Environment variable equivalent 'CONJUR_AUTHN_URL'. e.g. https://conjur.com/authn-iam/global
-aws-name string
AWS Resource type name. Environment variable equivalent 'CONJUR_AWS_TYPE'. e.g. ec2, lambda, ecs
-ignore-ssl-verify
WARNING: Do not verify the SSL certificate provided by Conjur server. THIS SHOULD ONLY BE USED FOR POC
-login string
Conjur login that will be used. Environment variable equivalent 'CONJUR_AUTHN_LOGIN'. e.g. host/6634674884744/iam-role-name
-secret string
Retrieve a specific secret from Conjur. e.g. db/postgres/username
-silence
Silence debug and info messages
-token-path string
Write the access token to this file. Environment variable equivalent 'CONJUR_ACCESS_TOKEN_PATH'. e.g. /path/to/access-token.json
-url string
The URL to the Conjur instance. Environment variable equivalent 'CONJUR_APPLIANCE_URL'. e.g. https://conjur.com
Examples
Get Conjur Access Token
./authenticator -aws-name ec2 \
-account conjur \
-url https://conjur-master \
-authn-url https://conjur-master/authn-iam/global \
-login host/team1/622705945757/ubuntu-client-conjur-identity
Get Secret
./authenticator -aws-name ec2 \
-account conjur \
-url https://conjur-master \
-authn-url https://conjur-master/authn-iam/global \
-login host/team1/622705945757/ubuntu-client-conjur-identity \
-secret path/to/secret
-silence
Write Conjur Access Token to file
./authenticator -aws-name ec2 \
-account conjur \
-url https://conjur-master \
-authn-url https://conjur-master/authn-iam/global \
-login host/team1/622705945757/ubuntu-client-conjur-identity
-token-path /path/conjur/access.json
EC2
More information about authenticating EC2 instances
Lambda
More information about authenticating Lambda functions
ECS/Fargate
More information about authenticating ECS/Fargate containers
Contributing
We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions
of our development workflows, please see our contributing guide.
License
Copyright (c) 2020 CyberArk Software Ltd. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
For the full license text see LICENSE
.