Configure CyberArk Conjur as a vault backend

Uses: Kong Gateway, decK
Incompatible with: Konnect
Minimum version: Kong Gateway 3.11
TL;DR

Configure a Vault entity with config.auth_method: api_key, your Conjur endpoint URL (config.endpoint_url), account name (config.account), login (config.login), and API key (config.api_key). Reference the secret like {vault://conjur-vault/BotApp%2FsecretVar}, assuming your Vault prefix is conjur-vault and your secret was stored as BotApp/secretVar.

Prerequisites

This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.

  1. Export your license to an environment variable:

     export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'

  2. Run the quickstart script:

     curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA

     Once Kong Gateway is ready, you will see the following message:

     Kong Gateway Ready

decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial you will first need to install decK.

To run this tutorial, you’ll need CyberArk Conjur running with a secret stored.

If you don’t already have CyberArk Conjur, you can follow the Docker quickstart guide to set up an OSS environment, define a policy, and store a secret.

If you’re running Conjur in Docker, change the proxy ports in docker-compose.yml to "9443:443". Make sure the Kong Gateway and Conjur containers are using the same Docker network. If they aren’t, you can run docker network connect kong-quickstart-net conjur_server to connect the Conjur compose stack to the Kong Gateway quickstart network.

Export the Conjur environment variables:

export DECK_CONJUR_ENDPOINT_URL='http://conjur_server:80'
export DECK_CONJUR_ACCOUNT='myConjurAccount'
export DECK_CONJUR_LOGIN='host/BotApp/myDemoApp'
export DECK_CONJUR_API_KEY='YOUR-API-KEY'

These environment variables use values from the Conjur Docker quickstart. If you are running Conjur in a different environment, modify them as needed.

You can find your API key listed under myConjurAccount:host:BotApp/myDemoApp in the my_app_data file.

Create a Vault entity for CyberArk Conjur

Using decK, create a Vault entity with the required parameters for CyberArk Conjur:

echo '
_format_version: "3.0"
vaults:
  - name: conjur
    description: Storing secrets in Conjur Vault
    prefix: conjur-vault
    config:
      endpoint_url: "${{ env "DECK_CONJUR_ENDPOINT_URL" }}"
      account: "${{ env "DECK_CONJUR_ACCOUNT" }}"
      login: "${{ env "DECK_CONJUR_LOGIN" }}"
      auth_method: api_key
      api_key: "${{ env "DECK_CONJUR_API_KEY" }}"
' | deck gateway apply -

Validate

To validate that the secret was stored correctly in Conjur, you can call a secret from your vault using the kong vault get command within the Data Plane container:

kong vault get {vault://conjur-vault/BotApp%2FsecretVar}

This assumes your secret was stored in BotApp/secretVar in Conjur.

If the Vault was configured correctly, this command returns the value of the secret. You can then use {vault://conjur-vault/BotApp%2FsecretVar} to reference the secret in any referenceable field.

Cleanup

If you’re using the Conjur Docker quickstart, you can clean up Conjur by deleting the conjur-quickstart Docker compose stack.

To remove the Kong Gateway quickstart instance, run the quickstart script with the -d (destroy) flag:

curl -Ls https://get.konghq.com/quickstart | bash -s -- -d

FAQs

How do I rotate a secret stored in Conjur?

You can rotate your secret in CyberArk Conjur by creating a new secret version with the updated value. You’ll also want to configure the ttl settings in your Kong Gateway Vault entity so that Kong Gateway pulls the rotated secret periodically.

Why does the secret reference contain %2F instead of a slash?

Because Conjur secrets are organized under policies, when referencing secrets defined in a non-root policy you must encode the / in the secret reference. For example, {vault://conjur-vault/BotApp%2FsecretVar} is correct, while {vault://conjur-vault/BotApp/secretVar} is incorrect.
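The slash-encoding rule above is easy to get wrong by hand, so the following POSIX shell helper is an added example (not part of the Kong docs or the decK project) that builds a Kong vault reference for a Conjur variable, encoding every / in the Conjur policy path as %2F, and checks an existing reference for an unencoded slash before it is handed to kong vault get (the Validate step above). The prefix conjur-vault and the path BotApp/secretVar are taken from this page; the helper names conjur_vault_ref, conjur_ref_is_valid and resolve_conjur_secret are this example's own.

```shell
#!/bin/sh
# Added example, not from the Kong docs: construct and sanity-check Kong vault
# references for Conjur secrets. Function names are this example's own.

# conjur_vault_ref PREFIX SECRET_PATH
#   PREFIX      the `prefix` of the Vault entity, e.g. conjur-vault
#   SECRET_PATH the Conjur variable id, e.g. BotApp/secretVar
# Prints {vault://PREFIX/ENCODED_PATH}, with every "/" in the Conjur path
# encoded as "%2F" so Kong does not split the policy path into its own parts.
conjur_vault_ref() {
    prefix=$1
    secret_path=$2
    encoded=$(printf '%s' "$secret_path" | sed 's#/#%2F#g')
    printf '{vault://%s/%s}\n' "$prefix" "$encoded"
}

# conjur_ref_is_valid REFERENCE
# Returns 0 when REFERENCE has the shape {vault://PREFIX/RESOURCE} and the
# RESOURCE part contains no raw "/" (a raw "/" means a nested policy path was
# not encoded and Kong would look up the wrong resource).
conjur_ref_is_valid() {
    ref=$1
    case $ref in
        "{vault://"*"}") ;;
        *) return 1 ;;
    esac
    body=${ref#\{vault://}
    body=${body%\}}
    # The first "/" separates the vault prefix from the resource.
    case $body in
        */*) ;;
        *) return 1 ;;
    esac
    resource=${body#*/}
    case $resource in
        */*) return 1 ;;
    esac
    return 0
}

# resolve_conjur_secret PREFIX SECRET_PATH
# Builds the reference, refuses to proceed if it is malformed, and resolves it
# through the kong CLI (run inside the Kong Gateway container where kong exists).
resolve_conjur_secret() {
    ref=$(conjur_vault_ref "$1" "$2")
    if ! conjur_ref_is_valid "$ref"; then
        echo "refusing to resolve malformed reference: $ref" >&2
        return 1
    fi
    kong vault get "$ref"
}

# Demonstration with the values used on this page (constructed, no Kong needed).
conjur_vault_ref conjur-vault BotApp/secretVar
if conjur_ref_is_valid "{vault://conjur-vault/BotApp/secretVar}"; then
    echo "unexpected: unencoded reference accepted" >&2
fi
# Only attempt the live lookup where the kong CLI is installed.
if command -v kong >/dev/null 2>&1; then
    resolve_conjur_secret conjur-vault BotApp/secretVar
fi
```

The checker is deliberately strict about any raw slash in the resource part: a reference such as {vault://conjur-vault/BotApp/secretVar} is syntactically a valid URL, so nothing else in the pipeline will flag it, and the failure only shows up later as a missing secret at resolution time.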

Can I authenticate as a Conjur user instead of a host?

Yes. If you were authenticating the Dave user, you’d configure "login": "Dave@BotApp" along with the API key for Dave. If you were authenticating the host, you’d use "login": "host/BotApp/myDemoApp" along with the host API key.
