cyberark.conjur.conjur_variable lookup – Fetch credentials from CyberArk Conjur.

Note

This lookup plugin is part of the cyberark.conjur collection (version 1.3.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install cyberark.conjur. You need further requirements to be able to use this lookup plugin, see Requirements for details.

To use it in a playbook, specify: cyberark.conjur.conjur_variable.

New in cyberark.conjur 1.0.2

Synopsis

  • Retrieves credentials from Conjur using the controlling host’s Conjur identity, environment variables, or extra-vars. Environment variables could be CONJUR_ACCOUNT, CONJUR_APPLIANCE_URL, CONJUR_CERT_FILE, CONJUR_AUTHN_LOGIN, CONJUR_AUTHN_API_KEY, CONJUR_AUTHN_TOKEN_FILE Extra-vars could be conjur_account, conjur_appliance_url, conjur_cert_file, conjur_authn_login, conjur_authn_api_key, conjur_authn_token_file Conjur info - https://www.conjur.org/.

Requirements

The below requirements are needed on the local controller node that executes this lookup.

Terms

Parameter

Comments

Terms

string / required

Variable path

Keyword parameters

This describes keyword parameters of the lookup. These are the values key1=value1, key2=value2 and so on in the following examples: lookup('cyberark.conjur.conjur_variable', key1=value1, key2=value2, ...) and query('cyberark.conjur.conjur_variable', key1=value1, key2=value2, ...)

Parameter

Comments

as_file

boolean

Store lookup result in a temporary file and returns the file path. Thus allowing it to be consumed as an ansible file parameter (eg ansible_ssh_private_key_file).

Choices:

  • false ← (default)

  • true

config_file

path

Path to the Conjur configuration file. The configuration file is a YAML file.

Default: "/etc/conjur.conf"

Configuration:

  • INI entry:

    [conjur,]
    config_file_path = /etc/conjur.conf
    
  • Environment variable: CONJUR_CONFIG_FILE

conjur_account

string

Conjur account

Configuration:

  • INI entry:

    [conjur,]
    account = VALUE
    
  • Environment variable: CONJUR_ACCOUNT

  • Variable: conjur_account

conjur_appliance_url

string

Conjur appliance url

Configuration:

  • INI entry:

    [conjur,]
    appliance_url = VALUE
    
  • Environment variable: CONJUR_APPLIANCE_URL

  • Variable: conjur_appliance_url

conjur_authn_api_key

string

Conjur authn api key

Configuration:

  • INI entry:

    [conjur,]
    authn_api_key = VALUE
    
  • Environment variable: CONJUR_AUTHN_API_KEY

  • Variable: conjur_authn_api_key

conjur_authn_login

string

Conjur authn login

Configuration:

  • INI entry:

    [conjur,]
    authn_login = VALUE
    
  • Environment variable: CONJUR_AUTHN_LOGIN

  • Variable: conjur_authn_login

conjur_authn_token_file

path

Path to the access token file

Configuration:

  • INI entry:

    [conjur,]
    authn_token_file = VALUE
    
  • Environment variable: CONJUR_AUTHN_TOKEN_FILE

  • Variable: conjur_authn_token_file

conjur_cert_file

path

Path to the Conjur cert file

Configuration:

  • INI entry:

    [conjur,]
    cert_file = VALUE
    
  • Environment variable: CONJUR_CERT_FILE

  • Variable: conjur_cert_file

identity_file

path

Path to the Conjur identity file. The identity file follows the netrc file format convention.

Default: "/etc/conjur.identity"

Configuration:

  • INI entry:

    [conjur,]
    identity_file_path = /etc/conjur.identity
    
  • Environment variable: CONJUR_IDENTITY_FILE

validate_certs

boolean

Flag to control SSL certificate validation

Choices:

  • false

  • true ← (default)

Notes

Note

  • When keyword and positional parameters are used together, positional parameters must be listed before keyword parameters: lookup('cyberark.conjur.conjur_variable', term1, term2, key1=value1, key2=value2) and query('cyberark.conjur.conjur_variable', term1, term2, key1=value1, key2=value2)

Examples

---
  - hosts: localhost
    collections:
      - cyberark.conjur
    tasks:
      - name: Lookup variable in Conjur
        debug:
          msg: "{{ lookup('cyberark.conjur.conjur_variable', '/path/to/secret') }}"

Return Value

Key

Description

Return value

string

Value stored in Conjur.

Returned: success

Authors

  • CyberArk BizDev (@cyberark-bizdev)

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.