cyberark.conjur.conjur_variable lookup – Fetch credentials from CyberArk Conjur.
Note
This lookup plugin is part of the cyberark.conjur collection (version 1.3.12).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install cyberark.conjur.
You need further requirements to be able to use this lookup plugin,
see Requirements for details.
To use it in a playbook, specify: cyberark.conjur.conjur_variable.
New in cyberark.conjur 1.0.2
Synopsis
Retrieves credentials from Conjur using the controlling host's Conjur identity, environment variables, or extra-vars.
- Environment variables: CONJUR_ACCOUNT, CONJUR_APPLIANCE_URL, CONJUR_CERT_FILE, CONJUR_CERT_CONTENT, CONJUR_AUTHN_LOGIN, CONJUR_AUTHN_API_KEY, CONJUR_AUTHN_JWT_TOKEN, CONJUR_AUTHN_TOKEN_FILE, CONJUR_AUTHN_TYPE, CONJUR_AUTHN_SERVICE_ID, AZURE_CLIENT_ID
- Extra-vars: conjur_account, conjur_appliance_url, conjur_cert_file, conjur_cert_content, conjur_authn_login, conjur_authn_jwt_token, conjur_authn_api_key, conjur_authn_token_file, conjur_authn_type, conjur_authn_service_id, azure_client_id
- Conjur info: https://www.conjur.org/
Requirements
The below requirements are needed on the local controller node that executes this lookup.
The controlling host running Ansible has a Conjur identity. (More: https://docs.conjur.org/latest/en/Content/Get%20Started/key_concepts/machine_identity.html)
Terms
| Parameter | Comments |
|---|---|
| _terms | Variable path to retrieve from Conjur. IMPORTANT: do NOT URL-encode this path; the plugin handles encoding automatically. For paths with spaces, use '/path/to/secret with spaces', NOT '/path/to/secret+with+spaces' or '/path/to/secret%20with%20spaces'. |
Keyword parameters
This describes keyword parameters of the lookup. These are the values key1=value1, key2=value2 and so on in the following
examples: lookup('cyberark.conjur.conjur_variable', key1=value1, key2=value2, ...) and query('cyberark.conjur.conjur_variable', key1=value1, key2=value2, ...)
| Parameter | Comments |
|---|---|
| as_file | Stores the lookup result in a temporary file and returns the file path, so that the secret can be consumed as an Ansible file parameter (for example ansible_ssh_private_key_file). Choices: false (default), true |
| azure_client_id | Client ID for an Azure user-assigned managed identity. Configuration: environment variable AZURE_CLIENT_ID; extra-var azure_client_id |
| config_file | Path to the Conjur configuration file. The configuration file is a YAML file. Default: /etc/conjur.conf |
| conjur_account | Conjur account. Configuration: environment variable CONJUR_ACCOUNT; extra-var conjur_account |
| conjur_appliance_url | Conjur appliance URL. Configuration: environment variable CONJUR_APPLIANCE_URL; extra-var conjur_appliance_url |
| conjur_authn_api_key | Conjur authn API key. Configuration: environment variable CONJUR_AUTHN_API_KEY; extra-var conjur_authn_api_key |
| | Host resolution mode for authn-cert authentication. Valid values are 'request' (default) and 'spiffe'. In 'request' mode the workload identity (conjur_authn_login) must be provided and is included in the authentication URL. In 'spiffe' mode the workload identity is derived from the X.509 SVID SPIFFE URI embedded in the client certificate and conjur_authn_login is not required. Default: request |
| | Identity resolution mode for authn-jwt authentication. Valid values are 'url' (default) and 'token-app-property'. In 'url' mode the workload identity (conjur_authn_login) is included in the authentication URL path; CyberArk documentation states this mode should not be used in production environments. In 'token-app-property' mode the workload identity is derived solely from a claim inside the JWT, as configured by the token-app-property annotation in the Conjur policy, and conjur_authn_login is not required. Default: url |
| conjur_authn_jwt_token | Conjur authn-jwt token. Configuration: environment variable CONJUR_AUTHN_JWT_TOKEN; extra-var conjur_authn_jwt_token |
| | Path to a file containing the JWT used for authn-jwt authentication. The file must be readable only by the owner (permissions 0600 or stricter). Takes precedence over conjur_authn_jwt_token when both are set. The file is not deleted by the plugin after use. |
| conjur_authn_login | Conjur authn login. Configuration: environment variable CONJUR_AUTHN_LOGIN; extra-var conjur_authn_login |
| conjur_authn_service_id | Service ID for cloud-based authenticators. Configuration: environment variable CONJUR_AUTHN_SERVICE_ID; extra-var conjur_authn_service_id |
| conjur_authn_token_file | Path to the access token file. Configuration: environment variable CONJUR_AUTHN_TOKEN_FILE; extra-var conjur_authn_token_file |
| conjur_authn_type | Type of Conjur authenticator. Configuration: environment variable CONJUR_AUTHN_TYPE; extra-var conjur_authn_type |
| conjur_cert_content | Content of the Conjur cert. Configuration: environment variable CONJUR_CERT_CONTENT; extra-var conjur_cert_content |
| conjur_cert_file | Path to the Conjur cert file. Configuration: environment variable CONJUR_CERT_FILE; extra-var conjur_cert_file |
| | Path to the client certificate file (PEM format) used for authn-cert mutual TLS authentication. Required when conjur_authn_type is set to 'authn-cert'. The certificate must be signed by the CA configured for the authn-cert service in Conjur. |
| | Path to the client private key file (PEM format) used for authn-cert mutual TLS authentication. Required when conjur_authn_type is set to 'authn-cert'. |
| identity_file | Path to the Conjur identity file. The identity file follows the netrc file format convention. Default: /etc/conjur.identity |
| | Time in seconds to wait between retry attempts. Default: 10 |
| validate_certs | Flag to control SSL certificate validation. Choices: false, true (default) |
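A fuller playbook, added here as an illustration and not taken from the collection's own documentation, that exercises the terms rule above (a path containing a space, passed unencoded) together with the keyword parameters from the table: authn-jwt authentication and as_file. The account name myorg, the appliance URL, the CA bundle path, the service ID ansible, the host identity host/ansible/controller, the CI_ID_TOKEN environment variable, the variable path ansible/ssh/deploy key and the app_servers inventory group are all assumed placeholders.

```yaml
---
# Added example (not from the cyberark.conjur collection's docs).
# All names below are assumed placeholders for your own environment.
- name: Fetch the deployment SSH key from Conjur
  hosts: localhost
  gather_facts: false
  vars:
    # The JWT is issued to the controller by its CI platform and read from the
    # process environment (CI_ID_TOKEN is an assumed name), so it never sits
    # in a playbook, inventory or vars file.
    ci_jwt: "{{ lookup('ansible.builtin.env', 'CI_ID_TOKEN') }}"
  tasks:
    - name: Retrieve the key as a temporary file rather than as a string
      ansible.builtin.set_fact:
        # The path is passed exactly as written in Conjur; the plugin
        # URL-encodes the space itself, so do not write 'deploy+key'.
        deploy_key_path: >-
          {{ lookup('cyberark.conjur.conjur_variable',
                    'ansible/ssh/deploy key',
                    as_file=true,
                    conjur_account='myorg',
                    conjur_appliance_url='https://conjur.example.com',
                    conjur_cert_file='/etc/conjur/conjur-ca.pem',
                    validate_certs=true,
                    conjur_authn_type='authn-jwt',
                    conjur_authn_service_id='ansible',
                    conjur_authn_login='host/ansible/controller',
                    conjur_authn_jwt_token=ci_jwt) }}
      # Keep everything this task handles (arguments and result) out of the log.
      no_log: true

    - name: Fail closed if the lookup did not return a path
      ansible.builtin.assert:
        that:
          - deploy_key_path | length > 0
        quiet: true

- name: Use the fetched key without ever printing it
  hosts: app_servers
  gather_facts: false
  vars:
    # set_fact results persist across plays via hostvars.
    ansible_ssh_private_key_file: "{{ hostvars['localhost']['deploy_key_path'] }}"
  tasks:
    - name: Confirm the hosts are reachable with the Conjur-supplied key
      ansible.builtin.ping:
```

This uses the default 'url' identity resolution mode for authn-jwt (the workload identity goes in the authentication URL), which the table notes is not recommended for production; once the Conjur policy carries the token-app-property annotation, switch to 'token-app-property' mode and drop conjur_authn_login. validate_certs stays true and the CA is pinned with conjur_cert_file, so the JWT is never presented to an unverified endpoint. The same connection settings could instead come from the CONJUR_* environment variables or the conjur_* extra-vars listed in the synopsis; keyword parameters are shown here because they keep the choice of authenticator visible in the task itself.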
Note
Configuration entries listed above for each entry type (Ansible variable, environment variable, and so on) have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up. The entry types are also ordered by precedence from low to high priority order. For example, an ansible.cfg entry (further up in the list) is overwritten by an Ansible variable (further down in the list).
Notes
Note
When keyword and positional parameters are used together, positional parameters must be listed before keyword parameters:
lookup('cyberark.conjur.conjur_variable', term1, term2, key1=value1, key2=value2) and query('cyberark.conjur.conjur_variable', term1, term2, key1=value1, key2=value2)
Examples
---
- hosts: localhost
collections:
- cyberark.conjur
tasks:
- name: Lookup variable in Conjur
debug:
msg: "{{ lookup('cyberark.conjur.conjur_variable', '/path/to/secret') }}"
Return Value
| Key | Description |
|---|---|
| _raw | Value stored in Conjur. Returned: success |