# CyberArk Conjur {% hint style="info" %} This feature is part of the Enterprise plan. If it is not enabled for your organization, please contact StrongDM at the [StrongDM Help Center](https://help.strongdm.com/hc/en-us). {% endhint %} ### Overview Conjur is a secrets management platform that integrates with popular tools to provide data encryption, identity-based authorizations for humans and machines, and role-based access control for secrets like passwords, SSH keys, and web services. This guide walks you through the steps to integrate Conjur with StrongDM. Secret store integrations allow you to use your existing third-party secret stores with StrongDM. Your credentials are saved in a tool you control. Those credentials are never transmitted to StrongDM in any form. To learn more about secret store integrations and their usage, read the [Secret Stores Reference](/admin/access/secret-stores.md). ### Prerequisites The following items are required to successfully integrate Conjur with StrongDM: * You must be an account administrator in StrongDM. * You should have a healthy gateway or relay to allow authentication with the secret store. * You have access to install the [self-hosted Conjur software](https://www.conjur.org/get-started/quick-start/oss-environment/) in your Conjur instance. * The official Conjur containers are available on [DockerHub](https://hub.docker.com/r/cyberark/conjur/). * For AWS deployments, see the [Conjur Amazon Machine Image (AMI)](https://docs.cyberark.com/conjur-enterprise/latest/en/Content/Deployment/DAP/dap-before-deploy-aws.htm) documentation. * For Kubernetes deployments using Helm, see the [Conjur OSS Helm Chart](https://github.com/cyberark/conjur-oss-helm-chart) repository. ### Configure Conjure Complete these steps to configure your Conjur instance and to set up your integrations with StrongDM: 1. [Install Conjure](#step-1-install-your-environment), set up an account, and initialize an admin user. 2. [Define a policy](#step-2-define-a-policy) that determines your Conjur entities and describes relationships between them. An entity can be a policy, a host, an application (such as StrongDM), a user, a layer, a group, or a variable. 3. [Add secret stores](#step-3-store-a-secret) for specific applications, such as StrongDM, to be able to authenticate to Conjur. #### Step 1: Install your environment For help setting up your Conjur environment, follow [Conjur's Quick Start](https://www.conjur.org/get-started/quick-start/oss-environment/) guide or check the [conjur-quickstart](https://github.com/cyberark/conjur-quickstart) repository. During this setup, you can use Docker to install and start Conjur, generate a master key to encrypt the database, and create an admin account for your Conjur instance. #### Step 2: Define a policy After you set up your Conjur environment, [define a policy](https://www.conjur.org/get-started/quick-start/define-policy/) that determines what users or applications have access to certain credentials. For example, when creating your StrongDM resources, you can define a Postgres policy similar to the following sample YAML file. To learn more about policy statements, read the [Conjur Policy](https://docs.cyberark.com/conjur-open-source/Latest/en/Content/Operations/Policy/statement-ref-policy.htm) documentation. ```yaml - !policy id: Postgres body: # Define a non-human identity that represents an application, as well as username/password secrets - !host StrongDM - !variable dbUser - !variable dbPass - !permit # Give permissions to the non-human identity to read, update, and fetch the password role: !host StrongDM privileges: [read, update, execute] resource: !variable dbPass - !permit # Give permissions to the non-human identity to read, update, and fetch the username role: !host StrongDM privileges: [read, update, execute] resource: !variable dbUser ``` When you submit the policy, Conjur generates API keys and stores them in the location you specified. You receive a JSON response containing information about created roles, such as account IDs, API keys, and other metadata. In our example, the policy defines an API key for an application like StrongDM. Use the generated API keys to [configure your gateway or relay](#configure-your-gateway-or-relay) and to authenticate the application to Conjur. ```json Loaded policy 'root' { "created_roles": { "myConjurAccount:host:Postgres/StrongDM": { "id": "myConjurAccount:host:Postgres/StrongDM", "api_key": "30vdp11zbq1622anzsea2aws45d3kzmtfy1jxg2y4jdy078fvb0a1" } }, "version": 1 } ``` #### Step 3: Store a secret Once you define a policy, [generate and store values](https://www.conjur.org/get-started/quick-start/store-secret/) for your application's secrets. This action gives your application access to Conjur. In the following steps, we continue with the sample policy defined earlier. 1. Log in to your Conjur instance with the API key for your host account. Make sure to replace the colon with `/`: ```shell docker-compose exec client conjur authn login -u host/Postgres/StrongDM ``` 2. Generate a 12-hex character value and store it in a variable: ```shell secretVal=$(openssl rand -hex 12 | tr -d '\r\n') ``` 3. Store secret values for the `dbUser` and `dbPass` variables in our sample policy. For `dbUser`, add the value of the username instead of a random value: ```shell docker-compose exec client conjur variable values add Postgres/dbUser ``` Then set a policy predefined variable named `Postgres/dbPass` with a randomly generated secret: ```shell docker-compose exec client conjur variable values add Postgres/dbPass ${secretVal} ``` Paths to these credentials provide values when [connnecting a StrongDM resource](#connect-to-a-strongdm-resource) to work with Conjur. In our example, we can later set the **Username (path)** value to `Postgres/dbUser` and the **Password (path)** value to `Postgres/dbPass`. For more information about storing secrets in variables, see the [Store a Secret in Conjur](https://www.conjur.org/get-started/quick-start/store-secret/) reference. ### Configure Your Gateway or Relay To allow communication with your Conjur instance, StrongDM needs to know what credentials to use. For this information, refer to the JSON response you received when [defining your Conjur policy](#step-2-define-a-policy). ```json Loaded policy 'root' { "created_roles": { "myConjurAccount:host:Postgres/StrongDM": { "id": "myConjurAccount:host:Postgres/StrongDM", "api_key": "30vdp11zbq1622anzsea2aws45d3kzmtfy1jxg2y4jdy078fvb0a1" } }, "version": 1 } ``` Use this metadata to configure your gateway or relay environment. Add the following properties as environment variables on your relay or gateway. | Property | Description | | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | | `CONJUR_ACCOUNT` | The Conjur account the secrets are registered to (for example, `myConjurAccount` in our JSON sample) | | `CONJUR_AUTHN_LOGIN` | The individual role accessing this secret (for example, `host/Postgres/StrongDM` in our JSON sample); note that the colon is replaced with `/` | | `CONJUR_AUTHN_API_KEY` | The API key for the given username (for example, `30vdp11zbq1622anzs...` in our JSON sample) | ### Create the Secret Store in StrongDM After completing the steps in the previous sections, create the Conjur secret store in the StrongDM Admin UI. 1. Log in to the StrongDM Admin UI. 2. Go to **Settings** > **Secrets Management** and to the **Secret Stores** tab. 3. Click **Add secret store**. 4. Add a **Name** and select **CyberArk Conjur** from the **Type** dropdown. Both fields are required. 5. When the **Application URL** field appears, add the root URL for your Conjur instance. This value serves as the base URL for the **Username (path)** and **Password (path)** fields when you connect a resource. ![](/files/ybPhLF8BjtTtoNwCgTew) 6. Click **Create secret store** to save. If you have configured the relay or gateway server correctly for Conjur secret store access and authorization, you can see the green online indicator. ### Connect to a StrongDM Resource You can now use the CyberArk Conjur secret store when connecting to different StrongDM resources. 1. From the Admin UI, go to **Resources** > **Managed Resources**. 2. Click **Add Resource**. 3. Enter the different properties for your database resource. 4. From the **Secret Store** drop-down, select the Conjur secret store option you created in the [previous section](#create-the-secret-store-in-strongdm). 5. In the **Username (path)** field, add the path to [retrieve the username](#step-3-store-a-secret) and authenticate the application with Conjur. In our example, the path is `Postgres/dbUser`. 6. In the **Password (path)** field, add the path to [retrieve the password](#step-3-store-a-secret) and authenticate the application with Conjur. In our example, the path is `Postgres/dbPass`. 7. When all required fields are complete, click **Create**. When the resource is ready, the **Health** icon indicates a positive, green status. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.strongdm.com/admin/access/secret-stores/cyberark-conjur.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.