Integration between Workato and Conjur is based on the host/workload API key authentication.
For Workato to retrieve a secret from your Conjur instance, an API authentication request is first sent to your Conjur server based on the parameters specified when configuring the CyberArk Conjur connector. If the credentials are valid, Conjur responds with a short-lived access token. Workato then uses this access token to retrieve the actual secret value stored in Conjur if the host has the necessary execute and read permissions.
Policies on Conjur are written as .yml files. Visit the CyberArk Conjur documentation for policy best practices (opens new window). The following steps describe how to develop a policy file.
For more information on policy syntax operators, refer to the CyberArk Conjur documentation (opens new window).
Declare a group at the root policy:
- !policy
id: workato-app
body:
- !group workato-secret-users
Declare variables and assign the group [read, execute] permissions.
This example creates the sql-password-prod and sql-host-prod variables which store the password for a SQL database as well as the host name:
- &variables
- !variable
id: sql-password-prod
kind: password
- !variable
id: sql-host-prod
kind: password
- !permit
role: !group /workato-app/workato-secret-users # group declared earlier
privileges: [read, execute]
resources: *variables
Declare the host, a layer, and assign membership of the host into the layer:
- !host workato-us-prod-1
- !layer workato-us-prod
- !grant
role: !layer workato-us-prod
members:
- !host workato-us-prod-1
Grant membership of the layer into the group:
- !grant
role: !group workato-app/workato-secret-users
member: !layer workato-app/ workato-us-prod
Create a new secret on Conjur:
- !variable
id: ddog-api-key
kind: password
Grant execute and read permissions to group on selected variables:
- !permit
role: !group /workato-app/workato-secret-users # layer declared earlier
privileges: [read, execute]
resources: !variable ddog-api-key
Last updated: 7/17/2024, 3:49:18 PM