Integration between Workato and Conjur is based on the host/workload API key authentication.

For Workato to retrieve a secret from your Conjur instance, an API authentication request is first sent to your Conjur server based on the parameters specified when configuring the CyberArk Conjur connector. If the credentials are valid, Conjur responds with a short-lived access token. Workato then uses this access token to retrieve the actual secret value stored in Conjur if the host has the necessary execute and read permissions.

Policies on Conjur are written as .yml files. Visit the CyberArk Conjur documentation for policy best practices. The following steps describe how to develop a policy file.

For more information on policy syntax operators, refer to the CyberArk Conjur documentation.

1. Declare a group at the root policy:

- !policy
  id: workato-app
  body:
    - !group workato-secret-users
2. Declare variables and assign the group [read, execute] permissions.

This example creates the sql-password-prod and sql-host-prod variables, which store the password for a SQL database and its host name:

- &variables
  - !variable
    id: sql-password-prod
    kind: password
  - !variable
    id: sql-host-prod
    kind: password
- !permit
  role: !group /workato-app/workato-secret-users       # group declared earlier
  privileges: [read, execute]
  resources: *variables
3. Declare the host and a layer, and make the host a member of the layer:

- !host workato-us-prod-1
- !layer workato-us-prod
- !grant
  role: !layer workato-us-prod
  members:
    - !host workato-us-prod-1
4. Grant the layer membership of the group:

- !grant
  role: !group workato-app/workato-secret-users
  member: !layer workato-app/workato-us-prod
5. Create a new secret on Conjur:

- !variable
  id: ddog-api-key
  kind: password
6. Grant the group read and execute permissions on the selected variable:

- !permit
  role: !group /workato-app/workato-secret-users     # group declared earlier
  privileges: [read, execute]
  resources: !variable ddog-api-key
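The two-step exchange described at the top of this page (API key in, short-lived token out, then the token used to read a variable) is shown below as an added example; it is not Workato's or Conjur's own code. The Conjur URL and account name are assumptions, the host login comes from step 3 and the variable id from step 5, and the `fake_conjur` stand-in is constructed so the flow can be run offline.

```python
import base64
import urllib.parse
import urllib.request

# Assumed deployment values (not from the page): your Conjur URL and account.
CONJUR_URL = "https://conjur.example.com"
ACCOUNT = "myorg"
# Login of the host declared at the policy root in step 3.
HOST_LOGIN = "host/workato-us-prod-1"


def quote_id(identifier):
    """Conjur ids and logins contain '/', which must be percent-encoded in URLs."""
    return urllib.parse.quote(identifier, safe="")


def _http(req):
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def authenticate(api_key, send=_http):
    """POST the host's API key; Conjur answers with a short-lived access token.
    Returns the Authorization header value used on later calls."""
    url = f"{CONJUR_URL}/authn/{ACCOUNT}/{quote_id(HOST_LOGIN)}/authenticate"
    req = urllib.request.Request(url, data=api_key.encode(), method="POST",
                                 headers={"Content-Type": "text/plain"})
    token = send(req)
    # The raw token is base64-encoded before it goes into the Authorization header.
    return 'Token token="%s"' % base64.b64encode(token).decode()


def fetch_secret(auth_header, variable_id, send=_http):
    """GET a variable's value; succeeds only if the host has read+execute on it."""
    url = f"{CONJUR_URL}/secrets/{ACCOUNT}/variable/{quote_id(variable_id)}"
    req = urllib.request.Request(url, headers={"Authorization": auth_header})
    return send(req).decode()


# Constructed stand-in for a Conjur server so the flow can be exercised offline.
FAKE_TOKEN = b'{"payload":"demo"}'

def fake_conjur(req):
    if req.get_method() == "POST" and req.full_url.endswith("/authenticate"):
        if req.data != b"constructed-api-key":
            raise PermissionError("401: bad API key")
        return FAKE_TOKEN
    if not req.get_header("Authorization", "").startswith('Token token="'):
        raise PermissionError("401: missing access token")
    return b"constructed-secret-value"


def run_demo():
    header = authenticate("constructed-api-key", send=fake_conjur)
    return fetch_secret(header, "ddog-api-key", send=fake_conjur)
```

Against a real server, drop the `send=` argument so `_http` performs the requests; the host's API key is the credential you enter when configuring the Workato connector.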


Last updated: 7/17/2024, 3:49:18 PM