JWT Policy Automation is a demonstration service that automates onboarding a Safe into Privilege Cloud, onboarding a credential into that Safe, and onboarding a JWT-annotated Kubernetes host that is granted access to it through Conjur Cloud.
This repo is a Community level project. It's a community contributed project that is not reviewed or supported by CyberArk. For more detailed information on our certification levels, see our community guidelines.
The below sections describe establishing and setting up resource dependencies in CyberArk Privilege Cloud ISPSS and Kubernetes.
Administrative access to Identity Administration, Privilege Cloud and Conjur Cloud.
It is expected that prior to running the onboarding service, the preparation of the Kubernetes cluster and namespace has been performed in accordance with the documentation.
Using helm, prepare the Kubernetes cluster with the Conjur golden config map (being sure to replace every `{{ placeholder }}` in the snippet below):

```shell
helm install "cluster-prep" cyberark/conjur-config-cluster-prep -n "cyberark-conjur" \
  --create-namespace \
  --set conjur.account="conjur" \
  --set conjur.applianceUrl="https://{{ SUBDOMAIN }}.secretsmgr.cyberark.cloud/api" \
  --set conjur.certificateBase64=$(cat {{ CA_FILE_PATH }} | base64 -w 0) \
  --set authnK8s.authenticatorID="{{ AUTHN_JWT_SERVICE_ID }}" \
  --set authnK8s.clusterRole.create=false \
  --set authnK8s.serviceAccount.create=false
```
Replace the values in the above code snippet using the reference table below:

| Placeholder name | Example value | Description |
|---|---|---|
| `{{ SUBDOMAIN }}` | acme-corp | Subdomain of Conjur Cloud in ISPSS |
| `{{ CA_FILE_PATH }}` | conjur.pem | Conjur Cloud public certificate |
| `{{ AUTHN_JWT_SERVICE_ID }}` | shared-eks * | Some identifier for the k8s cluster |

\* In the 'Prerequisites: Conjur' section, this is `{{ cluster-id }}`.
References:
A certificate, together with its private key, must be issued by an internal Certificate Authority (CA).
Important: Please make the necessary PKI requests before setting up the service.
The certificate is used to terminate TLS for the web server that serves the intake form of the service.
Generate a CSR with the following attributes:

| Attribute | Value | Description |
|---|---|---|
| Subject | `{{ automation-service-name }}` | DNS entry for the onboarding service in Kubernetes |
| SAN | `{{ automation-service-name }}` | DNS entry for the onboarding service in Kubernetes |
| X509 Extended Key Usage | TLS Web Server Authentication (serverAuth) | Extended Key Usage for Web Server Authentication |

For `automation-service-name`, choose the name you'd like to call the onboarding service (e.g., `onboarding`).
Note: The private key must be unencrypted (no passphrase) before it is imported into Privilege Cloud in CyberArk ISPSS.
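As an added example (not part of this project), the following shell snippet generates an unencrypted private key and a CSR carrying the Subject, SAN and serverAuth EKU from the table above, plus the checks worth running before the CSR goes to the internal CA. The service name `onboarding`, the output directory and the 2048-bit RSA key size are assumptions.

```shell
#!/usr/bin/env sh
# Added example: key + CSR for the onboarding service's TLS endpoint.
# Assumed defaults: service name "onboarding", output in the current directory.
set -eu

# gen_onboarding_csr <service-name> [output-dir]
gen_onboarding_csr() {
  name="${1:-onboarding}"
  workdir="${2:-.}"
  conf="$workdir/$name.cnf"
  # OpenSSL request config: CN and SAN both carry the Kubernetes DNS name of the
  # service, and the EKU is restricted to serverAuth as the CSR table requires.
  cat > "$conf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = ext
[ dn ]
CN = $name
[ ext ]
subjectAltName = DNS:$name
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
EOF
  # -nodes writes the key without a passphrase, which the import into
  # Privilege Cloud requires (see the note above).
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$workdir/$name.key" -out "$workdir/$name.csr" -config "$conf"
}

# Pre-submission checks on the generated artifacts.
# csr_has_san <csr> <dns-name>: the SAN extension names the service.
csr_has_san() {
  openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}
# csr_has_server_auth <csr>: the EKU requests serverAuth.
csr_has_server_auth() {
  openssl req -in "$1" -noout -text | grep -q "TLS Web Server Authentication"
}
# key_is_unencrypted <key>: PEM private key with no ENCRYPTED marker.
key_is_unencrypted() {
  grep -q 'PRIVATE KEY' "$1" && ! grep -q 'ENCRYPTED' "$1"
}

# Stand-alone usage: ./gen-csr.sh onboarding [output-dir]
if [ $# -gt 0 ]; then
  gen_onboarding_csr "$1" "${2:-.}"
fi
```

Keep the `.key` file out of version control and out of the container image; it is imported into Privilege Cloud and should exist nowhere else.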
Please refer to Setup for a guided deployment of the service.
To test the onboarding service, you'll first need to create an application identity.
Navigate to the onboarding service user form and use the following tables for reference:
Safe Information

| Attribute | Value | Description |
|---|---|---|
| Application Identity | postgre | The CMDB CI Name or Label (Configuration Identifier) |
| Ownership Group | [email protected] | The group that should have access to the safe |
Credential Information

| Attribute | Value | Description |
|---|---|---|
| Platform | PROD_PostgreSQL * | Platform used in Onboard |
| Username | psql-adm | Demo psql service account |
| Password | CyberArk1234## | Demo password |
| Address | https://some-test.com | https://some-test.com is a dummy service address for demo purposes |
| Query | postgre | The developer query for discovery in Conjur |
| Port | 5432 | 5432 is the service port for PSQL; can change depending on app-specific port dependencies |
| Database | db-test | some-test web service database name |

\* This value should match a database platform previously configured and currently enabled in Privilege Cloud.
Workload Identity

| Attribute | Value | Description |
|---|---|---|
| Namespace | services | Kubernetes namespace the workload runs in |
| Service Account | k8s-sa | k8s-sa is the default service account created for demo purposes |
| Cluster | shared-eks | shared-eks is the name of the EKS cluster authenticator webservice configured and enabled in Conjur Cloud |
Once the form has been filled out as above, select the SUBMIT button at the bottom of the page.
If we're following the logs on the onboarding webservice, we'll see the following trace:

```text
2023/04/18 20:16:57 Successfully built http client.
2023/04/18 20:17:00 {"safeUrlId":"AAM_POSTGRESQL-TEST","safeName":"AAM_POSTGRESQL-TEST","safeNumber":127,"description":"CHG1","location":"\\","creator":{"id":"6067e39a-35a1-4bb0-8e08-83feb1250acd","name":"[email protected]"},"olacEnabled":false,"managingCPM":"","numberOfVersionsRetention":null,"numberOfDaysRetention":0,"autoPurgeEnabled":false,"creationTime":1681849020,"lastModificationTime":1681849014144317}
2023/04/18 20:17:00 {"memberName":"[email protected]","memberType":"User","permissions":{"manageSafe":true,"manageSafeMembers":true,"viewSafeMembers":true,"viewAuditLog":true,"useAccounts":true,"retrieveAccounts":true,"listAccounts":true,"addAccounts":true,"updateAccountContent":true,"updateAccountProperties":true,"renameAccounts":true,"deleteAccounts":true,"unlockAccounts":true}}
2023/04/18 20:17:03 Onboarded Synchronizer.
2023/04/18 20:17:03 Onboarded safe and updated group membership.
2023/04/18 20:17:03 Successfully onboarded credentials into AAM_POSTGRESQL-TEST
2023/04/18 20:17:03 Using authentication strategy api
2023/04/18 20:17:03 Successfully authenticated as host/data/apps/AAM_Automation_Operations to https://sme-andrew.secretsmgr.cyberark.cloud/api
2023/04/18 20:17:03 Sending request [https://sme-andrew.secretsmgr.cyberark.cloud/api/resources/conjur?kind=group&search=AAM_POSTGRESQL-TEST/delegation/consumers&limit=1]
2023/04/18 20:17:03 Safe not found, waiting for replication.. sleeping for 10 seconds..
2023/04/18 20:17:14 Sending request [https://sme-andrew.secretsmgr.cyberark.cloud/api/resources/conjur?kind=group&search=AAM_POSTGRESQL-TEST/delegation/consumers&limit=1]
2023/04/18 20:17:14 Safe not found, waiting for replication.. sleeping for 10 seconds..
2023/04/18 20:17:24 Sending request [https://sme-andrew.secretsmgr.cyberark.cloud/api/resources/conjur?kind=group&search=AAM_POSTGRESQL-TEST/delegation/consumers&limit=1]
2023/04/18 20:17:24 Safe not found, waiting for replication.. sleeping for 10 seconds..
2023/04/18 20:17:34 Sending request [https://sme-andrew.secretsmgr.cyberark.cloud/api/resources/conjur?kind=group&search=AAM_POSTGRESQL-TEST/delegation/consumers&limit=1]
2023/04/18 20:17:34 Safe not found, waiting for replication.. sleeping for 10 seconds..
2023/04/18 20:17:44 Sending request [https://sme-andrew.secretsmgr.cyberark.cloud/api/resources/conjur?kind=group&search=AAM_POSTGRESQL-TEST/delegation/consumers&limit=1]
2023/04/18 20:17:44 Safe not found, waiting for replication.. sleeping for 10 seconds..
2023/04/18 20:17:54 Sending request [https://sme-andrew.secretsmgr.cyberark.cloud/api/resources/conjur?kind=group&search=AAM_POSTGRESQL-TEST/delegation/consumers&limit=1]
...
```
Once the safe is found (or created), we'll get the following response from our onboarding webservice:

```text
...
2023/04/18 20:17:54 Found Conjur Safe
2023/04/18 20:17:54 Successfully onboarded host to Conjur [201]
2023/04/18 20:17:54 Successfully entitled host to AAM_POSTGRESQL-TEST [201]
2023/04/18 20:17:54 {"created_roles":{},"version":1}
```
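The final `{"created_roles":{},"version":1}` line is the response to a Conjur policy load. As an added example that is not the project's own code, the following shell function renders the kind of policy such a load carries for the Workload Identity values in the form above (a JWT-annotated host, membership of the authenticator's consumers group, and an entitlement on the synchronized safe's `delegation/consumers` group), and rejects form values that could break out of the YAML. The branch layout (`data/apps` for hosts, `conjur/authn-jwt/<cluster>/consumers` for the authenticator, `data/vault/<safe>/delegation/consumers` for the safe) and the `<cluster>/<namespace>/<service-account>` host id scheme are assumptions, not values taken from the project.

```shell
#!/usr/bin/env sh
# Added example: render a Conjur policy for a JWT-annotated Kubernetes workload.
# Assumed layout: hosts under the data/apps branch, synced safes under data/vault/<safe>.
set -eu

# Allow-list for form fields that end up inside policy YAML. Kubernetes names and
# Conjur ids fit [A-Za-z0-9._-]; anything else (colons, quotes, newlines, a leading
# dot or dash) is rejected so a crafted form value cannot inject extra policy
# statements or change the meaning of an existing one.
valid_id() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    [A-Za-z0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# render_host_policy <namespace> <service-account> <cluster/authenticator id> <safe>
# Prints the policy to stdout; returns 1 without printing if any value is invalid.
render_host_policy() {
  ns="$1"; sa="$2"; cluster="$3"; safe="$4"
  for v in "$ns" "$sa" "$cluster" "$safe"; do
    valid_id "$v" || { echo "rejected form value: $v" >&2; return 1; }
  done
  cat <<EOF
# Host id mirrors the workload: <cluster>/<namespace>/<service-account>.
# The annotations are what the JWT authenticator matches against the
# namespace and service account claims of the pod's token.
- !host
  id: $cluster/$ns/$sa
  annotations:
    authn-jwt/$cluster/kubernetes.io/namespace: $ns
    authn-jwt/$cluster/kubernetes.io/serviceaccount/name: $sa

# Let the host authenticate through the cluster's JWT authenticator.
- !grant
  role: !group /conjur/authn-jwt/$cluster/consumers
  member: !host $cluster/$ns/$sa

# Entitle the host to read the secrets of the synchronized safe.
- !grant
  role: !group /data/vault/$safe/delegation/consumers
  member: !host $cluster/$ns/$sa
EOF
}

# Stand-alone usage: ./render-policy.sh services k8s-sa shared-eks AAM_POSTGRESQL-TEST > host.yml
if [ $# -eq 4 ]; then
  render_host_policy "$1" "$2" "$3" "$4"
fi
```

Load the rendered file into the branch that holds the hosts (assumed here to be `data/apps`) with the Conjur CLI's `policy load`; the grant on the safe's `delegation/consumers` group only succeeds once the Synchronizer has replicated the safe, which is the wait the log above shows.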
Now, if we return to the /ticket endpoint and the safe and account have been created and onboarded successfully, we should observe the page automatically redirect to /onboard and provide the following output (i.e., the processing request ID and the onboarding actions taken) using the input values from the example above:
```text
Processing Request ID: CHG1
Validated attributes...
Onboarding safe AAM_POSTGRESQL-TEST
Onboarded safe AAM_POSTGRESQL-TEST
Adding credentials to AAM_POSTGRESQL-TEST
Onboarded credentials into AAM_POSTGRESQL-TEST
Checking Conjur safe replication...
Found Conjur Safe
Attempting to create identity
Successfully created identity
Successfully entitled identity
```
Meanwhile, if we take a look at the Privilege Cloud platform, we can see the safe was created with the following members:
By now you might ask, "How does this look from Conjur?"
If we change platforms to Conjur Cloud in the top left-hand corner of the page...
We can switch views to our Conjur Cloud instance.
From there, we can click on Resources.
And from the Resources view, we can filter our view on resource type of Workloads.
From here, we can find our service account and its access of resources via its entitlements:
We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our contributing guide.
Copyright (c) 2020 CyberArk Software Ltd. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
For the full license text see LICENSE.