cyberark / conjur-puppet

Official Puppet module for CyberArk Conjur
https://forge.puppet.com/cyberark/conjur
Apache License 2.0

Add information on how the tokens and configuration are handled to the documentation #7

Closed dividedmind closed 6 years ago

dividedmind commented 7 years ago

ok, so here is how:

  • there is a custom fact which runs on the node. if the node is preconfigured with Conjur settings, it sends that data to the master and they're used as defaults.
  • if additionally the host has a Conjur identity pre-configured (e.g. API key in /etc/conjur.identity), it uses that to authenticate to Conjur. it gets back the standard 8-minute Conjur bearer token. that already limits the exposure, but facts are meant to be for public metadata about the host, not for secrets. so before sticking the token into the fact, it encrypts it using the Puppet master's public TLS key.
  • the master, when instantiating the conjur class, looks at the fact and takes all defaults from there. If there is an encrypted token there as well, it decrypts it using its own private key and uses that to authenticate with Conjur whenever it wants to fetch a secret.

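The node-to-master flow described in the comment above, as an added Ruby example that is not the conjur-puppet module's own code: the non-secret settings travel in the fact in clear, while the short-lived bearer token is sealed so that only the holder of the master's private key can read it. Assumptions not on the page: the master's TLS key pair is generated in-process as a stand-in for the real certificate and key files, the fact key names are made up, and because a Conjur token is longer than one RSA block the token is AES-256-GCM encrypted under a random key that is itself RSA-OAEP encrypted to the master (the comment only says the token is encrypted with the master's public TLS key).

```ruby
require 'openssl'
require 'base64'

# Constructed stand-in for the Puppet master's TLS key pair (assumption: the
# node only has the public half from the master's certificate; the page does
# not name the files, so a fresh key is generated here).
MASTER_KEY = OpenSSL::PKey::RSA.new(2048)
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Node side (custom fact): settings stay readable, the token is sealed to the
# master. A random AES-256-GCM key protects the token; only that key goes
# through RSA-OAEP, since tokens exceed what one RSA block can carry.
def build_conjur_fact(settings, token, master_pub)
  aes = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  key, iv = aes.random_key, aes.random_iv
  body = aes.update(token) + aes.final
  settings.merge(
    'encrypted_token' => {
      'key'  => Base64.strict_encode64(master_pub.public_encrypt(key, OAEP)),
      'iv'   => Base64.strict_encode64(iv),
      'tag'  => Base64.strict_encode64(aes.auth_tag),
      'body' => Base64.strict_encode64(body)
    }
  )
end

# Master side: take the defaults from the fact and decrypt the token only if
# one is present. GCM's tag check makes a tampered fact fail loudly.
def read_conjur_fact(fact, master_key)
  defaults = fact.dup
  sealed = defaults.delete('encrypted_token')
  return [defaults, nil] unless sealed
  f = sealed.transform_values { |v| Base64.strict_decode64(v) }
  aes = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  aes.key = master_key.private_decrypt(f['key'], OAEP)
  aes.iv = f['iv']
  aes.auth_tag = f['tag']
  [defaults, aes.update(f['body']) + aes.final]
end

# Constructed sample inputs (not real Conjur settings or a real token).
SETTINGS = { 'appliance_url' => 'https://conjur.example', 'account' => 'demo' }.freeze
TOKEN = '{"data":"host/app","signature":"' + ('x' * 300) + '"}'
```

The sealed fact is safe to leave in PuppetDB or a fact cache, but the 8-minute token lifetime still applies once the master has decrypted it.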
dustinmm80 commented 6 years ago

@dividedmind would you mind making a PR to add this to the README in the appropriate place?

dividedmind commented 6 years ago

Ok, will do :)