Closed jodyhuntatx closed 6 years ago
It appears to me that this is simply for the lack of handling of the default /etc/conjur.identity path at https://github.com/cyberark/conjur-api-go/blob/3913dfda8820d6e625209c24b8d91156ba1e942d/conjurapi/client.go#L89 -- an issue should be filed there.
Neither the Ruby CLI nor the Go API read /etc/conjur.identity by default. Both will honor a netrc_path setting in the config. (When you conjurize a machine, it adds the entry "netrc_path": "/etc/conjur.identity" to /etc/conjur.conf.) Currently, the Go API doesn't read ~/.netrc by default.
The /etc/conjur.conf above doesn't contain an entry for netrc_path. However, the conjur auth login step updates ~/.netrc. This causes the subsequent conjur variable list to succeed because it uses the new entry in ~/.netrc. If conjur variable list was attempted after ~/.netrc was removed, it would have failed, just like summon did.
CONJUR.CONF file contents
jenkins@936ec69a14e6:/demo$ cat /etc/conjur.conf
appliance_url: https://conjur_master/api
account: dev
cert_file: "/etc/conjur-dev.pem"
plugins: []
CERT contents (elided)
jenkins@936ec69a14e6:/demo$ cat /etc/conjur-dev.pem
-----BEGIN CERTIFICATE----- MIIDPzCCAiegAwIBAgIVAPY+cK34D5EBbNVdJO1BYPfA2ixrMA0GCSqGSIb3DQEB ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDgzCCAmugAwIBAgIJAM85CGdoWoIeMA0GCSqGSIb3DQEBCwUAMDoxDDAKBgNV ... -----END CERTIFICATE-----
IDENTITY file contents
jenkins@936ec69a14e6:/demo$ cat /etc/conjur.identity
machine https://conjur_master/api/authn login host/jenkins/master password 1gshgcc423yqs10cw3mj2pkp98d2qjnx0e1ejm43e1jpdd4y16tfeh4
LOGIN as host
jenkins@936ec69a14e6:/demo$ conjur authn login -u host/jenkins/master \
IDENTITY is functional
jenkins@936ec69a14e6:/demo$ conjur variable list -i
[ "dev:variable:secrets/db_password", "dev:variable:secrets/db_username" ]
NO AUTHN environment variables
jjenkins@936ec69a14e6:/demo$ env | grep CONJUR
CONJUR_MAJOR_VERSION=4
NO .netrc file
jenkins@936ec69a14e6:/demo$ rm ~/.netrc
NOT logged in
jenkins@936ec69a14e6:/demo$ conjur authn whoami
error: Not logged in.
summon-conjur ignores /etc/conjur* files
jenkins@936ec69a14e6:/demo$ summon -e prod ./secrets_echo.sh
Error fetching variable DB_UNAME: exit status 1: Environment variables and machine identity files satisfying at least one authentication strategy must be present!
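The lookup described in the replies, as an added example (not code from conjur-api-go or summon-conjur): a simplified model of a client that reads a machine identity only from the netrc_path named in conjur.conf, run against constructed copies of the files above. The function names, the in-memory file map, and the rule that the netrc machine is appliance_url plus /authn (taken from the sample files in this thread) are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed inputs modelled on the thread's files; the API key is a placeholder.
const sampleConf = "appliance_url: https://conjur_master/api\naccount: dev\n"
const sampleIdentity = "machine https://conjur_master/api/authn login host/jenkins/master password <placeholder>\n"

// confValue returns the value of a top-level key in a conjur.conf body, or "".
func confValue(conf, key string) string {
	for _, line := range strings.Split(conf, "\n") {
		if k, v, ok := strings.Cut(line, ":"); ok && strings.Trim(strings.TrimSpace(k), `"`) == key {
			return strings.Trim(strings.TrimSpace(v), `",`)
		}
	}
	return ""
}

// netrcLogin returns the login recorded for machine in a netrc body.
func netrcLogin(netrc, machine string) (string, bool) {
	f := strings.Fields(netrc)
	for i := 0; i+3 < len(f); i++ {
		if f[i] == "machine" && f[i+1] == machine && f[i+2] == "login" {
			return f[i+3], true
		}
	}
	return "", false
}

// diagnose models a netrc_path-only client; files (path -> contents) is a hypothetical filesystem.
func diagnose(conf string, files map[string]string) string {
	path := confValue(conf, "netrc_path")
	if path == "" {
		return "no netrc_path in conjur.conf: identity file is never consulted"
	}
	machine := confValue(conf, "appliance_url") + "/authn" // assumed from the thread's files
	if login, ok := netrcLogin(files[path], machine); ok {
		return "identity found for " + login
	}
	return "netrc_path is set but has no entry for " + machine
}

func main() {
	files := map[string]string{"/etc/conjur.identity": sampleIdentity}
	fmt.Println(diagnose(sampleConf, files))
	fmt.Println(diagnose(sampleConf+`"netrc_path": "/etc/conjur.identity"`+"\n", files))
}
```

The first call reproduces the failure in the report (identity file present but never consulted); the second shows the same files resolving once the netrc_path entry is in conjur.conf.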