NOTE: "IT Toolshed" is intended as a front-end for DEMO purposes only.
This repo contains example code as a guide to help with the following scenarios.
- Automating the storage of credentials after a provisioning event. E.g. automating saving of EC2 credentials into PAS Vault after the EC2 instance has been provisioned.
- How to setup Conjur to connect without hard coding credentials in a config file. E.g. Using the Conjur AWS authenticator to fetch credentials from Conjur without storing Conjur user's credentials, rather, this setup will use an AWS Role that Conjur is configured to recognize when a client is authenticating.
To use this solution accelerator, you will need:
- An AWS account
- AWS User -- used for provisioning an EC2 instance
- AWS Role -- used for Conjur AWS Authenticator
- CyberArk PAS Vault created and ready to go
- Safe to store provisioner credentials
- Safe to store the newly created credentials
- CyberArk Conjur Cloud account
- PAS Vault sync enabled
- AWS Authenticator configured and enabled
- Access to a Demo Host -- Optimal demo experience, run this from an EC2 instance
- GO lang compiler, v1.21
- GNU Make, v3.81
- AWS User with permissions to Create Tags, Create Key Pairs, and Create EC2 instances.
- Create AWS Key and Secret credentials to be used for the "Provisioning" of resources. E.g. these creds will be used to provision a new keypair and new ec2 instance.
- Store these credentials in your PAS Vault, and ensure they are synchronized to Conjur.
- ARN for the AWS Role to assign to your EC2 demo host.
- Bind this role to the EC2 instance where you run this demo code from.
- OR
- IF running from NON EC2 host, like a linux or mac machine, then setup the AWS CLI to run as a user that can AssumeRole to the role created above.
- Create a safe for storing the Provider credentials. The AWS Key and Secret created above in step 1 should be stored here. These creds will be synchronized to Conjur and read from Conjur.
- Safe Name -- Create a safe for storing the new resource's account information. This safe will be where the new EC2 instance creds will be stored. Only the safe needs to be created, and the credentials to access the safe will be entered in the toolshed UI. This simulates the developer requesting the resource to be created, and then the developer enters their safe's credentials.
-
Create an AWS User with permissions associated to Conjur for "authn-iam" connector
- Create Access Key and Secret for this user
- Store these credentials in your PAS Vault safe
-
Install Conjur IAM Authenticator
- See the
./etcdirectory for example setup. - See the
load-policies.shscript for an example of how to load the policies. - Conjur CLI install instructions can be found on the CyberArk Conjur CLI page.
- (Optional)
./etc/iam-check.pyscript can help with troubleshooting the Conjur AWS Authenticator configuration.
- See the
-
Enable PAS Vault sync
IMPORTANT - Please read and configure the resources as specified in the Prerequisites section before proceding with the demo.
It is recommended to run this demo from an EC2 instance. This demo can be run from linux/mac machine with extra setup.
This section will describe the contents of the fields for each of the configuration files.
Copy the example config file, ./cmd/provengine/pasconfig-example.toml with name ./cmd/provengine/pasconfig.toml
Here is what the example looks like.
[pasvault]
# Cloud Identity Portal (ID Tenant where the user is managed)
idtenanturl = "https://IDENTITY_TENANT_ID.id.cyberark.cloud"
# Safe owner/user must enter PAS Vault user/pass in Toolshed UI
# Privilege Cloud (Where the Vault-safe is located)
pcloudurl = "https://example-demo-toolshed.privilegecloud.cyberark.cloud"
safename = "toolshed-safe1"| Field Name | Description | Required For Scenario 1 | Required For Scenario 2 |
|---|---|---|---|
| idtenanturl | Cloud Identity Portal (ID Tenant where the user is managed) | YES | YES |
| pcloudurl | This is the base url to your PAS instance; no trailing slash | YES | YES |
| safename | This is the name of the PAS Vault safe that you created as part of the pre-requisites. NOTE: This is where the NEW EC2 creds will be stored. | YES | YES |
Copy the example config file, ./cmd/provengine/awsconfig-example.toml with name ./cmd/provengine/awsconfig.toml
NOTE: For "Scenario 1" -- Fill out all of these fields, and leave Conjur config file empty.
NOTE: For "Scenario 2" -- ONLY fill out the region field, and completely fill out the conjur config.
Here is what the example looks like.
[awsprovider]
# REQUIRED
# Set this to your Target Region where you will provision your EC2 instance
region = "us-west-2"
# FOR Demo "Scenario 1 - Hard Code Credentials"
# -- Fill-in the AWS Key/Secret fields here
#
# FOR Demo "Scenario 2 - Conjur AWS Authenticator"
# -- Leave these fields empty strings
# (in other words, leave these empty if using Conjur to fetch
# the AWS Provider creds)
# For more details, see README.md: "-Required- AWS Account And Demo Host Setup"
accesskey = ""
accesssecret = ""| Field Name | Description | Required For Scenario 1 | Required For Scenario 2 |
|---|---|---|---|
| region | AWS Region where the NEW EC2 instance will be provisioned | YES | YES |
| accesskey | AWS User's access key | YES | NO (Keep empty) |
| accesssecret | AWS User's access secret | YES | NO (Keep empty) |
Copy the example config file, ./cmd/provengine/conjurconfig-example.toml with name ./cmd/provengine/conjurconfig.toml
NOTE: For "Scenario 1" -- Leave Conjur config file empty.
NOTE: For "Scenario 2" -- Completely fill out the Conjur config file.
Here is what the example looks like.
[conjur]
apiurl = "https://conjurserver.example.com/api"
account = "conjur"
# Conjur Cloud -- Resources -> Workloads (or Host) ID
# Find the workload (or host) ID for your resource.
# Prepend the string literal "host/" to form the identity.
#
# Example: For host/workload ID "data/toolshed/12345678/toolshed"
# The identity value will be "host/data/toolshed/12345678/toolshed"
identity = ""
# Identifier for the Conjur AWS authenticator that is setup for this demo
authenticator = "authn-iam/APPNAME"
# Conjur Region -- used for authn-iam (Region where Conjur is running)
awsregion = "us-east-1"
# AWS key/secret used to authenticate to Conjur for authn-iam
#
# If running this demo from an EC2 instance, the role assigned
# to the EC2 instance will be used.
# OR
# If running from linux/mac, then the credentials from your
# AWS User should be placed here. This user will need permissions
# to assume the role in the `assumerolearn` setting.
awsaccesskey = ""
awsaccesssecret = ""
# REQUIRED: Assume role arn is the role that was used when setting up
# the Conjur AWS authenticator
awsassumerolearn = "arn:aws:iam::12345678:role/toolshed"
# Conjur path to AWS key/secret used to provision resources
awsprovideraccesskeypath = "data/vault/PATH/TO/THE/AWSProviderAccessKey"
awsprovideraccesssecretpath = "data/vault/PATH/TO/THE/AWSProviderAccessSecret"| Field Name | Description | Required For Scenario 1 | Required For Scenario 2 |
|---|---|---|---|
| apiurl | Conjur API endpoint | NO | YES |
| account | Conjur Account | NO | YES |
| identity | Conjur Identity associated to the user (footnote 1) | NO | YES |
| authenticator | Conjur Authenticator, prefix with "authn-iam/" and append the Authenticator "Service ID" (footnote 2) | NO | YES |
| awsregion | Conjur AWS Region -- which AWS region is running Conjur (this can be different from the provider AWS region) | NO | YES |
| awsaccesskey | AWS User's access key -- used to assumerole | NO | Only when running from a non EC2 host |
| awsaccesssecret | AWS User's access secret -- used to assumerole | NO | Only when running from a non EC2 host |
| awsprovideraccesskeypath | Conjur Resources, Secrets "ID" where the Provider AWS Access Key is stored (see footnote 3) | NO | YES |
| awsprovideraccesssecretpath | Conjur Resources, Secrets "ID" where the Provider AWS Access Secret is stored (see footnote 3) | NO | YES |
Provider credentials have permissions to create, modify and delete resources at the provider. For this demo, AWS is the provider. This scenario is used to contrast with Scenario 2 so that one can see the differences between the two.
This scenario demonstrates the separation of concerns by using 2 sets of AWS credentials, one set of credentials is used to authenticate to Conjur Cloud, and the other set of credentials is used to provision resources in AWS.
There are 2 apps that comprise this demo, the "ITSM App" and the "Provision Engine." The "ITSM App" provides an intake form for an application developer to make a request for a resource. The "Provision Engine" will accept the request, call the Provider to request resources to be created, and then store the new resource information in the PAS Vault safe.
Under cmd/toolshed is the app that provides a web server app to provide the intake form and forward the request to the provision engine.
Under cmd/provengine is the app that will either use the Provider creds from a file (Scenario 1), or, it will call on Conjur Cloud and fetch the provider credentials from there.
The following reference diagram illustrates a high-level process flow whereby a resource is requested, provisioned, and access details are returned to the requestor.
This diagram illustrates how the toolshed app and the provengine app work together.
Copyright (c) 2023 CyberArk Software Ltd. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
For the full license text see LICENSE.
We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our contributing guide.
