Lesson 4: Sync Privilege Cloud Safe to Conjur
In this lesson, you will learn how to sync a Privilege Cloud Safe that contains your secrets to Conjur Cloud.
To perform the steps described in this lesson, you must have permissions to add Safes and accounts in Privilege Cloud.
How it works
When a Safe is synced, each account in that Safe is represented in Conjur by a set of secrets (variables): one secret for the account password and one secret for each of the other account properties.
Let's say, for example, that your account is called mysecret, and the account contains username, password, and address properties. In this case, when the Safe syncs to Conjur Cloud, three secrets are created in Conjur Cloud, one for each of the properties.
Sync a Safe to Conjur Cloud
Let's create a Safe in Privilege Cloud and sync it to Conjur Cloud.
Step 1: Create a Safe in Privilege Cloud and sync it to Conjur Cloud
- Log in to the Privilege Cloud portal.
- Add a Safe with a name of your choice, for example, secrets-safe. For details, see Add a Safe.
- Add the Conjur Sync user to the list of members of your Safe. For details, see Add Safe members.
  If you don't see the Conjur Sync user in the users list, make sure Show system component users is turned on.
- Grant the user the following permissions:

  | Role     | Permissions                                   |
  |----------|-----------------------------------------------|
  | Access   | Use accounts, Retrieve accounts, List accounts |
  | Workflow | Access Safe without confirmation              |
Step 2: Create an account in the Safe for your secret
In the Privilege Cloud portal:
- Create a new account, for example, mysecret, with username, password, and address properties.
- Place the account in the secrets-safe Safe that you created earlier. For details on adding accounts to Safes, see Add accounts.
When the Safe syncs with Conjur Cloud, corresponding variables, or secrets, are created in Conjur Cloud for each account property.
Conjur Cloud secrets are named using the following format:
/data/vault/<safe name>/<account name>/<property name>
So the following secrets are created in Conjur Cloud when secrets-safe syncs to Conjur Cloud:
- /data/vault/secrets-safe/mysecret/password
- /data/vault/secrets-safe/mysecret/username
- /data/vault/secrets-safe/mysecret/address

It might take a few minutes to sync the account to Conjur Cloud.
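To check whether a sync has finished, the Python below builds the secret names that the format above predicts and compares them with a listing of the secrets visible in Conjur Cloud. It is an added example, not part of the CyberArk documentation. The function names and the sample listing are constructed, the listing is assumed to be obtained separately, and accepting names without a leading slash or rejecting components that contain "/" are assumptions.

```python
# Added example: function names and sample data are constructed for illustration.
PREFIX = "data/vault"  # from the page's format /data/vault/<safe>/<account>/<property>


def expected_ids(safe, account, properties):
    """Build the Conjur Cloud secret names the page's format predicts."""
    for part in (safe, account, *properties):
        if not part or "/" in part:  # assumption: components never contain '/'
            raise ValueError(f"bad name component: {part!r}")
    return {f"/{PREFIX}/{safe}/{account}/{prop}" for prop in properties}


def parse_id(secret_id):
    """Split a synced secret name into (safe, account, property), else None."""
    parts = secret_id.strip("/").split("/")
    if len(parts) != 5 or parts[:2] != PREFIX.split("/") or not all(parts):
        return None
    return tuple(parts[2:])


def _fmt(triple):
    """Render a (safe, account, property) triple in the page's format."""
    return "/" + "/".join((PREFIX, *triple))


def audit_sync(safe, account, properties, listed_ids):
    """Return (missing, unexpected) secret names for one account.

    missing: predicted names absent from the listing (sync not finished, or
    the Conjur Sync user lacks the Safe permissions from Step 1).
    unexpected: names listed under the same safe/account but not predicted.
    """
    want = {parse_id(i) for i in expected_ids(safe, account, properties)}
    have = {p for p in map(parse_id, listed_ids) if p and p[:2] == (safe, account)}
    return sorted(map(_fmt, want - have)), sorted(map(_fmt, have - want))


# Constructed listing: a sync still in progress, plus an unrelated Safe.
SAMPLE_LISTING = [
    "data/vault/secrets-safe/mysecret/password",  # leading slash omitted
    "/data/vault/secrets-safe/mysecret/username",
    "/data/vault/other-safe/db/password",
]

if __name__ == "__main__":
    missing, unexpected = audit_sync(
        "secrets-safe", "mysecret", ["username", "password", "address"], SAMPLE_LISTING)
    print("missing:", missing)
    print("unexpected:", unexpected)
```

An empty missing list means every property of the account has a corresponding secret. A non-empty unexpected list points to a property on the account that was not accounted for.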