Enable Authenticators for Applications

The following topic describes how to enable authenticators for application deployment.


Define and upload the following policies:

Initialize the CA

The DAP uses policy to allowlist the applications that have access to the Kubernetes authenticator and store the values necessary to create client certificates for mutual TLS. The authenticator service policy should include: declares variables to hold a CA certificate and key. After loading the policy, run the following commands to initialize those resources.

To initialize the CA, run the following script:

set -e

# Generate OpenSSL private key
openssl genrsa -out ca.key 2048

[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always

# Generate root CA certificate
openssl req -x509 -new -nodes -key ca.key -sha1 -days 3650 -set_serial 0x0 -out ca.cert \
  -subj "/CN=conjur.authn-k8s.$AUTHENTICATOR_ID/OU=Conjur Kubernetes CA/O=$CONJUR_ACCOUNT" \
  -config <(echo "$CONFIG")

# Verify cert
openssl x509 -in ca.cert -text -noout

# Load variable values
conjur variable values add conjur/authn-k8s/$AUTHENTICATOR_ID/ca/key "$(cat ca.key)"
conjur variable values add conjur/authn-k8s/$AUTHENTICATOR_ID/ca/cert "$(cat ca.cert)"

These commands create a private key and root certificate and store contents of those files in the variables conjur/authn-k8s/<AUTHENTICATOR_ID>/ca/key and conjur/authn-k8s/<AUTHENTICATOR_ID>/ca/cert.

Login or auth calls to the webservice will fail if these resources are not properly defined in policy and initialized.

Configure Conjur authenticators


The deployment scripts for DAP already performed this step using the value you set in the SERVICE_ID environment variable. You need to be aware of this step to add additional application clusters or additional authenticator types.

The CONJUR_AUTHENTICATORS environment variable in the DAP deployment YAML file defines the authentication types used to authenticate with the DAP cluster.


This variable is set on followers.

To enable Kubernetes authentication, use:


where AUTHENTICATOR_ID is the id assigned to the authn-k8s webservice in DAP policy. It is important that the AUTHENTICATOR_ID used here match the webservice id declared in the Kubernetes policy.

For example, in this snippet from the Conjur webservice policy, a policy branch named conjur declares the authn-k8s service with the authenticator_id of prod:

- !policy
  id: conjur/authn-k8s/prod

The authentication value is:


One authn-k8s service can serve multiple application authenticator ids. Additional DAP policy for hosts and applications will control which namespaces get access to DAP and which applications get access to specific secrets. There should be a separate authn-k8s policy (and corresponding authenticator id) for each or Kubernetes cluster.

CONJUR_AUTHENTICATORS can include more than one authenticator and more than one authentication type as a comma-separated list. For example, the following shows two authn-k8s services and another unrelated authenticator:


To disable an authenticator, remove it from the list.