Lesson 7: Authenticate your workload

All workloads that need to access Conjur Cloud require authentication, whether the workload is attempting to access Conjur Cloud using a CLI request or automated requests from hosts using the REST API.

In this lesson, you will learn about:

  • The authentication flow

  • How to set up your workload send an authenticate request to Conjur Cloud using Conjur Cloud's Default Authenticator, and receive a Conjur Cloud access token

Authentication flow

Authentication to Conjur Cloud is based on a workload's identifying parameters, that is, credentials or underlying workload parameters and Conjur Cloud's ephemeral (short-lived) access tokens.

After the host presents its identifying parameters, a Conjur Cloud access token is returned in response. This access token is required for all subsequent API requests.

Conjur Cloud access tokens are cryptographically signed (RSA 2048) and expire after eight minutes.

Successful access to Conjur Cloud involves the following steps:

  1. The workload presents credentials (workload identity (host id) and API key) to prove identity.

    In ephemeral workload environments, the Conjur Host Factory service can auto-generate these credentials.

  2. If Conjur Cloud verifies the credentials, it returns a short-lived access token.

  3. The workload presents the unexpired access token along with each request to access Conjur Cloud. A cached login simplifies this step in the background for CLI access. For API access, when the token expires, the workload must re-authenticate to get a new token.

    A request must comply with Conjur RBAC authorization rules as recorded in policy. Access privileges to specific resources (secrets, for example) are granted using permit statements in policy.

For more information about Conjur Cloud authentication and supported Conjur authenticators, see Authenticate workloads.

Authenticate using authn

In this lesson you will use Conjur Cloud's Default Authenticator to authenticate your workload, myapp, to Conjur Cloud using a RESTful request, and receive an access token.

The Default Authenticator uses the API key that you received when you created the myapp workload identity (host) in a previous lesson

To authenticate your workload to Conjur Cloud, run the following command, replacing demo-subdomain with your tenant's name:

curl --header "Accept-Encoding: base64" --data apiKeyGoesHere https://demo-subdomain.secretsmgr.cyberark.cloud/api/authn/conjur/host%2Fdata%2Fmyapp/authenticate

An access token is returned.

The access token is valid for only 8 minutes, so make sure to perform the next step, Lesson 8: Fetch a secret, within 8 minutes from receiving the token.

For more information about authenticating using the Default Authenticator, authn, see: