Lesson 6: Grant the workload permissions on secrets

In this lesson, you will learn how to grant your workload read and execute permissions on secrets.

In Conjur Cloud, you define security rules in declarative files, called policies. These security rules describe which users and services have privileges to manage or fetch secrets such as passwords and API keys.

When a Safe syncs from Privilege Cloud to Conjur Cloud, the policy tree structure for the Safe contains a delegation policy and a consumers group:

Delegation policy

Manages permissions on Conjur Cloud users, groups, hosts, and layers:


Consumers group

Has read and execute permissions, allowing all group members to fetch all of the Safe's secrets:


To grant permissions on secrets:

This task assumes you are logged in to the Conjur Cloud CLI as a Conjur Cloud admin user, and that you have completed:

  1. Copy the following policy into a text editor:

    - !grant
      role: !group delegation/consumers
      member: !host /data/myapp

    This policy adds your host, myapp, as a member of the Safe's consumers group, which grants the host read and execute permissions on all secrets in the policy branch where you load this policy.

    Save the file as grant_permissions.yml.

  2. Load the policy to data/vault/secrets-safe:

    $ conjur policy load -b data/vault/secrets-safe -f grant_permissions.yml

    The host, myapp, now has permissions on all secrets in secrets-safe.