Lesson 6: Grant the workload permissions on secrets
In this lesson, you will learn how to grant your workload read and execute permissions on secrets.
In Conjur Cloud, you define security rules in declarative files, called policies. These security rules describe which users and services have privileges to manage or fetch secrets such as passwords and API keys.
When a Safe syncs from Privilege Cloud to Conjur Cloud, the policy tree structure for the Safe contains a delegation policy and a consumers group:
|
Delegation policy |
Manages permissions on Conjur Cloud users, groups, hosts, and layers:
|
|
Consumers group |
Has read and execute permissions, allowing all group members to fetch all of the Safe's secrets:
|
This task assumes you are logged in to the Conjur Cloud CLI as a Conjur Cloud admin user, and that you have completed:
-
Copy the following policy into a text editor:
- !grant role: !group delegation/consumers member: !host /data/myappThis policy adds your host, myapp, as a member of the Safe's consumers group, which grants the host read and execute permissions on all secrets in the policy branch where you load this policy.
Save the file as grant_permissions.yml.
-
Load the policy to data/vault/secrets-safe:
$
conjur policy load -b data/vault/secrets-safe -f grant_permissions.ymlThe host, myapp, now has permissions on all secrets in secrets-safe.
