Secrets in Conjur Cloud

Conjur Cloud provides encrypted, access controlled, and audited management of infrastructure secrets such as database passwords, SSL certificates and keys, SSH keys, and cloud credentials.

Secrets and variables

Secrets are stored in Conjur Cloud in records called variables.

Secrets can be synced directly from Privilege Cloud, or can be created using the Conjur Cloud CLI or REST API.

Each variable has two access-control lists:

  List       Description
  fetchers   Roles that can fetch the secret
  updaters   Roles that can update the secret

Secrets from Privilege Cloud

Conjur Cloud integrates with Privilege Cloud to expand the Privileged Access Management solution to the secrets management space of modern and dynamic environments.

Secrets that are stored and managed in Privilege Cloud can be shared with Conjur Cloud and used, via its CLI, APIs, and client libraries, to enhance security and reduce risk in DevOps environments. Such environments include CI/CD pipelines, containerized applications, and cloud platforms.

The Conjur Cloud - Privilege Cloud integration provides Security, IT, and DevOps teams with a common platform to enforce privileged access security policies on all platforms - on-premises, cloud, and hybrid - to form a consistent, unified enterprise-wide privileged access security program.

The integration provides the following benefits:

  • CyberArk customers who store and manage their secrets in Privilege Cloud can benefit from Conjur Cloud's capabilities to provide secrets in dynamic and ephemeral environments and containers

  • Enables central policy enforcement for DevOps use cases, such as rotation and monitoring

Secrets in Privilege Cloud sync to Conjur Cloud as follows:
  1. Privilege Cloud is deployed with a built-in user, Conjur Sync. The Privilege Cloud admin adds the Conjur Sync user as a member of the specific Safes that contain secrets required in Conjur Cloud. This user facilitates the syncing of those Safes to Conjur Cloud.

  2. Using the Conjur Sync user, Conjur Cloud retrieves the accounts from the Safes it can access. A policy is then generated for these Safes that contain the secrets. The secrets are defined and loaded as variables in Conjur Cloud.

  3. The Conjur Cloud admin creates and loads policy that delegates permissions on the variables to users and hosts. For more information, see Grant permissions on secrets.

  4. Every minute, Conjur Cloud connects to Privilege Cloud to retrieve new accounts and Safes, as well as to update values of existing variables.

Ephemeral (dynamic) secrets

Ephemeral secrets are dynamic secrets that are created just-in-time (JIT), on-demand, and exist for a limited period of time. When an ephemeral secret's validity expires, the secret is deleted or becomes obsolete. Ephemeral secrets solve the following issues:

  • Rotation atomicity - Each consumer gets its own ephemeral secret. The secret expires after a certain time so that it doesn't remain valid in the system for long enough to require a rotation. This means that consumers of the secret won't ever use an incorrect version of the secret.

  • Attack surface reduction - Ephemeral secrets are valid for a short period of time and are removed when they are no longer needed. This greatly reduces the attack surface that attracts hackers.

Ephemeral secrets are issued in Conjur Cloud by a Conjur Cloud issuer. The issuer holds the data related to the target of ephemeral secrets. For example, to issue ephemeral secrets to a certain AWS account, you create an issuer that stores the AWS IAM user credentials.

For more information, see Ephemeral (dynamic) secrets.

How do workloads use Conjur Cloud secrets?

The best way to provide secrets to deployed applications and services is by placing them into the process environment. Secrets are fetched at runtime and injected as environment variables into a process's environment. When the process exits, the secrets are not left on the system.

To facilitate this workflow, we have provided the secrets.yml file, an open standard for tracking secrets in source control. This standard maps environment variable names to paths where secrets reside:

    AWS_ACCESS_KEY_ID: !var aws/$environment/iam/user/robot/access_key_id
    AWS_SECRET_ACCESS_KEY: !var aws/$environment/iam/user/robot/secret_access_key
    AWS_REGION: us-east-1
    SSL_CERT: !var:file ssl/certs/private
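The following Python script is an added example, not Summon's code and not the Conjur Cloud CLI or REST API. It shows how a secrets.yml like the one above is resolved into a child process's environment (a bare value is passed through as a literal, `!var` is fetched and injected, `!var:file` is written to a mode-0600 temporary file whose path is injected instead), and how the `fetchers` list on each variable gates every fetch. `FakeConjur`, the role names `host/robot`, `host/other-app` and `group/secrets-admins`, and all secret values are constructed stand-ins.

```python
# Added illustration, not Summon's or Conjur Cloud's own code: FakeConjur is a
# constructed in-memory stand-in for the backend, and all paths/values are samples.
import os
import re
import subprocess
import tempfile
from string import Template
from typing import Dict, List, Optional, Tuple


class AccessDenied(Exception):
    """Raised when the requesting role is not in the variable's fetchers list."""


class FakeConjur:
    """Constructed stand-in for a secrets backend (not the Conjur REST API)."""

    def __init__(self, variables: Dict[str, dict]):
        # variables[path] = {"value": str, "fetchers": [roles], "updaters": [roles]}
        self._vars = variables

    def fetch(self, role: str, path: str) -> str:
        var = self._vars.get(path)
        if var is None or role not in var["fetchers"]:
            raise AccessDenied(f"{role} may not fetch {path}")
        return var["value"]


# KEY: [!var|!var:file] value  (a value with no tag is a literal, e.g. AWS_REGION)
LINE_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(?:(!var(?::file)?)\s+)?(\S.*?)\s*$")


def parse_secrets_yml(text: str) -> List[Tuple[str, Optional[str], str]]:
    """Return (ENV_NAME, tag or None, argument) for each non-blank, non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable secrets.yml line: {raw!r}")
        entries.append(m.groups())
    return entries


def resolve(entries, backend: FakeConjur, role: str, substitutions: Dict[str, str],
            tmpdir: Optional[str] = None) -> Dict[str, str]:
    """Fetch every !var as `role`; a !var:file secret is written to a 0600 file instead."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    env: Dict[str, str] = {}
    for name, tag, arg in entries:
        if tag is None:
            env[name] = arg  # literal, passed through unchanged
            continue
        path = Template(arg).substitute(substitutions)  # e.g. $environment -> prod
        value = backend.fetch(role, path)  # raises AccessDenied for roles outside fetchers
        if tag == "!var:file":
            fd, fpath = tempfile.mkstemp(dir=tmpdir)  # mkstemp creates the file with mode 0600
            with os.fdopen(fd, "w") as f:
                f.write(value)
            env[name] = fpath  # the process sees a path, not the secret itself
        else:
            env[name] = value
    return env


def run_with_secrets(argv: List[str], secrets_yml: str, backend: FakeConjur,
                     role: str, substitutions: Dict[str, str]) -> int:
    """Run argv with the resolved secrets in its environment; file secrets vanish on exit."""
    with tempfile.TemporaryDirectory() as tmp:
        env = resolve(parse_secrets_yml(secrets_yml), backend, role, substitutions, tmp)
        return subprocess.run(argv, env={**os.environ, **env}, check=False).returncode


# Constructed sample data: the secrets.yml shown above plus a fake store whose
# variables allow host/robot to fetch and group/secrets-admins to update.
SECRETS_YML = """\
AWS_ACCESS_KEY_ID: !var aws/$environment/iam/user/robot/access_key_id
AWS_SECRET_ACCESS_KEY: !var aws/$environment/iam/user/robot/secret_access_key
AWS_REGION: us-east-1
SSL_CERT: !var:file ssl/certs/private
"""
STORE = FakeConjur({path: {"value": value, "fetchers": ["host/robot"],
                           "updaters": ["group/secrets-admins"]}
                    for path, value in [
                        ("aws/prod/iam/user/robot/access_key_id", "AKIA-CONSTRUCTED"),
                        ("aws/prod/iam/user/robot/secret_access_key", "constructed-secret-key"),
                        ("ssl/certs/private", "-----BEGIN CONSTRUCTED KEY-----")]})


def demo() -> dict:
    """Resolve as an allowed role, then show a role outside the fetchers list being refused."""
    entries = parse_secrets_yml(SECRETS_YML)
    env = resolve(entries, STORE, "host/robot", {"environment": "prod"})
    with open(env["SSL_CERT"]) as f:
        cert = f.read()
    try:
        resolve(entries, STORE, "host/other-app", {"environment": "prod"})
        denied = False
    except AccessDenied:
        denied = True
    return {"env": env, "cert": cert, "denied": denied}
```

`demo()` resolves the mapping as `host/robot` and then repeats the fetch as a role that is not in any variable's `fetchers` list, which is refused before any value leaves the store. `run_with_secrets` is the shape a launcher takes: the temporary directory holding the `!var:file` secret lives only as long as the child process, so nothing is left on disk once it exits, which is the property the paragraph above describes for environment-injected secrets.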

Rotating secrets

Secrets, like passwords, are always susceptible to attack, and the longer a secret remains unchanged, the more vulnerable it becomes. The way to mitigate any risk of compromise is to use a complex secret and to change it often.

Conjur Cloud leverages the Privilege Cloud solution to generate new random passwords and replace existing ones.