Manage Conjur configuration

A configuration file is available that allows you to configure select Conjur features. Once defined, settings can be applied across single or multiple nodes, simplifying initial configuration, reducing the opportunity for errors, and allowing for updates to configuration settings as needed.

We recommend maintaining this file outside of your Docker container, so it can be more easily managed on each Conjur node. This avoids the need to modify configuration inside the Conjur container itself and also simplifies upgrades.

The configuration file can be shared across Conjur nodes by storing it in a central repository, such as GitHub, and distributing it via automated configuration management tools, such as Ansible. This allows you to feed configuration as part of your automation pipeline.

Supported configurations

The following features can be configured using the conjur.yml file:

Feature                    | Description                                                                 | For more information, see
---------------------------|-----------------------------------------------------------------------------|--------------------------
Allowlist authenticators   | Create a list of allowed authenticators.                                    | Configure authentication
Configure trusted proxies  | Configure trusted proxies by adding a list of proxies and IPs/subnet masks. | Configure trusted proxies

Support for additional features will be added in future releases.

Configuration overview

This section provides an overview of the configuration file and describes how to implement Conjur configuration into your environment.

Configuration file location

When running evoke configure <role> inside a Conjur node container, a configuration file named conjur.yml is created if one doesn't already exist. It can be found in the /etc/conjur/config directory inside the container. The file is empty and ready for you to add configuration settings. Before using the configuration file, make sure to follow the recommendations in Prepare Conjur environment for Docker or Podman deployment.

Add configuration settings to the file

The next step is to add system configuration to the file. The following sample conjur.yml:

  • Allowlists three authn-k8s authenticators and the default Conjur authenticator

  • Defines three trusted proxies


# List of authenticators enabled for this node
authenticators:
  - authn-k8s/cluster1
  - authn-k8s/cluster2
  - authn-k8s/cluster3
  - authn
# Proxies and IPs/subnet masks trusted by this node
trusted_proxies:
  - 192.0.2.1
  - 192.0.2.2
  - 192.0.2.3

If a setting is defined more than once in the same configuration file, only the final instance of that setting is regarded; earlier settings and their values are disregarded.

In the following example, only 127.0.0.1 is regarded as a trusted proxy:

trusted_proxies:
  - 172.31.79.43/32
  - 127.0.0.1

trusted_proxies: [127.0.0.1]
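Because a repeated key silently discards the earlier definition, it is worth linting a conjur.yml before handing it to evoke configuration apply. The following pre-flight check is an added example written for this page; it is not part of the Conjur documentation or product. It parses only the flat YAML subset shown above (top-level keys with block or inline lists, plus comments), reports keys defined more than once along with the definition that will actually win, flags keys other than the two this page documents, validates each trusted proxy as an IP or CIDR, and checks authenticator IDs against the assumed shape authn or authn-<type>/<service-id> generalised from the sample values. The sample file embedded in it is constructed from the two examples on this page.

```python
"""Pre-flight lint for a conjur.yml before running evoke configuration apply.

Added example; not part of the Conjur documentation or the Conjur product.
Only the flat YAML subset shown on this page is handled (top-level keys whose
values are block lists or inline [a, b] lists, plus # comments). The
"last definition wins" rule and the two supported keys come from the page;
the authenticator ID shape (authn or authn-<type>/<service-id>) is assumed
from the sample values.
"""
import ipaddress
import re

# Keys this page documents as configurable via conjur.yml.
SUPPORTED_KEYS = {"authenticators", "trusted_proxies"}

# Assumed shape of an authenticator ID, generalised from the page's samples.
AUTHN_ID = re.compile(r"^authn(-[a-z0-9]+/[\w.-]+)?$")

# Constructed sample combining both examples from the page: the first
# trusted_proxies block is silently disregarded in favour of the later one.
SAMPLE_CONJUR_YML = """\
# List of authenticators enabled for this node
authenticators:
  - authn-k8s/cluster1
  - authn-k8s/cluster2
  - authn
trusted_proxies:
  - 172.31.79.43/32
  - 127.0.0.1

trusted_proxies: [127.0.0.1]
"""


def parse_flat_yaml(text):
    """Return (settings, duplicates) for the flat subset.

    settings maps each key to its *last* definition, mirroring the documented
    behaviour; duplicates lists every key that was defined more than once so
    the operator can see which earlier definitions were dropped.
    """
    settings, duplicates, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments and trailing spaces
        if not line.strip():
            continue
        if line.startswith("  - "):            # block list item under current key
            if current is None:
                raise ValueError(f"list item outside a list: {raw!r}")
            settings[current].append(line[4:].strip())
            continue
        m = re.match(r"^([A-Za-z_][\w-]*):\s*(.*)$", line)
        if not m:
            raise ValueError(f"unsupported line: {raw!r}")
        key, rest = m.groups()
        if key in settings:
            duplicates.append(key)
        if rest == "":                          # block list follows
            settings[key], current = [], key
        elif rest.startswith("[") and rest.endswith("]"):   # inline list
            settings[key] = [v.strip() for v in rest[1:-1].split(",") if v.strip()]
            current = None
        else:
            raise ValueError(f"unsupported value for {key}: {rest!r}")
    return settings, duplicates


def lint(text):
    """Return a list of findings; an empty list means the file is safe to apply."""
    settings, duplicates = parse_flat_yaml(text)
    findings = []
    for key in duplicates:
        findings.append(f"{key}: defined more than once; only the last definition "
                        f"{settings[key]} is applied")
    for key in sorted(set(settings) - SUPPORTED_KEYS):
        findings.append(f"{key}: not a setting this release reads from conjur.yml")
    for proxy in settings.get("trusted_proxies", []):
        try:
            ipaddress.ip_network(proxy, strict=False)
        except ValueError:
            findings.append(f"trusted_proxies: {proxy!r} is not a valid IP or CIDR")
    for authn in settings.get("authenticators", []):
        if not AUTHN_ID.match(authn):
            findings.append(f"authenticators: {authn!r} is not of the form "
                            "authn or authn-<type>/<service-id>")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONJUR_YML) or ["no findings"]:
        print(finding)
```

Run against the constructed sample, the lint reports the duplicated trusted_proxies key and shows that only [127.0.0.1] survives, which is exactly the silent behaviour described above; a clean file produces no findings. Wiring this into the automation pipeline that distributes conjur.yml gives the file a gate before evoke configuration apply restarts services on each node.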

Apply configuration settings

The evoke commands, evoke configuration apply and evoke configuration show, are available to help manage settings in the conjur.yml file.

Command                   | Description
--------------------------|------------------------------------------------------------------------------
evoke configuration apply | Applies configuration settings. When initiated, Conjur reads all configuration sources and determines the settings to apply using a predetermined set of precedence rules. If successful, settings are applied and services restart.
evoke configuration show  | Lists configuration settings and values, including the source where the applied configuration originated.

Any incoming requests during the restart may experience some latency, but should not be dropped. Once the new configuration is applied, and services have restarted, an event is logged for informational purposes to the standard system logs. If there are errors, evoke terminates the command, issues an error code to the console, and displays the incorrect variable. The configuration of the target node is not updated and Conjur services continue to operate with the prior configuration.

Backwards compatibility

To maintain backwards compatibility, we continue to support the evoke proxy and evoke variable command sets.

You can continue to configure Conjur using existing environment variables and commands. However, note that Conjur reads all configuration sources (existing variables as well as settings in the conjur.yml file) and applies precedence rules to determine the settings to apply.

For more information on precedence rules, contact your CyberArk Professional Service representative.


The evoke proxy commands are deprecated and will be removed in a future release. If you use evoke proxy commands, you'll see a warning message on the console.