Configure CyberArk Secrets Manager (Conjur) as a vault backend

Uses: Kong Gateway deck

Incompatible with

konnect

Prerequisites

Kong Gateway running

This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.

Export your license to an environment variable:

 export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'

Copied!

Run the quickstart script:

curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA

Copied!

Once Kong Gateway is ready, you will see the following message:

 Kong Gateway Ready

decK v1.43+

decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial, install decK version 1.43 or later.

This guide uses deck gateway apply, which directly applies entity configuration to your Gateway instance. We recommend upgrading your decK installation to take advantage of this tool.

You can check your current decK version with deck version.

CyberArk Secrets Manager

To run this tutorial, you’ll need CyberArk Secrets Manager running with a secret stored.

If you don’t already have CyberArk Secrets Manager, you can follow the Docker quickstart guide to setup an OSS environment, define a policy, and store a secret.

If you’re running CyberArk Secrets Manager in Docker, change the proxy ports in docker-compose.yml to "9443:443". Make sure the Kong Gateway and CyberArk Secrets Manager containers are using the same Docker network. If they aren’t, you can run docker network connect kong-quickstart-net conjur_server to connect the CyberArk Secrets Manager compose stack to the Kong Gateway quickstart network.

Export the CyberArk Secrets Manager environment variables:

export DECK_CONJUR_ENDPOINT_URL="http://conjur_server:80"
export DECK_CONJUR_ACCOUNT="myConjurAccount"
export DECK_CONJUR_LOGIN="host/BotApp/myDemoApp"
export DECK_CONJUR_API_KEY="YOUR-API-KEY"

Copied!

These environment variables use values from the CyberArk Secrets Manager Docker quickstart. If you are running CyberArk Secrets Manager in a different environment, modify them as needed.

You can find your API key listed under myConjurAccount:host:BotApp/myDemoApp in the my_app_data file.

Create a Vault entity for CyberArk Secrets Manager Vault

Using decK, create a Vault entity with the required parameters for CyberArk Secrets Manager:

echo '
_format_version: "3.0"
vaults:
  - name: conjur
    description: Storing secrets in CyberArk Secrets Manager Vault
    prefix: conjur-vault
    config:
      endpoint_url: "${{ env "DECK_CONJUR_ENDPOINT_URL" }}"
      account: "${{ env "DECK_CONJUR_ACCOUNT" }}"
      login: "${{ env "DECK_CONJUR_LOGIN" }}"
      auth_method: api_key
      api_key: "${{ env "DECK_CONJUR_API_KEY" }}"
' | deck gateway apply -

Copied!

Validate

To validate that the secret was stored correctly in CyberArk Secrets Manager, you can call a secret from your vault using the kong vault get command within the Data Plane container:

docker exec kong-quickstart-gateway kong vault get {vault://conjur-vault/BotApp%2FsecretVar}

Copied!

This assumes your secret was stored in BotApp/secretVar in CyberArk Secrets Manager.

If the Vault was configured correctly, this command should return the value of the secret. You can use {vault://my-conjur/BotApp%2FsecretVar} to reference the secret in any referenceable field.

For more information about supported secret types, see What can be stored as a secret.

Cleanup

Clean up CyberArk Secrets Manager

If you’re using the CyberArk Secrets Manager Docker quickstart, you can clean up CyberArk Secrets Manager by deleting the conjur-quickstart Docker compose stack.

Destroy the Kong Gateway container

curl -Ls https://get.konghq.com/quickstart | bash -s -- -d

Copied!

FAQs

How do I rotate my secrets in CyberArk Secrets Manager and how does Kong Gateway pick up the new secret values?

You can rotate your secret in CyberArk Secrets Manager by creating a new secret version with the updated value. You’ll also want to configure the ttl settings in your Kong Gateway Vault entity so that Kong Gateway pulls the rotated secret periodically.

How are CyberArk Secrets Manager secrets referenced by Kong Gateway?

Because CyberArk Secrets Manager secrets are organized under policies, when referencing secrets defined in a non-root policy, you must encode the / in the secret reference. For example: {vault://conjur-vault/BotApp%2FsecretVar} is correct, {vault://conjur-vault/BotApp/secretVar} is incorrect.

Can users and hosts be used to authenticate CyberArk Secrets Manager Vaults?

Yes. If you were authenticating the Dave user, you’d configure "login": "Dave@BotApp" along with the API key for Dave. If you were authenticating the host, you’d use "login": "host/BotApp/myDemoApp" along with the host API key.

Can I configure Vault in a different way without using the Vault entity directly?

Yes, you can also configure a Vault in one of the following ways:

Using environment variables, set at Kong Gateway startup
Using parameters in kong.conf, set at Kong Gateway startup

See the Vault reference for your provider for the available parameters and their format in each method.

Next Steps

Review the Vaults entity

What can be stored as a secret?

Configure CyberArk Secrets Manager (Conjur) as a vault backend

Prerequisites

Kong Gateway running

decK v1.43+

CyberArk Secrets Manager

Create a Vault entity for CyberArk Secrets Manager Vault

Validate

Cleanup

Clean up CyberArk Secrets Manager

Destroy the Kong Gateway container

FAQs

Next Steps

Help us make these docs great!

Still need help?