Secrets in Conjur Enterprise
Conjur Enterprise provides encrypted, access controlled, and audited management of infrastructure secrets such as database passwords, SSL certificates and keys, SSH keys, and cloud credentials.
Each secret is stored on the Conjur server in a record called a variable. Each variable carries two permission lists:
- fetchers: roles which can fetch the secret
- updaters: roles which can modify the secret
Each time a secret is fetched or updated, a Conjur audit record is written, which includes the following information (and more):
- The client (user or host) identity
- The id of the secret
- The requested action (fetch or update)
- Whether the action was permitted or not
The best way to provide secrets to deployed applications and services is by placing them into the process environment. Secrets are fetched at runtime and injected as environment variables into the process' environment. When the process exits, the secrets are not left on the system. Two caveats apply: environment variables are inherited by every child the process spawns, and on Linux any process running as the same user can read them from /proc/<pid>/environ, so keep the process tree that receives the secrets as small as possible and do not log or dump the environment.
To facilitate this workflow, we have provided secrets.yml, an open standard for tracking secrets in source control. This standard maps environment variable names to the paths secrets can be retrieved from. An example:

AWS_ACCESS_KEY_ID: !var aws/$environment/iam/user/robot/access_key_id
AWS_SECRET_ACCESS_KEY: !var aws/$environment/iam/user/robot/secret_access_key
AWS_REGION: us-east-1
SSL_CERT: !var:file ssl/certs/private
You can then use Summon to read secrets.yml files and provide secrets to any tooling that accepts environment variables. Summon supports pluggable secrets providers; Conjur is one.

summon -f secrets.yml chef-client --once
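To make the variable permission model, the audit record and the secrets.yml-to-environment flow above concrete, here is an added example in Python. It is not Conjur's or Summon's code: it contains a toy in-memory stand-in for the Conjur server (fetchers/updaters checks plus an audit list with the fields listed above), a deliberately minimal parser for the flat secrets.yml entries shown on this page (only `!var`, `!var:file`, literal values and `$name` substitution; a real secrets.yml is YAML and Summon handles more than this), and a runner that injects the resolved values into a child process's environment only. The role names (`host:deploy/web`, `user:alice`), secret ids and secret values are constructed for the example.

```python
import os
import subprocess
import tempfile
from typing import Callable, Dict, List, Optional, Tuple


class Variable:
    """Toy Conjur variable: the secret value plus the roles allowed to fetch or update it."""

    def __init__(self, fetchers: set, updaters: set, value: Optional[str] = None):
        self.fetchers, self.updaters, self.value = fetchers, updaters, value


class ToyConjur:
    """In-memory stand-in for the Conjur server (constructed for this example, not Conjur's API)."""

    def __init__(self, variables: Dict[str, Variable]):
        self.variables = variables
        self.audit: List[dict] = []  # one record per fetch/update attempt, permitted or not

    def _authorize(self, client: str, secret_id: str, action: str) -> Variable:
        var = self.variables.get(secret_id)
        roles = (var.fetchers if action == "fetch" else var.updaters) if var else set()
        permitted = client in roles
        # Audit before deciding, so denied attempts are recorded too.
        self.audit.append({"client": client, "secret": secret_id,
                           "action": action, "permitted": permitted})
        if not permitted:
            raise PermissionError(f"{client} may not {action} {secret_id}")
        return var

    def fetch(self, client: str, secret_id: str) -> str:
        return self._authorize(client, secret_id, "fetch").value

    def update(self, client: str, secret_id: str, value: str) -> None:
        self._authorize(client, secret_id, "update").value = value


def parse_secrets_yml(text: str, substitutions: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Parse flat 'NAME: spec' lines into (name, kind, spec) with kind in var|file|literal.

    Simplified: real secrets.yml is YAML; only the forms shown on this page are handled.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, _, spec = line.partition(":")
        spec = spec.strip()
        for placeholder, value in substitutions.items():  # e.g. $environment -> production
            spec = spec.replace(placeholder, value)
        if spec.startswith("!var:file "):
            entries.append((name.strip(), "file", spec[len("!var:file "):].strip()))
        elif spec.startswith("!var "):
            entries.append((name.strip(), "var", spec[len("!var "):].strip()))
        else:
            entries.append((name.strip(), "literal", spec))
    return entries


def resolve(entries, fetch: Callable[[str], str], tmpdir: Optional[str] = None) -> Dict[str, str]:
    """Turn parsed entries into an environment dict; !var:file secrets go to a 0600 temp file."""
    env: Dict[str, str] = {}
    for name, kind, spec in entries:
        if kind == "literal":
            env[name] = spec
            continue
        secret = fetch(spec)
        if kind == "var":
            env[name] = secret
        else:
            fd, path = tempfile.mkstemp(dir=tmpdir)  # mkstemp creates the file mode 0600
            with os.fdopen(fd, "w") as handle:
                handle.write(secret)
            env[name] = path
    return env


def run_with_secrets(argv: List[str], extra_env: Dict[str, str]) -> subprocess.CompletedProcess:
    """Run argv with the secrets present only in the child's environment."""
    return subprocess.run(argv, env={**os.environ, **extra_env},
                          capture_output=True, text=True, check=False)


# Constructed sample data: the secrets.yml from this page and a toy server holding its secrets.
SECRETS_YML = """\
AWS_ACCESS_KEY_ID: !var aws/$environment/iam/user/robot/access_key_id
AWS_SECRET_ACCESS_KEY: !var aws/$environment/iam/user/robot/secret_access_key
AWS_REGION: us-east-1
SSL_CERT: !var:file ssl/certs/private
"""
FETCHERS, UPDATERS = {"host:deploy/web"}, {"user:alice"}
SERVER = ToyConjur({
    "aws/production/iam/user/robot/access_key_id": Variable(FETCHERS, UPDATERS, "constructed-access-key-id"),
    "aws/production/iam/user/robot/secret_access_key": Variable(FETCHERS, UPDATERS, "constructed-secret-key"),
    "ssl/certs/private": Variable(FETCHERS, UPDATERS, "constructed-private-key-pem"),
})


def provision(client: str, environment: str, tmpdir: Optional[str] = None) -> Dict[str, str]:
    """What 'summon -D $environment=<env> -f secrets.yml' does in spirit, against the toy server."""
    entries = parse_secrets_yml(SECRETS_YML, {"$environment": environment})
    return resolve(entries, lambda secret_id: SERVER.fetch(client, secret_id), tmpdir)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        env = provision("host:deploy/web", "production", tmp)
        print(run_with_secrets(["sh", "-c", 'echo "region=$AWS_REGION cert=$SSL_CERT"'], env).stdout)
    SERVER.update("user:alice", "ssl/certs/private", "rotated-pem")  # updater may rotate
    try:
        SERVER.fetch("host:other", "ssl/certs/private")  # not a fetcher: denied and audited
    except PermissionError as exc:
        print(exc)
    for record in SERVER.audit:
        print(record)
```

The audit list shows why the record carries the permitted flag: a denied fetch by a host that is not in the variable's fetchers is as interesting to an investigator as a successful one, and both land in the same log.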