Friday, August 5, 2022

CyberArk Conjur , authenticators and integrations

During the past few weeks, I have described what a secrets manager is and I have given an overview of the architecture and system requirements of CyberArk Conjur. 

A secrets manager can't do his job if he can't talk to those who need to ask him for secrets, and that's where Conjur's magic comes in!

The "authenticators" are responsible of the authentication process in Conjur and they are specialised to make it in the most secure way depending on the service. 

Here is the list of the authenticators currently supported :

authnDefines the Conjur default authenticator. Authentication for both users and hosts is based on an ID and API key. 
authn-oidcLeverages the identity layer provided by OIDC to allow applications to authenticate with Conjur and retrieve secrets needed for connecting to services such as a database.
authn-iamEnables an AWS resource to use its AWS IAM role to authenticate with Conjur.


Enables an Azure resource to authenticate with Conjur


Enables an application to authenticate to Conjur using a JWT from a JWT Provider.


Enables a Google Cloud Platform resource to authenticate with Conjur

authn-k8sAuthenticates hosts that are Kubernetes resources, such as a Kubernetes namespace, deployment, stateful set, and others. Authentication is certificate-based using a mutual TLS connection.
authn-ldapAuthenticates users based on an LDAP directory.

By default, after the initial setup, authn is the only authenticator enabled and it's responsible of the Conjur access with username or API key (randomly generated between 51 and 56 characters). 

When integrations are needed, for example with a Kubernetes cluster, you need to activate and configurate the authn-k8s authenticator
This authenticator can establish a secure mTLS connection compliant with Spiffie framework, as described in the following diagram (click here for more details): 

If  you need integrations with cloud identities supporting JWT authentications, like Google Apigee, you will enable the authn-jwt authenticator that will perform the integrations as below:

These were just two examples within the multiple possible secure integration allowed by the authenticators, the following is more complete list:
  • Kubernetes (locali o cloud) 
  • API gateway
  • Jenkins
  • Ansible
  • Puppet
  • Terraform
  • Cloud services
If the scenario described sound interesting for your needs, Conjur can definitely be the right choice, so contact your sales representative at CyberArk or your preferred CyberArk business partner..

No comments:

Post a Comment