Conjur provider for Summon.
Note: Use the summon-conjurcli provider if you are on Conjur v4.4.0 or earlier.
Note: You must set the environment variable CONJUR_MAJOR_VERSION=4 for this provider to work with Conjur v4.9.
Pre-built binaries and packages are available from GitHub releases here.
Using summon-conjur with Conjur OSS
Are you using this project with Conjur OSS? Then we strongly recommend choosing the version of this project to use from the latest Conjur OSS suite release. Conjur maintainers perform additional testing on the suite release versions to ensure compatibility. When possible, upgrade your Conjur version to match the latest suite release; when using integrations, choose the latest suite release that matches your Conjur version. For any questions, please contact us on Discourse.
brew tap cyberark/tools
brew install summon-conjur
Linux (Debian and Red Hat flavors)
deb and rpm files are attached to new releases. These can be installed with dpkg -i summon-conjur_*.deb and rpm -ivh summon-conjur_*.rpm, respectively.
Note: Check the release notes and select an appropriate release to ensure support for your version of Conjur.
Use the auto-install script. This will install the latest version of summon-conjur.
The script requires sudo to place summon-conjur in dir
curl -sSL https://raw.githubusercontent.com/cyberark/summon-conjur/master/install.sh | bash
Otherwise, download the latest release and extract it to the directory
Usage in isolation
Give summon-conjur a variable name and it will fetch it for you and print the value to stdout.
$ # export CONJUR_MAJOR_VERSION=4 for Conjur v4.9
$ summon-conjur prod/aws/iam/user/robot/access_key_id
8h9psadf89sdahfp98
Usage of summon-conjur:
  -h, --help      show help (default: false)
  -V, --version   show version (default: false)
  -v, --verbose   be verbose (default: false)
Usage as a provider for Summon
Summon is a command-line tool that reads a file in secrets.yml format and injects secrets as environment variables into any process. Once the process exits, the secrets are gone.
As an example let's use the
Following installation, define your keys in a
AWS_ACCESS_KEY_ID: !var aws/iam/user/robot/access_key_id
AWS_SECRET_ACCESS_KEY: !var aws/iam/user/robot/secret_access_key
By default, summon will look for secrets.yml in the directory it is called from and export the secret values to the environment of the command it wraps.
env in summon:
$ # export CONJUR_MAJOR_VERSION=4 for Conjur v4.9
$ summon --provider summon-conjur env
...
AWS_ACCESS_KEY_ID=AKIAJS34242K1123J3K43
AWS_SECRET_ACCESS_KEY=A23MSKSKSJASHDIWM
...
summon resolves the entries in secrets.yml with the conjur provider and makes the secret values available to the environment of the command
This provider uses the same configuration pattern as the Conjur CLI Client to connect to Conjur. Specifically, it loads configuration from:
- .conjurrc files, located in the home and current directories, or at the path specified by the
- Reads the
/etc/conjur.conf on Linux/macOS and
- Environment variables:
CONJUR_MAJOR_VERSION - must be set to 4 in order for summon-conjur to work with Conjur v4.9.
- Appliance URLs
- SSL certificate
are not provided, the username and API key are read from ~/.netrc, stored there by conjur authn login.
$HOME/.netrc is used as the default .netrc location but you can also specify its location
...
netrc_path: "/etc/conjur.identity"
...
In general, you can ignore the
you need to specify, for example, an authn proxy.
The provider will fail unless all of the following values are provided:
- CONJUR_MAJOR_VERSION=4 for Conjur v4.9
- An appliance url (
- An organization account (
- A username and API key, or Conjur authn token, or a path to (CONJUR_AUTHN_TOKEN_FILE) a dynamic Conjur authn token
- A path to (CONJUR_CERT_FILE) or content of (CONJUR_SSL_CERTIFICATE) the appliance's public SSL certificate
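A preflight check for the requirements listed above, written for this page as an added example (it is not part of summon-conjur). It assumes a setup configured only through environment variables, with no .conjurrc file. CONJUR_APPLIANCE_URL, CONJUR_ACCOUNT, CONJUR_AUTHN_LOGIN, CONJUR_AUTHN_API_KEY and CONJUR_AUTHN_TOKEN are the Conjur client's usual variable names and do not appear on this page; the netrc_path and v4 arguments are hypothetical.

```shell
# Added example, not project code. Env-var-only setup assumed (no .conjurrc).
# conjur_preflight [netrc_path] [v4]
# Prints one line per problem to stderr and returns the number of problems.
conjur_preflight() {
    netrc="${1:-$HOME/.netrc}"   # hypothetical parameter: identity file to inspect
    problems=0
    fail() { echo "summon-conjur preflight: $1" >&2; problems=$((problems + 1)); }

    # Only enforced when the caller says the server is Conjur v4.9.
    [ "${2:-}" != "v4" ] || [ "${CONJUR_MAJOR_VERSION:-}" = "4" ] \
        || fail "CONJUR_MAJOR_VERSION=4 is required for Conjur v4.9"
    [ -n "${CONJUR_APPLIANCE_URL:-}" ] || fail "no appliance URL"
    [ -n "${CONJUR_ACCOUNT:-}" ] || fail "no organization account"

    # Certificate: either a readable file or inline content.
    if [ -n "${CONJUR_CERT_FILE:-}" ]; then
        [ -r "$CONJUR_CERT_FILE" ] || fail "CONJUR_CERT_FILE is not readable"
    elif [ -z "${CONJUR_SSL_CERTIFICATE:-}" ]; then
        fail "no certificate (CONJUR_CERT_FILE or CONJUR_SSL_CERTIFICATE)"
    fi

    # Credentials in the order listed above, then the netrc fallback.
    if [ -n "${CONJUR_AUTHN_LOGIN:-}" ] && [ -n "${CONJUR_AUTHN_API_KEY:-}" ]; then
        :
    elif [ -n "${CONJUR_AUTHN_TOKEN:-}" ]; then
        :
    elif [ -n "${CONJUR_AUTHN_TOKEN_FILE:-}" ]; then
        [ -r "$CONJUR_AUTHN_TOKEN_FILE" ] \
            || fail "CONJUR_AUTHN_TOKEN_FILE is not readable"
    elif [ -f "$netrc" ]; then
        # The API key is stored here in clear text: require owner-only access.
        # Characters 5-10 of the mode string are the group and other bits.
        [ "$(ls -ld "$netrc" | cut -c5-10)" = "------" ] \
            || fail "$netrc is accessible to group or others (chmod 600)"
    else
        fail "no login/API key, authn token, token file or netrc identity"
    fi
    return "$problems"
}
```

Run it ahead of summon, for example `conjur_preflight && summon --provider summon-conjur env`, so a missing value or a loosely permissioned identity file is reported before any secret is fetched.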
We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our contributing guide.