Conjur Cloud Integration
GGScout supports integration with Conjur Cloud to collect and monitor your secrets. This guide will help you set up and configure the integration.
Supported Features
- Multiple secret versions collection
- CyberArk authentication
- Tenant-specific configuration
- Subdomain support
Configuration
To configure GGScout to work with Conjur Cloud, add the following configuration to your ggscout.toml file:
CyberArk Authentication
[sources.conjur]
type = "conjurcloud"
auth_mode = "cyberark"
conjur_url = "${CONJUR_URL}"
client_id = "${CYBERARK_CLIENT_ID}"
client_secret = "${CYBERARK_CLIENT_SECRET}"
tenant_id = "${CYBERARK_TENANT_ID}"
subdomain = "my-company"
fetch_all_versions = true
mode = "read"
env = "production"
[[sources.conjur.include]]
resource_ids = ["app/*", "database/*", "api-key"]
[[sources.conjur.exclude]]
resource_ids = ["test/*", "temp/*", "old-secret"]
Workload Authentication
[sources.conjur]
type = "conjurcloud"
auth_mode = "workload"
api_key = "${CONJUR_API_KEY}"
login = "${CONJUR_LOGIN}"
subdomain = "my-company"
fetch_all_versions = true
mode = "read"
env = "production"
[[sources.conjur.include]]
resource_ids = ["app/*", "database/*", "api-key"]
[[sources.conjur.exclude]]
resource_ids = ["test/*", "temp/*", "old-secret"]
Configuration Parameters
| Parameter | Description | Required | Default Value |
|---|---|---|---|
type | Must be set to "conjurcloud" | Yes | |
auth_mode | Authentication mode (one of: "cyberark", "workload") | Yes | |
subdomain | Your company's subdomain | Yes | |
fetch_all_versions | Whether to collect all versions of secrets | Yes | |
mode | Integration mode (one of: "read", "write", "read/write") | No | "read" |
env | Environment label for categorizing secrets (e.g., "production", "staging", "development") | No | |
include | List of path patterns to include in secret collection | No | |
exclude | List of path patterns to exclude from secret collection | No |
With additional parameters depending on the chosen authentication mode:
For CyberArk Authentication:
| Parameter | Description | Required | Default Value |
|---|---|---|---|
client_id | The client ID for authentication | Yes | |
client_secret | The client secret for authentication | Yes | |
tenant_id | The tenant ID | Yes |
For Workload Authentication:
| Parameter | Description | Required | Default Value |
|---|---|---|---|
api_key | Your Conjur API key | Yes | |
login | Your Conjur login | Yes |
Authentication
GGScout supports authentication with Conjur Cloud through:
- CyberArk Integration: Using client ID and secret
- Environment Variables: Using standard Conjur environment variables
Environment Variables
CONJUR_URL: The Conjur Cloud URL
For CyberArk Authentication:
CYBERARK_CLIENT_ID: Your CyberArk client IDCYBERARK_CLIENT_SECRET: Your CyberArk client secretCYBERARK_TENANT_ID: Your CyberArk tenant ID
For Workload Authentication:
CONJUR_API_KEY: Your Conjur API keyCONJUR_LOGIN: Your Conjur login
Best Practices
- Use environment variables for sensitive credentials
- Follow the principle of least privilege for access policies
- Enable
fetch_all_versionsto track changes in your secrets over time - Regularly rotate client secrets
- Use separate subdomains for different environments
- Implement proper secret rotation policies
