Cloud native security

Using Conjur Secrets in Containerized Ansible Tower Applications

Part Three of the Ansible Tower Technical Deep Dive Series

The Ansible Tower integration with CyberArk Conjur allows users and administrators to map sensitive credentials (like passwords, SSH private keys, and the external values of secrets stored) in a secrets management system instead of providing them to Ansible Tower directly.

Secrets management refers to the operations and systems that we use to protect our access credentials. A strong secrets management solution is scalable, easy to incorporate, and includes the following features:

  • Compact storage and encryption of all passwords, tokens, access keys, and encryption keys
  • Credentials access management
  • Audit reports for credential use
  • Sporadic rotation of credentials and encryption keys

Conjur provides all the functionalities mentioned above and more.

It also includes integrations for Ansible Tower (our focus today), CyberArk Application Identity Manager (AIM), HashiCorp Vault Key-Value Store (KV), HashiCorp Vault SSH Secrets Engine, and Microsoft Azure Key Management System (KMS).

To learn more about Ansible Tower and how it integrates with Conjur, check out Introduction to Secrets Management in Ansible Tower  and Deploying Conjur Using Ansible Tower . In this article, we’ll cover the following:

  • A brief exploration of how secrets management works in Ansible Tower
  • How to provide secrets to a containerized application deployed with Ansible Tower and running via Docker
  • How to ensure the secrets are accessible to containerized apps running on the node
  • An end-to-end look at how to make this work, and a demonstration on how it works with a simple Java application

In addition to containerized Ansible Tower applications, you can also use Conjur secrets in VM-deployed Ansible Tower applications  and Ansible Tower Kubernetes clusters .

Secrets Management in Ansible Tower

Secrets management experts like CyberArk Conjur take care of many challenges. These include developing the complex skills required to manage secrets within applications, and dealing with how to protect primary passwords or keys.

Until recently, these secrets were often hard-coded in configuration files or code. Which admittedly has concerning security issues.

Conjur offers a harmonious way to fetch secrets from leading continuous integration and continuous deployment (CI/CD) tools like Ansible Tower (which requires secrets to gain access to database resources, SSH servers, and so on). It does this by ensuring that each Ansible-managed remote node is responsible for using its own identity to retrieve secrets from Conjur, instead of all secrets moving through the Ansible Controller.

Secrets management works by integrating natively to configuration files to remove unprotected secrets from DevOps tools in CI/CD pipelines, while providing robust secrets rotation and complete audit trails.

Providing Secrets to a Containerized Application Deployed with Ansible Tower and Running Via Docker

Containerized applications deployed with Ansible Tower need secrets to obtain protected resources. However, it’s daunting to securely identify a container in an environment that’s constantly changing. But, you still need to authenticate if it’s authorized to access a particular resource.

Conjur provides a solution to this challenge by ensuring that each container has unique role-based access privileges. In other words, Conjur ensures rigorous validation of services and applications running in containers and ensures secrets are shared securely with their intended recipients.

To provide secrets to a containerized application running via Docker, we can use the Conjur_variable plugin. The plugin is part of the CyberArk collection used to retrieve credentials from Conjur with the host’s Conjur identity or environment variables.

As a prerequisite, you must have the following parameters and meet these requirements on the local controller node that executes the lookup. These include:

  • _term (string), which is a variable path that you must provide
  • as_file (boolean), which is a parameter that stores the result in a temporary file and returns the same
  • authn_token_file (path), which defines the path to the access token file
  • config_file (path), which shows the path to the Conjur configuration file, which is a YAML file
  • identity_file (path), which shows the path to the Conjur identity file
  • validate_certs (boolean), which is a flag to control SSL certificate validation

Let’s look at an example:

hosts: localhost
      - cyberark.conjur
      - name: Lookup variable in Conjur
          msg: "{{ lookup('cyberark.conjur.conjur_variable', '/path/to/secret') }}"

All things being equal, this should return a key called _raw, which is a string and a success message that reads “Value stored in Conjur.”

Ensuring Secrets are Only Available to Containerized Apps Running on the Node

Conjur is primarily for containerized environments. It integrates completely and expertly with popular container platforms, which helps developers centralize and simplify the management of secrets for containers in public or private cloud environments.

Conjur handles access to containerized applications by assigning each container or pod a unique set of role-based access privileges for fine-grained control of services, applications, and secrets. Central audit trails provide visibility into critical security events.

After you start Conjur, you should set the CONJUR_AUTHENTICATORS environment variable to the IAM authenticator, and pass an environment name to it.

For instance, for an environment called “staging,” CONJUR_AUTHENTICATORS should equal authn-iam/staging like so:

CONJUR_AaUTHENTICATORS = authn-iam/staging

Afterwards, you can define a policy for the authenticator by specifying the secrets your container needs and by allowing the application to authenticate using the authenticator.

Retrieving Conjur Secrets from a Containerized Application in a Simple Java Application

You can use the Conjur Java API to provide a robust programmatic interface to a Conjur server within your Java application. The Java API allows you to authenticate with Conjur and fetch secrets in a controlled manner.

The Java API integration with Conjur also provides many additional benefits. These include — but are not limited to — being able to store security policies as code and automating secret rotation.

Follow the steps described in the Conjur API for Java GitHub repository for more information.


In short, Conjur plays nicely with Ansible Tower. Integrating both goes beyond simply allowing DevOps and Security teams to secure and manage secrets used by CI/CD tools. You can also use this collaborative solution to provision and secure secrets for new applications and systems.

We recommend DevOps and Security teams start using Conjur and Ansible Tower together because they both embed secrets management best practices throughout the DevOps pipeline. These include strong authentication, fine-grained management, audit trails, role-based access control, and credential rotation.

With CyberArk handling the secrets, Ansible Tower helps you scale your infrastructure rapidly while keeping your secrets safe.

To strengthen your secrets management, consider using Conjur and Ansible Tower together today.