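# Conjur quickstart + Ansible host-factory walkthrough (part 1: bring up Conjur,
# create the account, load policy, mint a host-factory token).
# Meant to be pasted step by step into an interactive shell, not run as a script:
# the `docker-compose exec ... client bash` line below drops into a shell inside
# the `client` container and every command after it runs there.

# Fetch the quickstart compose file. -f fails on HTTP errors instead of saving an
# error page as YAML; -L follows redirects. Review the file before using it — it
# is executable configuration pulled from the network.
curl -fsSL -o docker-compose.yml https://www.conjur.org/get-started/docker-compose.quickstart.yml

# Patch the compose file in place. `-i.bak` works on both GNU and BSD/macOS sed
# (GNU `sed -i` and BSD `sed -i ''` are otherwise incompatible); the backup copy
# is removed afterwards.
sed -i.bak "s/^version: '2'$/version: '2.2'/" docker-compose.yml
# Drop the pre-set CONJUR_* entries from the environment: section (presumably the
# client service's); this walkthrough supplies them explicitly via
# `docker-compose exec -e ...` and the conjur CLI identity instead.
sed -i.bak '/^[[:space:]]*CONJUR_ACCOUNT:$/d' docker-compose.yml
sed -i.bak '/^[[:space:]]*CONJUR_AUTHN_API_KEY:$/d' docker-compose.yml
sed -i.bak '/^[[:space:]]*CONJUR_AUTHN_LOGIN: admin$/d' docker-compose.yml
rm -f docker-compose.yml.bak
docker-compose pull

# cleanup: start from a clean slate (containers and anonymous volumes removed)
unset CONJUR_ACCOUNT CONJUR_APPLIANCE_URL CONJUR_AUTHN_LOGIN CONJUR_AUTHN_API_KEY CONJUR_DATA_KEY
docker-compose stop
docker-compose rm -v -f

# Generate the data key. It is a secret (presumably what the conjur service uses
# to encrypt its stored data — losing it means losing the data), so create the
# file with 0600 permissions and never print its value. `umask` in the subshell
# keeps the restriction local to this one command; -T disables the pseudo-tty so
# no stray carriage returns end up in the file.
( umask 077; docker-compose run -T --no-deps --rm conjur data-key generate > data_key )
export CONJUR_DATA_KEY="$(< data_key)"
# Confirm it is set without echoing the value into the terminal/scrollback.
: "${CONJUR_DATA_KEY:?data key generation failed}"
printf 'CONJUR_DATA_KEY set (%d chars)\n' "${#CONJUR_DATA_KEY}"
docker-compose up -d

export CONJUR_ACCOUNT=quick_start
printf 'CONJUR_ACCOUNT=%s\n' "${CONJUR_ACCOUNT}"

# `account create` prints the admin API key. Capture it to a 0600 file named
# after the account (as the original did) and extract the key from it.
( umask 077; docker-compose exec -T conjur conjurctl account create "${CONJUR_ACCOUNT}" > "${CONJUR_ACCOUNT}" )
export CONJUR_AUTHN_API_KEY="$(sed -n 's/^API key for admin: //p' "${CONJUR_ACCOUNT}" | tr -d '\r')"
: "${CONJUR_AUTHN_API_KEY:?could not parse admin API key from file ${CONJUR_ACCOUNT}}"
printf 'CONJUR_AUTHN_API_KEY set (%d chars)\n' "${#CONJUR_AUTHN_API_KEY}"

# Enter the client container. NOTE(review): values passed as -e KEY=VAL are in
# docker-compose's argv (visible in `ps` on the host and in shell history) for
# the life of the exec call — acceptable for a throwaway quickstart, not for a
# real admin key.
docker-compose exec -e CONJUR_ACCOUNT="${CONJUR_ACCOUNT}" -e CONJUR_AUTHN_API_KEY="${CONJUR_AUTHN_API_KEY}" client bash

# ---- everything below runs inside the client container ----
conjur init -u conjur -a "${CONJUR_ACCOUNT}"
conjur authn login -u admin # at the password prompt, paste the admin API key from the account-create step
# Left for reference but disabled: not needed for this walkthrough, and `-p secret`
# puts a weak, hard-coded password on the command line (ps/history). If a
# password is wanted, let the CLI prompt for it instead.
# conjur user update_password -p secret
conjur policy load root - <<'EOF'
- !policy
  id: root
  body:
  - !variable secret
EOF
conjur variable values add root/secret foo
conjur policy load root - <<'EOF'
- !policy
  id: ansible-executors-dynamic
  body:
  - !layer
  - !host-factory
    annotations:
      description: automatically enroll new Ansible executors
    layers: [ !layer ]
# conspicuously missing: any explicitly-defined !host objects
# these will be created implicitly by the host factory on-demand
EOF
# Host-factory token: anyone holding it can enroll new hosts into the layer, so
# keep its lifetime short. The original quickstart used --duration-days=365; the
# token is only needed while playbook_self_register.yml runs, so one day is
# plenty here (override with HOST_FACTORY_TOKEN_DAYS). Revoke it when done if
# the CLI offers it (`conjur hostfactory tokens revoke` in Conjur v5, I believe).
export HOST_FACTORY_TOKEN="$(conjur hostfactory tokens create --duration-days="${HOST_FACTORY_TOKEN_DAYS:-1}" ansible-executors-dynamic | jq --raw-output '.[].token')"
: "${HOST_FACTORY_TOKEN:?host factory token creation failed}"
printf 'HOST_FACTORY_TOKEN set (%d chars)\n' "${#HOST_FACTORY_TOKEN}"
conjur list
conjur authn logout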
# ---- Install Ansible in the client container ----
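# python-dev is needed to build pip packages with C extensions.
apt-get update && apt-get -y install python-dev
# Download the pip bootstrapper to disk and run it from there rather than
# `curl | python`: piping executes whatever the server returns with no chance to
# inspect it or check a digest, and a truncated download would run partially.
# -f makes curl fail on HTTP errors instead of feeding an error page to python.
# NOTE(review): if this outlives the quickstart, pin get-pip.py to a known
# version and verify its sha256 before running it.
curl -fsSL -o get-pip.py https://bootstrap.pypa.io/get-pip.py
python get-pip.py
rm -f get-pip.py
# Unpinned: installs whatever is newest on PyPI at run time. Pin versions
# (e.g. `ansible==X.Y.Z`) for anything reproducible.
pip install --upgrade pip ansible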
# ---- Run Ansible in the client container ----
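# Part 2 (inside the client container): self-register a host through the host
# factory, grant it access to one variable, then read that variable via the
# Conjur lookup plugin. Here-doc delimiters are quoted so nothing in the YAML is
# subject to shell expansion.
cd "${HOME}"
cat > ansible.cfg <<'EOF'
[defaults]
retry_files_enabled = False
roles_path = ./roles
EOF

# Role sources. NOTE(review): the lookup plugin is pulled from a personal GitHub
# fork on a moving branch (`version: python3`) and installed under the
# cyberark.* name — pin `version:` to a specific commit or tag before relying on
# it, and verify the fork against the upstream plugin.
cat > requirements.yml <<'EOF'
# from GitHub
- src: git+https://github.com/dericcrago/ansible-conjur-lookup-plugin
  version: python3
  name: cyberark.conjur-lookup-plugin
# from Galaxy
- src: cyberark.conjur-host-identity
EOF

# Self-registration: the role presents the host-factory token (read from the
# environment) to enroll a host named conjur_<inventory_hostname>.
cat > playbook_self_register.yml <<'EOF'
- hosts: all
  connection: local
  tasks:
  - include_role:
      name: cyberark.conjur-host-identity
    vars:
      conjur_appliance_url: "{{lookup('env', 'CONJUR_APPLIANCE_URL')}}"
      conjur_account: "{{lookup('env', 'CONJUR_ACCOUNT')}}"
      conjur_host_factory_token: "{{lookup('env', 'HOST_FACTORY_TOKEN')}}"
      conjur_host_name: "conjur_{{inventory_hostname}}"
EOF

# Secret lookup. Demo only: `debug` prints the secret's value into Ansible's
# output (and any log capturing it); never do this outside a quickstart.
cat > playbook_lookup_secret.yml <<'EOF'
- hosts: all
  connection: local
  tasks:
  - include_role:
      name: cyberark.conjur-lookup-plugin
  - debug:
      var: root_secret
    vars:
      root_secret: "{{ lookup('retrieve_conjur_variable', 'root/secret') }}"
EOF

ansible-galaxy install -r requirements.yml

# Show which CONJUR_*/TOKEN variables are set — names only, the values are
# secrets and do not belong in a terminal log. Expected at this point:
#   CONJUR_ACCOUNT  HOST_FACTORY_TOKEN  CONJUR_APPLIANCE_URL  CONJUR_AUTHN_API_KEY
#   CONJUR_MAJOR_VERSION  CONJUR_VERSION
# NOTE(review): CONJUR_APPLIANCE_URL is http://conjur in the quickstart, i.e.
# plain HTTP on the compose network; API keys and secret values travel in the
# clear. Fine for a local demo, not for anything else.
printenv | grep -E 'CONJUR|TOKEN' | cut -d= -f1

conjur authn whoami
ansible-playbook -i localhost, playbook_self_register.yml
# The role has (presumably) written the new host's identity to
# /etc/conjur.identity, so whoami should now report the host rather than admin.
conjur authn whoami
conjur list

# Keep a copy of the host identity: we are playing both the Ansible console and
# the 'remote' host from this one container, and the admin login below
# overwrites /etc/conjur.identity. `cp -a` preserves its (restrictive) mode.
cp -a /etc/conjur.identity /etc/conjur.identity.host
conjur authn login -u admin
conjur authn whoami
# Least privilege: the self-registered host gets read/execute on root/secret only
# — no write, no other variables.
conjur policy load root - <<'EOF'
- !permit
  resource: !variable root/secret
  privileges: [ read, execute ]
  roles: !host conjur_localhost
EOF
conjur list
conjur authn logout

# Drop the admin API key and the host-factory token from the environment; the
# remaining steps should need neither (the lookup presumably authenticates with
# the host identity file alone).
unset CONJUR_AUTHN_API_KEY HOST_FACTORY_TOKEN
# expected: CONJUR_ACCOUNT CONJUR_APPLIANCE_URL CONJUR_MAJOR_VERSION CONJUR_VERSION
printenv | grep -E 'CONJUR|TOKEN' | cut -d= -f1

# Switch back to the host identity and read the secret as that host.
cp -a /etc/conjur.identity.host /etc/conjur.identity
conjur list
ansible-playbook -i localhost, playbook_lookup_secret.yml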