CyberArk Secrets Manager provider for Summon.
Pre-built binaries and packages are available from GitHub releases here.
Are you using this project with Conjur Open Source? Then we strongly recommend choosing the version of this project to use from the latest Conjur OSS suite release. Conjur maintainers perform additional testing on the suite release versions to ensure compatibility. When possible, upgrade your Conjur version to match the latest suite release; when using integrations, choose the latest suite release that matches your Conjur version. For any questions, please contact us on Discourse.
brew tap cyberark/tools
brew install summon-conjurdeb and rpm files are attached to new releases.
These can be installed with dpkg -i summon-conjur_*.deb and
rpm -ivh summon-conjur_*.rpm, respectively.
Note Check the release notes and select an appropriate release to ensure support for your version of CyberArk Secrets Manager.
Use the auto-install script. This will install the latest version of summon-conjur.
The script requires sudo to place summon-conjur in dir /usr/local/lib/summon.
curl -sSL https://raw.githubusercontent.com/cyberark/summon-conjur/main/install.sh | bashOtherwise, download the latest release and extract it to the directory /usr/local/lib/summon.
Give summon-conjur a variable name and it will fetch it for you and print the value to stdout.
$ summon-conjur prod/aws/iam/user/robot/access_key_id
flgwkeatfghhdqkflaqiwoagsmfgxoolYou can also use interactive mode by starting the command without any arguments and then passing paths to secrets one by one. This way you can fetch multiple values in a single command run. Keep in mind that by using interactive mode outputted values will be in BASE64 format.
$ summon-conjur
prod/aws/iam/user/robot/access_key_id
Zmxnd2tlYXRmZ2hoZHFrZmxhcWl3b2Fnc21mZ3hvb2w=
prod/aws/s3/bucket_name/access_key_id
YWNudmdlb3dycmd4dW1ic2tncW51Zm50dmRvYWVic3A=Usage of summon-conjur:
-h, --help
show help (default: false)
-V, --version
show version (default: false)
-v, --verbose
be verbose (default: false)Summon is a command-line tool that reads a file in secrets.yml format and injects secrets as environment variables into any process. Once the process exits, the secrets are gone.
As an example let's use the env command:
Following installation, define your keys in a secrets.yml file
AWS_ACCESS_KEY_ID: !var aws/iam/user/robot/access_key_id
AWS_SECRET_ACCESS_KEY: !var aws/iam/user/robot/secret_access_keyBy default, summon will look for secrets.yml in the directory it is called from and export the secret values to the environment of the command it wraps.
Wrap the env in summon:
$ summon --provider summon-conjur env
...
AWS_ACCESS_KEY_ID=AKIAJS34242K1123J3K43
AWS_SECRET_ACCESS_KEY=A23MSKSKSJASHDIWM
...summon resolves the entries in secrets.yml with the CyberArk Secrets Manager provider and makes the secret values available to the environment of the command env.
This provider uses the same configuration pattern as the CyberArk Secrets Manager CLI to connect to Conjur. Specifically, it loads configuration from:
.conjurrcfiles, located in the home and current directories, or at the path specified by theCONJURRCenvironment variable.- Reads the
.conjurrcfile from/etc/conjur.confon Linux/macOS andC:\Windows\conjur.confon Windows. - Environment variables:
- Appliance URLs
CONJUR_APPLIANCE_URL
- SSL certificate
CONJUR_CERT_FILECONJUR_SSL_CERTIFICATE
- Authentication
- Account
CONJUR_ACCOUNT
- Login
CONJUR_AUTHN_LOGINCONJUR_AUTHN_API_KEY
- Token
CONJUR_AUTHN_TOKENCONJUR_AUTHN_TOKEN_FILE
- JWT Token
CONJUR_AUTHN_JWT_SERVICE_ID(e.g.kubernetes)JWT_TOKEN_PATH(optional) (default:/var/run/secrets/kubernetes.io/serviceaccount/token)
- AWS/Azure/GCP
CONJUR_AUTHN_TYPE(set toiam,azure, orgcp)CONJUR_SERVICE_ID(except for GCP)CONJUR_AUTHN_JWT_HOST_IDCONJUR_AUTHN_JWT_TOKEN(optional - if not set, token will be read from the metadata service)
- Account
- Credential Storage
CONJUR_CREDENTIAL_STORAGE(options:keyring,file,none)CONJUR_NETRC_PATH(custom path for.netrcfile when usingfilestorage)
- Appliance URLs
If authentication details are not provided via environment variables,
summon-conjur attempts to read them from the system keychain or ~/.netrc,
stored there by conjur login.
The provider supports multiple credential storage backends for caching authentication credentials:
- Uses the operating system's native credential storage (e.g., macOS Keychain, Windows Credential Manager, Linux Secret Service)
- Automatically selected if available on the system
- Most secure option as credentials are encrypted by the OS
- Stores credentials in a
.netrcfile (defaults to~/.netrc) - Used as fallback when keyring is unavailable
- Can be explicitly selected for compatibility
- Disables credential caching entirely
- Useful for ephemeral environments or when credentials are always provided via environment variables
- Use this option in environments where there are no file permissions to create a
.netrcfile, such as restricted containers, read-only filesystems, or ephemeral compute instances.
The storage backend can be configured via the CONJUR_CREDENTIAL_STORAGE environment variable or in the .conjurrc file:
# Use file-based storage with custom path
credential_storage: "file"
netrc_path: "/etc/conjur.identity"
# Or use keyring explicitly
credential_storage: "keyring"
# Or disable credential caching
credential_storage: "none"If not specified, the provider automatically selects keyring when available, otherwise falls back to file.
We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our contributing guide.