I have generated the access token and placed it in the mount path mentioned below, and this token needs to be included in the Authorization header when making a request against the retrieve secret endpoint.
How can we achieve this in YAML scripting?
volumeMounts:
- mountPath: /run/test
  name: conjur-access-token
  readOnly: true
If the file containing your token in the mount path is called token, then you can simply do (assuming that you use curl):
curl -H "Authorization: Bearer $(cat /run/test/token)" ...
This question is referencing CyberArk's Conjur Secrets Manager's Kubernetes authenticator. It uses a sidecar authenticator client to keep an authenticated session token for Conjur's API refreshed in a shared volume mount with an application container running within a Kubernetes pod. This allows the application container to request secret values Just-in-Time (JiT) from the Conjur API with a single API call.
There is a file located at /run/test/conjur-access-token (according to the manifest snippet you provided) that contains the authenticated session token to use to connect to the Conjur API. Your application container needs to read /run/test/conjur-access-token and use it in the Authorization header as a Token-based authorization. To use curl, this would look like:
curl -H "Authorization: Token token='$(cat /run/test/conjur-access-token)'" https://conjur.example.com/secrets/myorg/variable/prod%2Fdb%2Fpassword
Where:
/run/test/conjur-access-token is the path to the shared volume mount of the application container and sidecar Kubernetes authenticator client.
conjur.example.com is the Base URL for your Conjur Follower in the Kubernetes cluster (or outside, if that's the deployment method).
myorg is the organization account configured at the time of Conjur deployment and configuration.
prod%2Fdb%2Fpassword is the URLified secret variable path in Conjur. This would be referenced otherwise as prod/db/password but since forward-slashes are part of URL/URI, we need this URLified to %2F.
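The steps described in the answers above (read the token file, URL-encode the variable path, send the Authorization header), as an added shell example that is not part of either answer or of CyberArk's own code. The function names and environment variables are hypothetical; the host, account, token path and header form are the placeholder values from the answer.

```shell
#!/bin/sh
# Added example, not from the answers. Defaults are the answer's placeholder values.
CONJUR_URL="${CONJUR_URL:-https://conjur.example.com}"
CONJUR_ACCOUNT="${CONJUR_ACCOUNT:-myorg}"
TOKEN_FILE="${TOKEN_FILE:-/run/test/conjur-access-token}"

# Percent-encode everything outside the RFC 3986 unreserved set, so "/" -> %2F.
# Runs in a subshell with the C locale; intended for ASCII variable ids.
urlencode() (
    LC_ALL=C
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}            # everything after the first character
        c=${s%"$rest"}         # the first character itself
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
)

# Read the token written by the sidecar; fail closed if it is missing or empty.
read_token() {
    [ -r "$1" ] || { echo "token file not readable: $1" >&2; return 1; }
    tok=$(cat "$1")            # command substitution strips the trailing newline
    [ -n "$tok" ] || { echo "token file is empty: $1" >&2; return 1; }
    printf '%s' "$tok"
}

# Header in the form used in the answer above (one line, newline-terminated).
auth_header() { printf "Authorization: Token token='%s'\n" "$1"; }

# URL layout from the answer: <base>/secrets/<account>/variable/<encoded id>.
secret_url() {
    printf '%s/secrets/%s/variable/%s' "$CONJUR_URL" "$CONJUR_ACCOUNT" "$(urlencode "$1")"
}

# Re-read the file on every call (the sidecar refreshes it) and pass the header
# on stdin (-H @-, curl 7.55.0+) so the token is not in curl's argument list.
fetch_secret() {
    tok=$(read_token "$TOKEN_FILE") || return 1
    auth_header "$tok" | curl --fail --silent --show-error -H @- "$(secret_url "$1")"
}
# Usage: fetch_secret prod/db/password
```

Reading the file inside `fetch_secret` rather than once at start-up means each request picks up whatever token the sidecar has most recently written.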