https://github.com/aslancarlos/appengine-java-conjur
Spring Boot application using GCP JWT to authenticate with Conjur Cloud via AUTHN-GCP.
https://github.com/aslancarlos/appengine-java-conjur
authn-gcp conjur federated-identity gcp jwt machine-identity spring-boot
Last synced: 1 day ago
JSON representation
Spring Boot application using GCP JWT to authenticate with Conjur Cloud via AUTHN-GCP.
- Host: GitHub
- URL: https://github.com/aslancarlos/appengine-java-conjur
- Owner: aslancarlos
- License: apache-2.0
- Created: 2024-11-18T03:24:24.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2026-05-28T00:55:05.000Z (about 1 month ago)
- Last Synced: 2026-05-28T01:22:55.981Z (about 1 month ago)
- Topics: authn-gcp, conjur, federated-identity, gcp, jwt, machine-identity, spring-boot
- Language: Java
- Size: 29.5 MB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Security: SECURITY.md
Awesome Lists containing this project
README
# Spring Boot Application with Conjur Authn-GCP Integration
A Spring Boot application that authenticates to CyberArk Conjur Cloud using Google Cloud Platform identity tokens (`authn-gcp`). Instead of storing a long-lived Conjur API key, the app obtains a short-lived GCP JWT and trades it for Conjur access — a federated, zero-static-secret pattern suited for workloads running on GCP (App Engine, Cloud Run, GKE, Compute Engine).
**Note**: This project is intended as a proof of concept and test for this integration. It does not have official support from CyberArk.
## Features
- **Spring Boot**: Utilizes the Spring Boot framework for building RESTful APIs.
- **Conjur Integration**: Securely manages secrets using Conjur, an enterprise-grade secret management tool.
- **Authn-GCP Authentication**: Authenticates with Conjur via Google Cloud Platform (GCP) using JSON Web Tokens (JWT).
- **Environment-specific Secret Management**: Supports different environments for credential retrieval, allowing dynamic and secure configuration.
## Prerequisites
- Java 11 or higher
- Maven 3.6 or higher
- Google Cloud Platform account with the necessary IAM roles
- Conjur configured with Authn-GCP integration
## Getting Started
### Clone the Repository
```sh
git clone https://github.com/your-username/your-repository-name.git
cd your-repository-name
```
### Configuration
1. **Conjur Configuration**:
- Set up Conjur and enable the `authn-gcp` authenticator.
- Define the required policies and load the secrets.
2. **Google Cloud Configuration**:
- Ensure that the GCP service account being used has the necessary permissions to generate identity tokens.
- Add the GCP service account to the Conjur policy to allow authentication.
3. **Application Properties**:
- Update `src/main/resources/application.properties` with your configuration values.
```properties
conjur.auth.url=https://your-conjur-instance/authn-gcp/your-account-name
conjur.secrets.url=https://your-conjur-instance/secrets/your-account-name/variable/
gcp.project-id=your-gcp-project-id
gcp.service-account-email=your-service-account-email
```
- Replace the placeholders with your actual configuration values.
### Building the Project
```sh
mvn clean install
```
### Running the Application
```sh
mvn spring-boot:run
```
The application will start on port `8080` by default. You can access it at `http://localhost:8080/conjur`.
## Usage
Once the application is running, it will authenticate with Conjur using the provided GCP JWT and retrieve the configured secrets.
## Important Parameters to Update
Make sure to update the following parameters before running the application:
- Update the values of secrets in `ConjurController.java` to ensure the correct secret paths are used.
- `conjur.auth.url`: The Conjur authentication URL, including the Authn-GCP endpoint.
- `conjur.secrets.url`: The URL for accessing secrets in Conjur.
- `gcp.project-id`: The Google Cloud project ID where the service account resides.
- `gcp.service-account-email`: The email of the service account being used for authentication.
## Troubleshooting
- **Authentication Errors**: Make sure that the GCP service account has the correct permissions and that the Conjur policy allows it to authenticate.
- **Secret Retrieval Errors**: Verify that the secret paths in Conjur are correct and that the application has the right permissions to access them.
## Contributing
Contributions are welcome! Please fork this repository and open a pull request to propose any changes.
## License
This project is licensed under the Apache License 2.0 — see the [LICENSE](LICENSE) file for details.
## Contact
If you have any questions or need further assistance, feel free to contact us.