CyberArk Conjur Cloud Credential Provider Secret Path Expressions

Use the path expressions listed in this topic to use the CyberArk Conjur Cloud credential providers in your source authentication configurations. For more information, refer to Retrieve a secret in the CyberArk documentation.

Note
The linked document is not maintained by SailPoint and is subject to change without notice.

The CyberArk Conjur Cloud Credential Provider can provide any field supported by CyberArk Conjur Cloud.

Path syntax: secrets://{CredentialProviderSourceName}/{ResourceIdOfSecret}

Note
The ResourceIdofSecret attribute can be obtained from Conjur Cloud > Resources then select the created Secret.

For example:

Before Encoding

secrets://CyberarkConjurCloudSource/data/vault/LDAP Safe/Operating System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount/username

Important
The URL path should always start with the prefix, secrets://. Each URL attribute should be URL-encoded. For example, CredentialProviderSourceName, ResourceIdOfSecret, the prefix, and the suffix must be encoded separately. Each URL attribute in the path is case-sensitive.

After Encoding

After you encode the URL path, it should appear as follows:

secrets://CyberarkConjurCloudSource/data%2Fvault%2FLDAP%20Safe%2FOperating%20System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount%2Fusername

The following is an explanation of the attributes of this URL:

  • CyberarkConjurCloudSource – The Configured Credential Provider in the Credential Provider Section.

  • data%2Fvault%2FLDAP%20Safe%2FOperating%20System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount%2Fusername – The encoded resource ID of the secret.

Tip
Use urlencoder.org to encode your URL attributes.

Path syntax: secrets://{CredentialProviderSourceName}/{ResourceIdOfSecret}

For example:

Before Encoding

secrets://CyberarkConjurCloudSource/data/vault/LDAP Safe/Operating System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount/password

Important
The URL path should always start with the prefix, secrets://. Each URL attribute should be URL-encoded. For example, CredentialProviderSourceName, ResourceIdOfSecret, the prefix, and the suffix must be encoded separately. Each URL attribute in the path is case-sensitive.

After Encoding

After you encode the URL path, it should appear as follows:

secrets://CyberarkConjurCloudSource/data%2Fvault%2FLDAP%20Safe%2FOperating%20System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount%2Fpassword

The following is an explanation of the components of this URL:

  • CyberarkConjurCloudSource – Configured Credential Provider in the Credential Provider Section.

  • data%2Fvault%2FLDAP%20Safe%2FOperating%20System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount%2Fusername – The encoded resource ID of the secret.

Tip
Use urlencoder.org to encode your URL attributes.

If any secret paths have a prefix or a suffix, you must append a query parameter to the secret path as follows:

  • To add a prefix – ?prefix=<prefix>

    For example, if the secret value returned after evaluation is LocalAdmin, but the complete value required by the secret field is DomainOne\LocalAdmin then the secret path expression will be as follows to add the required prefix:

    secrets://CyberarkConjurCloudSource/data%2Fvault%2FLDAP%20Safe%2FOperating%20System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount%2Fusername?prefix=DomainOne%5C

  • To add a suffix – ?suffix=<suffix>

    For example, if the secret value returned after evaluation is localadministrator, but the complete value required by the secret field is localadminstrator@sp.com then the secret path expression will be as follows to add the required suffix:

    secrets://CyberarkConjurCloudSource/data%2Fvault%2FLDAP%20Safe%2FOperating%20System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount%2Fusername?suffix=%40sp.com

Important
All input parameters must be encoded.