`psConjur` is a PowerShell module for authenticating to and retrieving secrets from Conjur’s REST API. It supports session-based authentication to streamline repeated requests.
You can install `psConjur` directly from the PowerShell Gallery:

```powershell
Install-Module -Name psConjur -Scope CurrentUser
```
Download the module files and import them into your PowerShell session:

```powershell
Import-Module .\psConjur\psConjur.psd1
```
Initialize a session with Conjur to set up common parameters (`ApplianceUrl`, `Account`, and `AuthToken`) for reuse across multiple commands:

```powershell
Initialize-ConjurSession -ApplianceUrl "https://your-conjur-appliance.com/api" -Account "conjur" -AuthToken "your-auth-token" -ExpiryMinutes 30
```

`ExpiryMinutes` is optional and defaults to 30 minutes.
Use the `Get-ConjurAuthToken` function to authenticate and obtain an access token. This supports both JWT and API Key authentication methods.

```powershell
# JWT authentication
$authToken = Get-ConjurAuthToken -ServiceID "your-service-id" -JWTToken "your-jwt-token"

# API key authentication
$authToken = Get-ConjurAuthToken -WorkloadID "your-WorkloadID" -ApiKey "your-api-key"
```
The retrieved `AuthToken` will automatically update the session and reset the expiration time.
Retrieve a single secret using the `Get-ConjurSecret` function:

```powershell
$secret = Get-ConjurSecret -SecretId "my/secret/id"
```
Retrieve multiple secrets at once by providing an array of secret IDs to `Get-ConjurSecretsBulk`:

```powershell
$secrets = Get-ConjurSecretsBulk -SecretIds @("secret/id/one", "secret/id/two")
```
When finished, manually clear the session data to remove sensitive information from memory:

```powershell
Clear-ConjurSession
```
Using a session-based approach for storing authentication and connection information introduces security implications. Here are key considerations and recommendations:
Implication | Description | Recommendation |
---|---|---|
Session Persistence | Sensitive data, including the `AuthToken`, remains in memory during the session. This provides convenience but poses a risk if the PowerShell session remains open and unattended. | Always clear the session manually with `Clear-ConjurSession` when done, and avoid using this module in long-running, unattended sessions. |
Session Expiration | Sessions expire after a set time (default is 30 minutes) to prevent indefinite access with stale tokens. | Set an appropriate expiration time based on your security needs using `ExpiryMinutes` in `Initialize-ConjurSession`. |
Unauthorized Access | If another user gains access to the PowerShell session, they could potentially access stored tokens. | Limit access to the system, and use PowerShell’s ConstrainedLanguage mode to restrict unauthorized users in shared environments. |
Memory Exposure | Sensitive session data stored in memory could be accessed if the host is compromised. | Secure the host machine and consider automatic session clearing or periodic re-authentication in high-security environments. |
Audit Logging | This module does not log actions by default, which may complicate auditing. | Enable custom logging for critical actions as needed, depending on your organization’s audit requirements. |
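
The Session Persistence and Audit Logging recommendations above can be combined in a small wrapper. This is an added example, not part of psConjur: `Invoke-WithConjurSession`, `Write-Audit`, the log path, and `Deploy-App` in the usage comment are hypothetical, and it assumes the module's cmdlets behave as described on this page and that a token has already been obtained.

```powershell
# Added example (hypothetical wrapper, not shipped with psConjur).
# Guarantees Clear-ConjurSession runs even on failure and records which
# secret IDs were read. Secret values and tokens are never written to the log.
function Invoke-WithConjurSession {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]      $ApplianceUrl,
        [Parameter(Mandatory)] [string]      $Account,
        [Parameter(Mandatory)] [string]      $AuthToken,
        [Parameter(Mandatory)] [string[]]    $SecretIds,
        [Parameter(Mandatory)] [scriptblock] $Action,
        [int]    $ExpiryMinutes = 5,   # shorter than the module default of 30
        # Assumed log location; point this at a path only auditors can modify.
        [string] $AuditLogPath = (Join-Path ([System.IO.Path]::GetTempPath()) 'psconjur-audit.log')
    )

    # Appends one timestamped line per action: who, where, what.
    function Write-Audit([string]$Name, [string]$Detail) {
        $line = '{0} user={1} host={2} event={3} {4}' -f `
            (Get-Date).ToUniversalTime().ToString('o'),
            [Environment]::UserName, [Environment]::MachineName, $Name, $Detail
        Add-Content -Path $AuditLogPath -Value $line
    }

    try {
        Initialize-ConjurSession -ApplianceUrl $ApplianceUrl -Account $Account `
            -AuthToken $AuthToken -ExpiryMinutes $ExpiryMinutes
        Write-Audit 'session_start' "expiry_minutes=$ExpiryMinutes"

        $secrets = Get-ConjurSecretsBulk -SecretIds $SecretIds
        Write-Audit 'secrets_read' ('ids=' + ($SecretIds -join ','))

        # Hand the secrets to the caller's code; they stay in this scope only.
        & $Action $secrets
    }
    catch {
        # Log the exception type only, in case the message echoes sensitive data.
        Write-Audit 'error' ('type=' + $_.Exception.GetType().Name)
        throw
    }
    finally {
        Clear-ConjurSession   # always remove the token from session state
        Write-Audit 'session_cleared' ''
    }
}

# Usage (constructed values; $token obtained beforehand, Deploy-App is hypothetical):
# Invoke-WithConjurSession -ApplianceUrl 'https://conjur.example.com/api' -Account 'conjur' `
#     -AuthToken $token -SecretIds 'secret/id/one','secret/id/two' `
#     -Action { param($s) Deploy-App -Secrets $s }
```
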
Feel free to submit issues and pull requests. Please ensure code is formatted for readability and follows PowerShell best practices.