Skip to content

cyberark/conjur-api-dotnet

BranchesTags

Repository files navigation

CyberArk Secrets Manager API for .NET

Programmatic .NET access to CyberArk Secrets Manager and Conjur OSS. This .NET SDK allows developers to build new apps in .NET that communicate with Secrets Manager by invoking our Secrets Manager API to perform operations on stored data (add, retrieve, etc)

Table of Contents

Using conjur-api-dotnet with Conjur Open Source

Are you using this project with Conjur Open Source? Then we strongly recommend choosing the version of this project to use from the latest Conjur OSS suite release. Conjur maintainers perform additional testing on the suite release versions to ensure compatibility. When possible, upgrade your Conjur version to match the latest suite release; when using integrations, choose the latest suite release that matches your Conjur version. For any questions, please contact us on Discourse.

Requirements

  • CyberArk Secrets Manager, Self-Hosted; CyberArk Secrets Manager, Saas; or Conjur OSS
  • .NET 6.0 or later
  • When using the AWS Authenticator, CyberArk Secrets Manager, Self-Hosted v13+ or CyberArk Secrets Manager, SaaS (Conjur OSS was not tested)

Building

Visual Studio

To load in Visual Studio, from the Visual Studio File menu select Open > Project/Solution > api-dotnet.sln and build the solution. This will create:

  • conjur-api.dll: the .NET version of the Secrets Manager API.
  • ConjurTest.dll: test DLL used for automated testing of the Secrets Manager .NET API
  • example.exe: sample application that uses the Secrets Manager API.

Docker

To build in a Docker container, run the following commands:

make -C docker
./build.sh

Methods

Client

Client Client(uri, account)

  • Create new Secrets Manager instance
    • uri - URI of the Secrets Manager server. Example: https://myconjur.org.com/api
    • account - Name of the Secrets Manager account

void client.LogIn(string userName, string password)

  • Login to a Secrets Manager user
    • userName - Username of Secrets Manager user to login as
    • password - Password of user

void client.TrustedCertificates.ImportPem (string certPath)

  • Add Secrets Manager root certificate to system trust store
    • certPath = Path to cert

void client.DisableCertCheck()

  • Disable SSL Cert check -- used when Secrets Manager is configured with self-signed cert. Do not use in production.

void client.EnableCertCheck()

  • Enable SSL Cert check -- Default is to perform cert check; this method is used if there is a need to disable and enable the cert check.

client.Credential = new NetworkCredential(string userName, string apiKey)

  • To login with an API key, use it directly
    • userName - Username of user to login as
    • apiKey - API key of user/host/etc

IEnumerable<Variable> client.ListVariables(string query = null)

  • Returns a list of variable objects
    • query - Additional query parameters (not required)

uint client.CountVariables(string query = null)

  • Return count of Secrets Manager variables conforming to the query parameter
    • query - Additional query parameters (not required)

Host client.CreateHost(string name, string hostFactoryToken)

  • Creates a host using a host factory token
    • name - Name of the host to create
    • hostFactoryToken - Host factory token

client.Authenticator = new Conjur.AWSIAMAuthenticator(Conjur.Client client, string Identity, string Authenticator, string roleArn = "", string ConjurAWSRegion = "us-east-1")

  • REQUIREMENTS: CyberArk Secrets Manager, Self-Hosted v13+ or CyberArk Secrets Manager, SaaS (Conjur OSS was not tested)
  • Configure the client to use the AWS IAM Authenticator
    • Client must be instantiated with these attributes before instantiating the AWS authenticator:
      • ApplianceUri
      • Account
      • Example: var client = new Conjur.Client(conjurApiUri, conjurAccount);

Policy

Policy client.Policy(string policyName)

  • Create a Secrets Manager policy object
    • policyName - Name of policy

policy.LoadPolicy(Stream policyContent)

  • Load policy into Secrets Manager
    • policyContent - The policy

Variable

Variable client.Variable(string name)

  • Instantiate a Variable object
    • name - Name of the variable

Boolean variable.Check(string privilege)

  • Check if the current entity has the specified privilege on this variable
    • privilege - string name of the privilege to check for
      • Privileges: read, create, update, delete, execute

void variable.AddSecret(bytes val)

  • Change current variable to val
    • val - Value in bytes to update current variable to

String variable.GetValue()

  • Return the value of the current Variable

Examples

Example Code

// Instantiate a Conjur Client object.
//  parameter: URI - conjur appliance URI
//  parameter: ACCOUNT - conjur account name
//  return: Client object - if URI is incorrect errors thrown when used
Client conjurClient = new Client("https://myorg.com", account);

// Login with Conjur credentials like userid and password,
// or hostid and api_key, etc
//  parameters: username - conjur user or host id for example
//              password - conjur user password or host api key for example
string conjurAuthToken = conjurClient.Login(username, password);

// Check if this user has permission to get the value of variableId
// That requires execute permissions on the variable

// Instantiate a Variable object
//   parameters: client - contains authentication token and conjur URI
//               name - the name of the variable
Variable conjurVariable = new Variable(conjurClient, variableId);

// Check if the current user has "execute" privilege required to get
// the value of the variable
//   parameters: privilege - string name of the priv to check for
bool isAllowed = conjurVariable.Check("execute");
if (!isAllowed)
{
    Console.WriteLine("You do not have permissions to get the value of {0}", variableId);
}
else
{
    Console.WriteLine("{0} has the value: {1}", variableId, conjurVariable.GetValue());
}

Example App

This example app shows how to:

  • Authenticate
  • Load Policy
  • Check permissions to get the value of a variable
  • Get the value of a variable
  • Use a Host Factory token to create a new Host and get an apiKey to use with Conjur

To run the sample in Visual Studio, set the example project as the Startup Project. To do so, in the Solution Explorer right click over example and select Set as Startup Project.

Usage: Example  <applianceURL>
                <applianceCertificatePath>
                <accountName>
                <username>
                <password>
                <variableId>
                <hostFactoryToken>

applianceURL: the applianceURL e.g. https://conjur.myorg.com/

applianceCertificatePath: the path and name of the Secrets Manager appliance certificate. The easiest way to get the certifiate is to use the Secrets Manager CLI command conjur init -u <applianceURL> -a <accountName> which will save the cert to ~/conjur-server.pem. The certificate can be taken from any system you have run the Secrets Manager CLI from.

accountName: The name of the account in Secrets Manager.

username: Username of a user in Secrets Manager. Alternatively can be a hostname.

password: Password of a user in Secrets Manager. Alternatively can be a host apiKey.

variableId: The name of an existing variable in Secrets Manager that has a value set and for which the username has execute permissions.

hostFactoryToken: A host factory token. The easiest way to get a host factory token for testing is to add a hostfactory to a layer using the Secrets Manager CLI command conjur hostfactory create and conjur hostfactory token create. Take the token returned from that call and pass it as the hostFactoryToken parameter to this example.

Example Code with AWS Authenticator

This example code shows how to configure and use the AWS authenticator.

Note: The IAM role may need to have the AssumeRole permissions

// Assuming the conjur api dotnet code is `git clone`d, then 
// add a reference to it in your project:
// dotnet add conjapp.csproj reference ../conjur-api-dotnet/conjur-api/
using Conjur;

namespace ConjurApp
{
    internal class Program
    {
        public static void Main()
        {
            string roleArnToAssume = "arn:aws:iam::12345:role/MyIAMRole";
            string variableId = "data/vault/myapplication/mypasswordtype/password";

            string conjurApiUri = "https://conjur.example/api";
            string conjurAccount = "conjur";
            string conjurIdentity = "host/data/myhost/12345/MyIAMRole";
            string conjurAuthenticator = "authn-iam/myauthenticatorname";

            Conjur.Client conjurClient = new Conjur.Client(conjurApiUri, conjurAccount);

            conjurClient.Authenticator = new Conjur.AWSIAMAuthenticator(
                conjurClient,
                conjurIdentity,
                conjurAuthenticator,
                roleArnToAssume);

            Conjur.Variable conjurVariable = conjurClient.Variable(variableId);
            var value = conjurVariable.GetValue();
            Console.WriteLine("Variable - {0} = {1}", variableId, value);
        }
    }
}

Contributing

We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our contributing guide.

License

This repository is licensed under Apache License 2.0 - see LICENSE for more details.

About

.NET client for the CyberArk Secrets Manager API

Topics

core dotnet api-client conjur conjur-core conjbot-notify conjur-sdk

Resources

Readme

License

Apache-2.0 license

Contributing

Contributing

Security policy

Security policy
Activity
Custom properties

Stars

17 stars

Watchers

21 watching

Forks

12 forks
Report repository

Releases 10

v3.1.1 Latest
Sep 17, 2025
+ 9 releases

Packages

No packages published

Contributors 28
+ 14 contributors

Languages