This step template allows a workload running in Octopus Deploy or Octopus Server to authenticate with Conjur and retrieve secrets from Conjur variables, making them available as sensitive output variables in a deployment process.
This repo is a Certified level project. It's been reviewed by CyberArk to verify that it will securely work with CyberArk Enterprise as documented. In addition, CyberArk offers Enterprise-level support for these features. For more detailed information on our certification levels, see our community guidelines.
- Octopus Deploy or Octopus Server 2025.1 and later
- Conjur Open Source, Enterprise, or Cloud
This step template is designed to authenticate workloads running in Octopus Deploy/Octopus Server by leveraging the Generic OIDC Account feature. This exposes a JWKS endpoint and makes a signed JWT credential available to individual workloads when the account is added to the deployment process as a variable.
NOTE: If using Octopus Server, there may be additional configuration required to expose the JWKS endpoint. Alternatively,
you can use the public-keys authenticator variable if Conjur cannot establish connectivity to this endpoint.
- Create the Generic OIDC Account
- Navigate to: Manage > Accounts > Add Account > Generic OIDC
- Configure the account (example values provided below)
- Name:
Conjur Account - Description:
Issues tokens for workload authentication to Conjur - Subject Claim:
space, project, environment(default, recommended to include at least these three identifiers) - Audience:
conjur
- Name:
- Save the account
- Add the Generic OIDC Account to a deployment process as a variable
- Navigate to: Projects > Your Project > Project variables
- Add a new variable referencing the account created in step 1: Enter Value > Change Type > Generic OIDC Account > Conjur Account
- Save the project variables
At runtime, the Octopus server will issue a JWT to represent the workload based on the configuration above. Make note of the
expected aud, iss, and sub values in order configure the JWT authenticator and host identity in Conjur. If using the example
values from above it may look like:
{
"aud": "conjur",
"iss": "https://mycompany.octopus.app",
"exp": 1745511648,
"iat": 1745508048,
"nbf": 1745508048,
"jti": "4d32d71c71c54f2f8d6cfab506b73981",
"sub": "space:default:project:get-secrets:environment:development"
}NOTE: By default, Octopus includes space, project, and environment in the JWT subject, as in the example token above. It is recommended to include at least these three fields to ensure each Octopus workload will have a unique subject identifier. This allows Conjur to enforce fine-grained access control based on host identity.
- !policy
id: conjur/authn-jwt/octopus
body:
- !webservice
# Authenticator variables
- !variable jwks-uri
- !variable issuer
- !variable token-app-property
- !variable identity-path
# Group of applications that can authenticate using this JWT Authenticator
- !group authenticatable
- !permit
role: !group authenticatable
privilege: [ read, authenticate ]
resource: !webservice- !policy
id: octopus-apps
body:
- !group
- &hosts
- !host
id: space:default:project:get-secrets:environment:development # Replace with the expected `sub` value from the JWT
annotations:
authn-jwt/octopus/sub: space:default:project:get-secrets:environment:development
# Add additional hosts as needed
- !grant
role: !group
members: *hosts
# Allow octopus-apps group to use the authenticator
- !grant
role: !group authn-jwt/octopus/authenticatable
members: !group octopus-appsIt is recommended to retrieve the step template from the Community step template library.
| Field | Variable Name | Input Type & Default | Required | Example Value | Description |
|---|---|---|---|---|---|
| Secrets Manager URL | CyberArk.SecretsManager.Url |
Single-line text box | Yes | https://conjur.mycompany.com |
Base URL for the Conjur server (add /api for Conjur Cloud) |
| Authenticator Service ID | CyberArk.SecretsManager.ServiceId |
Single-line text box (default=octopus) |
No | octopus |
Service ID of the JWT authenticator instance |
| Secrets Manager Account | CyberArk.SecretsManager.Account |
Single-line text box (default=conjur) |
No | conjur |
Conjur account specified during configuration (only for OSS/Enterprise) |
| OIDC Account | CyberArk.SecretsManager.Jwt |
Generic OIDC Account | Yes | #{token-account} |
Octopus variable referencing the configured Generic OIDC Account |
| Secrets Manager Variables | CyberArk.SecretsManager.Variables |
Multi-line text box | Yes | secrets/db/username | db_usernamesecrets/db/host |
Multiline input of Conjur variable IDs and optional output variable names. If none is provided, the Conjur variable ID will be used as output. |
| Trusted Server Certificate | CyberArk.SecretsManager.Certificate |
Multi-line text box | No | -----BEGIN CERTIFICATE-----MIIDdTCC...-----END CERTIFICATE----- |
Provide a custom server certificate to trust TLS connection with Conjur (e.g., self-signed certs). |
| Print Output Variable Names | CyberArk.SecretsManager.PrintVariableNames |
Checkbox (default=false) |
No | False |
Whether to log the output variable names after execution. |
Sensitive output variables will be populated based on the Variable IDs and optional output variable names provided during configuration. They can be retrieved in subsequent deployment steps using the following methods:
$OctopusParameters["Octopus.Action[CyberArk Secrets Manager - Retrieve Secrets (JWT)].Output.custom_output_variable_name"]
$OctopusParameters["Octopus.Action[CyberArk Secrets Manager - Retrieve Secrets (JWT)].Output.data/secrets/db/username"]$(get_octopusvariable "Octopus.Action[CyberArk Secrets Manager - Retrieve Secrets (JWT)].Output.custom_output_variable_name")
$(get_octopusvariable "Octopus.Action[CyberArk Secrets Manager - Retrieve Secrets (JWT)].Output.data/secrets/db/username")get_octopusvariable("Octopus.Action[CyberArk Secrets Manager - Retrieve Secrets (JWT)].Output.custom_output_variable_name")
get_octopusvariable("Octopus.Action[CyberArk Secrets Manager - Retrieve Secrets (JWT)].Output.data/secrets/db/username")- If multiple secrets are mapped to the same output variable the last secret will be used, with any previous secrets being overwritten.
- If one secret is inaccessible or doesn't exist, the step will fail and no secrets will be retrieved. This is due to the all-or-nothing nature of the batch retrieval endpoint.
We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our contributing guide.
Please open an issue in this repository for any questions or issues you may have. For general support, please visit the CyberArk Commons forum.
Note: Only the CyberArk GitHub repository is actively monitored. Issues opened on the version mirrored to Octopus Deploy's Step Template Library will not be addressed.
Copyright (c) 2025 CyberArk Software Ltd. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an " AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
For the full license text see LICENSE.