Programmatic Golang access to the CyberArk Secrets Manager API.
This repo is a Community level project. It's a community contributed project that is not reviewed or supported by CyberArk. For more detailed information on our certification levels, see our community guidelines.
Are you using this project with Conjur Open Source? Then we strongly recommend choosing the version of this project to use from the latest Conjur OSS suite release. Conjur maintainers perform additional testing on the suite release versions to ensure compatibility. When possible, upgrade your Conjur version to match the latest suite release; when using integrations, choose the latest suite release that matches your Conjur version. For any questions, please contact us on Discourse.
The conjur-api-go has been tested against the following Go versions:
- 1.24
- 1.25
go get github.com/cyberark/conjur-api-go/conjurapiThis example demonstrates how to retrieve a secret from Conjur.
Suppose there exists a variable db/secret with secret value fde5c4a45ce573f9768987cd. Create a Go program using conjur-api-go to fetch the secret value:
package main
import (
"os"
"fmt"
"github.com/cyberark/conjur-api-go/conjurapi"
"github.com/cyberark/conjur-api-go/conjurapi/authn"
)
func main() {
variableIdentifier := "db/secret"
config, err := conjurapi.LoadConfig()
if err != nil {
panic(err)
}
conjur, err := conjurapi.NewClientFromKey(config,
authn.LoginPair{
Login: os.Getenv("CONJUR_AUTHN_LOGIN"),
APIKey: os.Getenv("CONJUR_AUTHN_API_KEY"),
},
)
if err != nil {
panic(err)
}
// Retrieve a secret into []byte.
secretValue, err := conjur.RetrieveSecret(variableIdentifier)
if err != nil {
panic(err)
}
fmt.Println("The secret value is: ", string(secretValue))
// Retrieve a secret into io.ReadCloser, then read into []byte.
// Alternatively, you can transfer the secret directly into secure memory,
// vault, keychain, etc.
secretResponse, err := conjur.RetrieveSecretReader(variableIdentifier)
if err != nil {
panic(err)
}
secretValue, err = conjurapi.ReadResponseBody(secretResponse)
if err != nil {
panic(err)
}
fmt.Println("The secret value is: ", string(secretValue))
}Build and run the program:
$ export CONJUR_APPLIANCE_URL=https://eval.conjur.org
$ export CONJUR_ACCOUNT=myorg
$ export CONJUR_AUTHN_LOGIN=mylogin
$ export CONJUR_AUTHN_API_KEY=myapikey
$ go run main.go
The secret value is: fde5c4a45ce573f9768987cdConnecting to CyberArk Secrets Manager requires two steps:
- Configuration - Specify the CyberArk Secrets Manager endpoint and connection security settings
- Authentication - Provide credentials for authentication
The Conjur Go API supports three credential storage options, configurable via the CredentialStorage field in the Config struct:
conjurapi.CredentialStorageKeyring- Stores credentials in the system keyring (default when available). This is the most secure option for desktop environments.conjurapi.CredentialStorageFile- Stores credentials in a.netrcfile (default when keyring is not available). The.netrcfile location can be customized using theNetRCPathconfig field.conjurapi.CredentialStorageNone- Does not store credentials. Use this option in environments where there are no file permissions to create a.netrcfile, such as restricted containers, read-only filesystems, or ephemeral compute instances.
Note: If no credential storage is specified, the API will automatically select
CredentialStorageKeyringif available, otherwise it will default toCredentialStorageFile.
config := conjurapi.Config{
ApplianceURL: "https://conjur.example.com",
Account: "myorg",
CredentialStorage: conjurapi.CredentialStorageNone,
}
conjur, err := conjurapi.NewClientFromKey(config,
authn.LoginPair{
Login: "mylogin",
APIKey: "myapikey",
},
)The Quick Start example above demonstrates API key authentication using NewClientFromKey(). This is the most common authentication method for legacy applications.
You can authenticate using JWT tokens via environment variables. This method is useful for containerized environments and CI/CD pipelines and is more secure than using API keys.
CONJUR_APPLIANCE_URL- The URL of your Conjur instanceCONJUR_ACCOUNT- Your Conjur account nameCONJUR_AUTHN_JWT_SERVICE_ID- The JWT authenticator service IDCONJUR_AUTHN_JWT_TOKEN- The JWT tokenCONJUR_SECRET_ID- The identifier of the secret to retrieve
package main
import (
"fmt"
"log"
"os"
"github.com/cyberark/conjur-api-go/conjurapi"
)
func checkEnvironmentVariables() error {
variables := []string{
"CONJUR_APPLIANCE_URL",
"CONJUR_ACCOUNT",
"CONJUR_AUTHN_JWT_SERVICE_ID",
"CONJUR_AUTHN_JWT_TOKEN",
"CONJUR_SECRET_ID",
}
for _, variable := range variables {
if os.Getenv(variable) == "" {
return fmt.Errorf("environment variable %s is not set", variable)
}
}
return nil
}
func main() {
// Check for required environment variables
if err := checkEnvironmentVariables(); err != nil {
log.Fatalf("%v", err)
}
// Get the secret ID to retrieve
variableIdentifier := os.Getenv("CONJUR_SECRET_ID")
// Load configuration from environment variables
config, err := conjurapi.LoadConfig()
if err != nil {
log.Fatalf("Cannot load configuration: %s", err)
}
// Create a new Conjur client using environment variables
conjur, err := conjurapi.NewClientFromEnvironment(config)
if err != nil {
log.Fatalf("Cannot create client: %s", err)
}
// Retrieve the secret value from Conjur
secretValue, err := conjur.RetrieveSecret(variableIdentifier)
if err != nil {
log.Fatalf("Cannot retrieve secret %s: %s", variableIdentifier, err)
}
// Print the secret value to stdout
fmt.Printf("%s", string(secretValue))
}We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our contributing guide.
Copyright (c) 2022-2025 CyberArk Software Ltd. All rights reserved.
This repository is licensed under Apache License 2.0 - see LICENSE for more details.