Conjur attempts to create .netrc file
Summary
https://github.com/cyberark/conjur-api-go/commit/a5397958396aea17d0ffb9cb60419bd6b988bf78 added logic to create a .netrc file if it doesn't exist. This breaks our GitLab CI/CD pipelines, which run on K8S runners with read-only filesystems.
Steps to Reproduce
Run conjur-summon with configuration provided via environment variables with a read-only $HOME.
Expected Results
The utility should fetch secrets just as it did in 0.8.0.
Actual Results
level=error msg="Failed creating a Conjur client: failed to ensure .netrc file exists: open /home/cloud/.netrc: read-only file system\n"
Reproducible
- [x] Always
- [ ] Sometimes
- [ ] Non-Reproducible
Version/Tag number
Environment setup
- Can you describe the environment in which this product is running? Is it running on a VM / in a container / in a cloud? GitLab K8S runner
- Which cloud provider? Which container orchestrator (including version)? AWS, K8S, version unknown
- The more info you can share about your runtime environment, the better we may be able to reproduce the issue. Read-only $HOME suffices.
Additional Information
N/A
As a workaround, I've pointed the .netrc path to /dev/null (echo "netrc_path: /dev/null" > .conjurrc) but it feels quite hacky.
Another workaround would be to add "credential_storage: none" to your .conjurrc file or set the environment variable "CONJUR_CREDENTIAL_STORAGE" to "none". Can you please try these and confirm it works?
We're going to update the documentation to make this use case clearer. Thank you for your report. Tracking internally as CNJR-10891.