This section describes YAML syntax as it relates to Conjur policy. For more information about YAML files in general, see the YAML specification.
Conjur policy files are YAML files. They must have a file extension of
Nodes and indentation (no tabs!)
Policy files consist of nodes. The syntax for the start of a node is `- !tagname`:

- Each node starts with a dash (hyphen) and a space.
- Nodes can include child nodes; indentation indicates scope.

For example:
```yaml
- !policy
  id: my-policy
  body:
    - !layer
    - !host
      owner: !layer
      id: my-host-1
    - !host
      owner: !layer
      id: my-host-2
```
A tag is an explicit type and is indicated with an exclamation mark. For example:

- `!policy` indicates a resource record of kind `policy` and a role record of kind `policy`.
- `!user` indicates a resource record of kind `user` and a role record of kind `user`.
- `!grant` indicates a record of kind `grant`.
This Policy Statement Reference describes all of the valid tags in Conjur policy.
- Tags must be used at the beginning of a node to define the type of node.
- The space between the dash and the exclamation point of the tag is required.
- There must NOT be a space between the exclamation point and the tag name.
Tags are also used within the value part of a `key: value` pair, to define the type of value being supplied.
```yaml
- !policy
  id: my-policy
  owner: !group admins
```
A node can contain mappings. A mapping is a `key: value` pair. Always include a space after the colon in a `key: value` pair.
```yaml
- !policy
  owner: !group admins
  id: my-host-1
```
A mapping node consists of a key followed by a colon, with one or more unordered `key: value` pairs on separate lines. In the following example, `annotations:` is the key marking the start of the mapping node. The key-value pairs in a mapping node must be indented consistently under the mapping node name.
```yaml
- !user
  id: bob
  annotations:
    name: Bob Green
    email: firstname.lastname@example.org
    dept: Org-2
```
Use the `#` character for comments. Comments can appear on the same line as other elements or on a line of their own. A comment line is independent of any indentation levels.
```yaml
#admin user
- !user
  id: bob
  annotations:
    name: Bob Green    #admin user
    email: email@example.com
    dept: Org-2
```
A collection of nodes of the same type can increase readability of your policy. The tag for a collection node starts with the "&" rather than the "!". The tag itself is plural. The members of the collection are indented under it.
```yaml
- !policy
  id: frontend
  body:
    - &variables
      - !variable ssl/private_key
      - !variable ssl/certificate
```
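The following Ruby script is an added example, not code from the Conjur documentation or the Conjur project. It reads a policy through Psych's parse tree (`Psych.parse`) so that the custom `!policy`, `!host`, `!variable` and similar tags are seen verbatim instead of being resolved into Ruby objects, and it shows how the syntax rules above translate into node structure: a tag on a sequence item defines a record (either the `- !variable id` shorthand or a mapping with an `id:` key), a tag inside a `key: value` pair is a reference such as `owner: !group admins`, and an `&name` anchor on a sequence marks a collection. The `PolicyWalker` module, its method names and the embedded sample policy are all constructed for this example; the `lint` method also reports the two mistakes the text calls out, tab indentation (rejected by the YAML parser) and a missing space after a colon (which silently turns `id:my-policy` into a plain scalar).

```ruby
require 'psych'

# Added example (not Conjur's own code): walk a Conjur-style policy using
# Psych's AST so the "!tag" nodes are read verbatim.
module PolicyWalker
  module_function

  # Returns { definitions: [[kind, id], ...], references: [[kind, id], ...],
  #           collections: [anchor, ...] } in document order.
  # Raises Psych::SyntaxError for invalid YAML (for example, tab indentation).
  def inspect_policy(yaml_text)
    result = { definitions: [], references: [], collections: [] }
    collect(Psych.parse(yaml_text).root, result, true)
    result
  end

  # A local tag such as "!policy" names the record kind; strip the "!".
  def kind_of(node)
    node.tag && node.tag.start_with?('!') ? node.tag.sub(/\A!/, '') : nil
  end

  # as_item is true when the node is an entry of a sequence (a record
  # definition) and false when it is the value of a key (a reference).
  def collect(node, result, as_item)
    kind = kind_of(node)
    bucket = as_item ? result[:definitions] : result[:references]
    case node
    when Psych::Nodes::Scalar
      return unless kind
      # "- !layer" with no value parses as a tagged empty scalar.
      bucket << [kind, node.value.empty? ? nil : node.value]
    when Psych::Nodes::Mapping
      pairs = node.children.each_slice(2).to_a # [key_node, value_node] pairs
      if kind
        id_node = pairs.find { |k, _| k.value == 'id' }&.last
        bucket << [kind, id_node&.value]
      end
      pairs.each { |_, v| collect(v, result, false) }
    when Psych::Nodes::Sequence
      result[:collections] << node.anchor if node.anchor # e.g. "&variables"
      node.children.each { |c| collect(c, result, true) }
    end
  end

  # Returns a list of warnings; an id containing ':' almost always means the
  # space after the colon in a "key: value" pair was left out.
  def lint(yaml_text)
    inspect_policy(yaml_text)[:definitions].each_with_object([]) do |(kind, id), warnings|
      warnings << "#{kind} id #{id.inspect} contains ':' (missing space after colon?)" if id&.include?(':')
    end
  rescue Psych::SyntaxError => e
    ["YAML syntax error: #{e.message}"]
  end
end

# Constructed sample policy combining the forms described in the text.
SAMPLE_POLICY = <<~YAML
  #admin user
  - !policy
    id: my-policy
    owner: !group admins
    body:
      - !layer
      - !host
        owner: !layer
        id: my-host-1
      - !user
        id: bob
        annotations:
          name: Bob Green    #admin user
          dept: Org-2
      - &variables
        - !variable ssl/private_key
        - !variable ssl/certificate
YAML

if $PROGRAM_NAME == __FILE__
  PolicyWalker.inspect_policy(SAMPLE_POLICY).each { |k, v| puts "#{k}: #{v.inspect}" }
  puts PolicyWalker.lint("- !policy\n\tid: x\n")
  puts PolicyWalker.lint("- !policy\n  id:my-policy\n")
end
```

Run it with `ruby policy_walker.rb`; the two `lint` calls at the end show that tab indentation is a hard parse error while a missing space after the colon only changes the node shape, which is why a lint step that inspects the parse tree is worth running before loading a policy.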