-
Notifications
You must be signed in to change notification settings - Fork 39
/
cyberark_credential.md
127 lines (113 loc) · 4.34 KB
/
cyberark_credential.md
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
# cyberark_credential
Creates a URI for retrieving a credential from a password object stored in the Cyberark Vault. The request uses the Privileged Account Security Web Services SDK through the Central Credential Provider by requesting access with an Application ID.
**Requirements:**
- CyberArk AAM Central Credential Provider
- ApplicationID with the following permissions on the safe containing the credential being requested:
- List Accounts
- Retrieve Accounts
> **NOTE:** The CCP's Provider user (Prov_hostaname) needs to have the following permissions on the safe containing the credential being requested:
>> List Accounts<br>
>> Retrieve Accounts<br>
>> View Safe Members<br>
## Query
This field is semicolon delimited value that is the exact syntax that goes in the URI<br>
If you use the `object` parameter then there is no need to use any other parameter as the ObjectID is a unique value.<br>
**Example:**
```
query: "Safe=test;UserName=admin"
OR
query: "Object=OperatingSystem-administrator-dev.local"
```
## Available Fields
```
options:
api_base_url:
description:
- A string containing the base URL of the server hosting the Central Credential Provider
required: true
type: string
validate_certs:
description:
- If C(false), SSL certificate chain will not be validated. This should only set to C(true) if you have a root CA certificate installed on each node.
type: bool
required: false
default: false
type: bool
app_id:
description:
- A string containing the Application ID authorized for retrieving the credential
required: true
type: string
query:
description:
- A string containing details of the object being queried
required: true
parameters:
Safe=<safe name>
Folder=<folder name within safe>
Object=<object name>
UserName=<username of object>
Address=<address listed for object>
Database=<optional file category for database objects>
PolicyID=<platform id managing object>
connection_timeout:
description:
- An integer value of the allowed time before the request returns failed
required: false
default: '30'
type: integer
query_format:
description:
- The format for which your Query will be received by the CCP
required: false
default: 'Exact'
choices: [Exact, Regexp]
type: choice
fail_request_on_password_change:
description:
- A boolean parameter for completing the request in the middle of a password change of the requested credential
required: false
default: false
type: bool
client_cert:
description:
- A string containing the file location and name of the client certificate used for authentication
required: false
type: string
client_key:
description:
- A string containing the file location and name of the private key of the client certificate used for authentication
required: false
type: string
reason:
description:
- Reason for requesting credential if required by policy
required: false
type: string
```
## Example Playbooks
```yaml
- name: credential retrieval basic
cyberark_credential:
api_base_url: "http://10.10.0.1"
app_id: "TestID"
query: "Safe=test;UserName=admin"
register: result
result:
{ api_base_url }"/AIMWebService/api/Accounts?AppId="{ app_id }"&Query="{ query }
- name: credential retrieval advanced
cyberark_credential:
api_base_url: "https://components.cyberark.local"
validate_certs: true
client_cert: /etc/pki/ca-trust/source/client.pem
client_key: /etc/pki/ca-trust/source/priv-key.pem
app_id: "TestID"
query: "Safe=test;UserName=admin"
connection_timeout: 60
query_format: Exact
fail_request_on_password_change: true
reason: "requesting credential for Ansible deployment"
register: result
result:
{ api_base_url }"/AIMWebService/api/Accounts?AppId="{ app_id }"&Query="{ query }"&ConnectionTimeout="{ connection_timeout }"&QueryFormat="{ query_format }"&FailRequestOnPasswordChange="{ fail_request_on_password_change }
```