Adding support to retrieve password using the PAS Web Services SDK

[JtMotoX]

Desired Outcome

Allow retrieving passwords using the cyberark_account module which uses the PAS Web Services SDK.

Implemented Changes

Added a 'retrieve' option to the state parameter.

- name: Retrieve account and password
  cyberark.pas.cyberark_account:
    identified_by: "address,username"
    safe: "Domain_Admins"
    address: "prod.cyberark.local"
    username: "admin"
    state: retrieve
    cyberark_session: "{{ cyberark_session }}"
  register: retrieveaccount

Example output (notice the password value is returned in the result):

ok: [localhost] => {
    "retrieve_account": {
        "attempts": 1,
        "changed": false,
        "failed": false,
        "result": {
            "address": "...",
            "categoryModificationTime": ...,
            "createdTime": ...,
            "id": "...",
            "name": "...",
            "password": "...",
            "platformAccountProperties": {},
            "platformId": "...",
            "safeName": "...",
            "secretManagement": {
                "automaticManagementEnabled": ...,
                "lastModifiedTime": ...
            },
            "secretType": "...",
            "userName": "..."
        },
        "status_code": 200
    }
}

Connected Issue/Story

CyberArk Enhancement Request Article Number: 000038582

Definition of Done

At least 1 todo must be completed in the sections below for the PR to be
merged.

Changelog

• The CHANGELOG has been updated, or
• This PR does not include user-facing changes and doesn't require a
  CHANGELOG update

Test coverage

• This PR includes new unit and integration tests to go with the code
  changes, or
• The changes in this PR do not require tests

Documentation

• Docs (e.g. READMEs) were updated in this PR
• A follow-up issue to update official docs has been filed here: [insert issue ID]
• This PR does not require updating any documentation

Behavior

• This PR changes product behavior and has been reviewed by a PO, or
• These changes are part of a larger initiative that will be reviewed later, or
• No behavior was changed with this PR

Security

• Security architect has reviewed the changes in this PR,
• These changes are part of a larger initiative with a separate security review, or
• There are no security aspects to these changes

[infamousjoeg]

I approve these changes. However, I think it’s important to note to the final person who will merge this PR into the main code base that this is an implementation of a REST API Retrieval of a Password directly from the Vault. Technically, this is a sound contribution. Security-wise, I leave it up to future reviewers.

[JtMotoX]

Thanks. We are planning on using conjur to lookup secrets within all of our automation, however, we are creating some automation that will perform the password reset. This password reset automation needs to be able to retrieve directly from CyberArk. A simple example of our automation is as follows: Note: This is to rotate the password that is responsible for Artifactory ldap authentication 1) Retrieve CyberArk user credentials via Conjur 2) Authenticate to CyberArk with your ansible module 3) Trigger a password rotation (reconcile) of our ldap account using your ansible module 4) Retrieve the newly generated password <- This is what we are needing 5) Update Artifactory ldap configuration with new password <- We cannot do this without retrieving the new password

[cyberark-bizdev]

Approved