cyberark.password_lookup_plugin

CyberArk Password Plugin
========================

The CyberArk password lookup plugin retrieves credentials from the CyberArk Digital Vault using AIM.

For Ansible on Windows, change the dash-style parameters (-p, -d, and -o) to the Windows slash-style parameters (/p, /d, and /o). You'll also need to adjust the location of CLIPasswordSDK.exe.

Note: If this plugin isn't included in core Ansible, add the following path to lookup_plugins in your ansible.cfg file: /etc/ansible/roles/cyberark.cyberark_password_lookup_plugin/lookup_plugins

Requirements


  • CyberArk Application Identity Manager (AIM) Credential Provider on the Ansible server.
  • CyberArk AIM must be installed with the AIM CLI Password SDK executable at /opt/CARKaim/sdk/clipasswordsdk; otherwise, set the environment variable AIM_CLIPASSWORDSDK_CMD to the path of that executable.

Plugin Usage


To use the plugin, you can write:

{{ lookup("cyberarkpassword", {"appid": "app_ansible", "query": "safe=CyberArk_Passwords;folder=root;object=AdminPass",
                               "output": "Password,PassProps.UserName,PassProps.Address,PasswordChangeInProcess"}) }}

OR in YAML format:

with_cyberarkpassword:
  appid: 'app_ansible'
  query: 'safe=CyberArk_Passwords;folder=root;object=AdminPass'
  output: 'Password,PassProps.UserName,PassProps.Address,PasswordChangeInProcess'

Plugin Arguments


  • appid (str): This is the unique ID of the application making the password request.
  • query (str): This specifies the criteria for selecting the password.
  • output (str): This lists the output fields you want, separated by commas. Possible values are: Password, PassProps.<property>, PasswordChangeInProcess.

You can also include extra parameters recognized by clipasswordsdk (like FailRequestOnPasswordChange, Queryformat, Reason, etc.).

Plugin Return


  • dict: This will return a dictionary with the key 'password' for the credential, along with passprops.<property> and passwordchangeinprocess.

If the requested property doesn’t exist, it will return <na>. If the property value is empty, it will return <null>.

For additional parameter values, refer to the parameters for clipasswordsdk in CyberArk's "Credential Provider and ASCP Implementation Guide."

Example Playbook


Here’s an example playbook for retrieving credentials from the CyberArk Digital Vault using the CyberArk password lookup plugin:

---
- hosts: localhost

  tasks:
    - debug:
        msg: '{{ item }}'
      with_cyberarkpassword:
        appid: 'app_ansible'
        query: 'safe=CyberArk_Passwords;folder=root;object=AdminPass'
        output: 'Password,PassProps.UserName,PassProps.Address,PasswordChangeInProcess'

    - debug:
        msg: '{{ lookup("cyberarkpassword", {"appid": "app_ansible", "query": "safe=CyberArk_Passwords;folder=root;object=AdminPass", "output": "Password,PassProps.UserName,PassProps.Address,PasswordChangeInProcess"}) }}'
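
The playbook above prints the returned dictionary with debug. The following added example (not part of the plugin's own documentation) stores the same lookup once with set_fact, checks it for the <na> and <null> placeholders described under Plugin Return, and passes it on with no_log so the value stays out of task output. The lowercase property keys, the true/false form of PasswordChangeInProcess, and the group name vaulted_targets are assumptions made for illustration.

```yaml
---
- hosts: localhost
  gather_facts: false

  tasks:
    # set_fact evaluates the lookup once, so later tasks reuse the result
    # instead of calling the Credential Provider again on every reference.
    - name: Retrieve the credential and keep it out of task output
      set_fact:
        cyberark_cred: '{{ lookup("cyberarkpassword", {"appid": "app_ansible", "query": "safe=CyberArk_Passwords;folder=root;object=AdminPass", "output": "Password,PassProps.UserName,PassProps.Address,PasswordChangeInProcess"}) }}'
      no_log: true

    # Keys are written in lowercase as listed under Plugin Return; the exact
    # key for each PassProps property (passprops.username, passprops.address)
    # is an assumption. Bracket notation is needed because the keys contain dots.
    - name: Stop if a field is a placeholder or the password is being changed
      assert:
        that:
          - "cyberark_cred['password'] not in ['<na>', '<null>']"
          - "cyberark_cred['passprops.username'] not in ['<na>', '<null>']"
          - "cyberark_cred['passprops.address'] not in ['<na>', '<null>']"
          # Assumes the field is returned as a true/false string.
          - "not (cyberark_cred['passwordchangeinprocess'] | bool)"
        quiet: true
      no_log: true

    # vaulted_targets is a hypothetical group name used by a later play.
    - name: Pass the credential to a later play as connection variables
      add_host:
        name: "{{ cyberark_cred['passprops.address'] }}"
        groups: vaulted_targets
        ansible_user: "{{ cyberark_cred['passprops.username'] }}"
        ansible_password: "{{ cyberark_cred['password'] }}"
      no_log: true
```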

License


MIT

Author Information


About the project

cyberarkpassword lookup plugin to retrieve credentials from CyberArk Digital Vault using AIM.

Install
ansible-galaxy install cyberark.password_lookup_plugin
License
mit
Downloads
1.4k
Owner
CyberArk, the undisputed leader in Privileged Account Security, secures secrets used by machines and users to protect traditional and cloud-native apps.