modules

cyberark_modules

Role to add CyberArk modules -- If not available from ansible core, or to get the latest.

Requirements

  • CyberArk Privileged Account Security Web Services SDK.
  • CyberArk AIM Central Credential Provider

Role Variables

None.

Provided Modules

  • cyberark_authentication: Module for CyberArk Vault Authentication using Privileged Account Security Web Services SDK
  • cyberark_user: Module for CyberArk User Management using Privileged Account Security Web Services SDK
  • cyberark_credential: Module for CyberArk credential retrieval using Cyberark Central Credential Provider.

NOTE: For access to the cyberark_credential functionality, the library/cyberark_credential.py file will need to be added to the Ansible modules directory of the Ansible server.

Example Playbook

  1. Example playbook showing the use of cyberark_authentication module for logon and logoff without using shared logon authentication.
---
- hosts: localhost

  roles:

    - role: cyberark.modules

  tasks:

    - name: Logon to CyberArk Vault using PAS Web Services SDK
      cyberark_authentication:
        api_base_url: "https://components.cyberark.local"
        validate_certs: no
        username: "testuser"
        password: "Cyberark1"


    - name: Debug message
      debug:
        var: cyberark_session


    - name: Logoff from CyberArk Vault
      cyberark_authentication:
        state: absent
        cyberark_session: "{{ cyberark_session }}"

    - name: Debug message
      debug: var=cyberark_session
  1. Example playbook showing the use of cyberark_user module to create a user.
---
- hosts: localhost

  roles:

    - role: cyberark.modules

  tasks:

    - name: Logon to CyberArk Vault using PAS Web Services SDK
      cyberark_authentication:
        api_base_url: "https://components.cyberark.local"
        validate_certs: false
        use_shared_logon_authentication: true

    - name: Debug message
      debug:
        var: cyberark_session

    - name: Create User
      cyberark_user:
        username: "testuser2"
        initial_password: "Cyberark1"
        user_type_name: "EPVUser"
        change_password_on_the_next_logon: false
        group_name: "TestGroup"
        state: present
        cyberark_session: "{{ cyberark_session }}"
      register: cyberarkaction

    - debug: msg="{{cyberarkaction.cyberark_user.result}}"
      when: cyberarkaction.status_code == 201

    - name: Logoff from CyberArk Vault
      cyberark_authentication:
        state: absent
        cyberark_session: "{{ cyberark_session }}"

    - name: Debug message
      debug: var=cyberark_session
  1. Example playbook showing the use of cyberark_user module to reset's a user credential.
---
- hosts: localhost

  roles:

    - role: cyberark.modules

  tasks:

    - name: Logon to CyberArk Vault using PAS Web Services SDK
      cyberark_authentication:
        api_base_url: "https://components.cyberark.local"
        validate_certs: false
        use_shared_logon_authentication: true

    - name: Debug message
      debug:
        var: cyberark_session

    - name: Reset user credential
      cyberark_user:
        username: "testuser2"
        new_password: "Cyberark123"
        disabled: false
        state: present
        cyberark_session: "{{ cyberark_session }}"
      register: cyberarkaction

    - debug: msg="{{cyberarkaction.cyberark_user.result}}"
      when: cyberarkaction.status_code == 200

    - name: Logoff from CyberArk Vault
      cyberark_authentication:
        state: absent
        cyberark_session: "{{ cyberark_session }}"

    - name: Debug message
      debug: var=cyberark_session
  1. Example playbook showing the use of cyberark_user module to add user to a group (only during creation).
---
- hosts: localhost

  roles:

    - role: cyberark.modules

  tasks:

    - name: Logon to CyberArk Vault using PAS Web Services SDK
      cyberark_authentication:
        api_base_url: "https://components.cyberark.local"
        validate_certs: false
        use_shared_logon_authentication: true

    - name: Debug message
      debug:
        var: cyberark_session

    - name: Add user to group
      cyberark_user:
        username: "testuser2"
        initial_password: "Cyberark1"
        group_name: "TestGroup"
        state: present
        cyberark_session: "{{ cyberark_session }}"
      register: cyberarkaction

    - debug: msg="{{cyberarkaction}}"

    - name: Logoff from CyberArk Vault
      cyberark_authentication:
        state: absent
        cyberark_session: "{{ cyberark_session }}"

    - name: Debug message
      debug: var=cyberark_session
  1. Example playbook showing the use of cyberark_user module to delete a user.
---
- hosts: localhost

  roles:

    - role: cyberark.modules

  tasks:

    - name: Logon to CyberArk Vault using PAS Web Services SDK
      cyberark_authentication:
        api_base_url: "https://components.cyberark.local"
        validate_certs: false
        use_shared_logon_authentication: true

    - name: Debug message
      debug:
        var: cyberark_session

    - name: Remove  User
      cyberark_user:
        username: "testuser2"
        state: absent
        cyberark_session: "{{ cyberark_session }}"
      register: cyberarkaction

    - debug: msg="{{cyberarkaction}}"

    - name: Logoff from CyberArk Vault
      cyberark_authentication:
        state: absent
        cyberark_session: "{{ cyberark_session }}"

    - name: Debug message
      debug: var=cyberark_session
  1. Example of a basic playbook showing the minimum needed to use the cyberark_credential module for retrieval of credentials using the Central Credential Provider.
---
- hosts: localhost

  tasks:

    - name: credential retrieval basic
      cyberark_credential:
        api_base_url: "http://10.10.0.1"
        app_id: "TestID"
        query: "Safe=test;UserName=admin"
      register: {{ result }}
      no_log: true


    - name: Debug message
      debug: 
        var: {{ result }}
  1. Example of a more advanced playbook outlining the use of all of the parameters available when using the cyberark_credential module for retrieval of credentials using the Central Credential Provider.
---
- hosts: localhost
    
  tasks:

    - name: credential retrieval advanced
      cyberark_credential:
        api_base_url: "https://components.cyberark.local"
        validate_certs: yes
        client_cert: /etc/pki/ca-trust/source/client.pem
        client_key: /etc/pki/ca-trust/source/priv-key.pem
        app_id: "TestID"
        query: "Safe=test;UserName=admin"
        connection_timeout: 60
        query_format: Exact
        fail_request_on_password_change: True
        reason: "requesting credential for Ansible deployment"
      register: {{ result }}
      no_log: true


    - name: Debug message
      debug: 
        var: {{ result }}

License

MIT

Author Information

About

CyberArk Ansible Modules for Authentication, User Management, and Credential Retrieval using AIM Central Credential Provider's REST API.

Install
ansible-galaxy install cyberark/ansible-modules
GitHub repository
License
mit
Downloads
2232
Owner
CyberArk, the undisputed leader in Privileged Account Security, secures secrets used by machines and users to protect traditional and cloud-native apps.