cyberark.pas.cyberark_account – Module for CyberArk Account object creation, deletion, and modification using PAS Web Services SDK.
Note
This plugin is part of the cyberark.pas collection (version 1.0.13). You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run: ansible-galaxy collection list
To install it, use: ansible-galaxy collection install cyberark.pas
To use it in a playbook, specify: cyberark.pas.cyberark_account
New in cyberark.pas version 2.4
Synopsis
Creates a URI for adding, deleting, or modifying a privileged credential within the CyberArk Vault. The request uses the Privileged Account Security Web Services SDK.
Parameters
Parameter | Comments
---|---
address | The address of the endpoint where the privileged account is located.
api_base_url | A string containing the base URL of the server hosting CyberArk's Privileged Account Security Web Services SDK. Example: https://<IIS_Server_Ip>/PasswordVault/api/
cyberark_session | Dictionary set by a CyberArk authentication containing the different values needed to perform actions on a logged-on CyberArk session; see the cyberark_authentication module for an example of cyberark_session.
identified_by | When an API call is made to Get Accounts, the default parameters passed often identify more than one account. This parameter is used to confidently identify a single account when the default query can return multiple results. Default: "username,address,platform_id"
logging_file | Sets the log file name and location for troubleshooting logs. Default: "/tmp/ansible_cyberark.log"
logging_level | Parameter used to define the level of troubleshooting output. Choices:
name | The ObjectID of the account.
new_secret | The new secret/password to be stored in the CyberArk Vault.
platform_account_properties | Object containing key-value pairs to associate with the account, as defined by the account platform. These properties are validated against the mandatory and optional properties of the specified platform's definition. Optional properties that do not exist on the account will not be returned here. Internal properties are not returned.
platform_account_properties (each key) | Freeform key value associated to the mandatory or optional property assigned to the specified platform's definition.
platform_id | The PolicyID of the Platform that is to be managing the account.
remote_machines_access | Set of parameters for defining PSM endpoint access targets.
remote_machines_access.access_restricted_to_remote_machines | Whether or not to restrict access only to specified remote machines. Choices:
remote_machines_access.remote_machines | List of targets allowed for this account.
safe | The safe in the Vault where the privileged account is to be located.
secret | The initial password for the creation of the account.
secret_management | Set of parameters associated with the management of the credential.
secret_management.automatic_management_enabled | Parameter that indicates whether the CPM will manage the password or not. Choices:
secret_management.management_action | CPM action flag to be placed on the account object for credential rotation. Choices:
secret_management.manual_management_reason | String value indicating why the CPM will NOT manage the password.
secret_management.new_secret | The actual password value that will be assigned for the CPM action to be taken.
secret_management.perform_management_action | Choices:
secret_type | The value that identifies what type of account it will be. Choices:
state | Assert the desired state of the account. Choices:
username | The username associated with the account.
validate_certs | If Choices:
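As an added illustration (not code from the cyberark.pas collection), the identified_by rule from the table above applied in Python to a Get Accounts response: the module-option-to-API-field mapping and the sample accounts are assumptions, and the selector refuses to pick when more than one account matches.

```python
from typing import Dict, List, Optional

# Module option name -> field name in a Get Accounts result (assumed mapping).
FIELD_MAP = {"address": "address", "username": "userName",
             "platform_id": "platformId", "safe": "safeName", "name": "name"}
DEFAULT_IDENTIFIED_BY = "username,address,platform_id"  # module default


class AmbiguousAccount(Exception):
    """More than one account satisfied every identified_by field."""


def matching_accounts(accounts: List[Dict], params: Dict,
                      identified_by: str = DEFAULT_IDENTIFIED_BY) -> List[Dict]:
    """Keep only the entries whose fields equal every identified_by option."""
    keys = [k.strip() for k in identified_by.split(",") if k.strip()]
    missing = [k for k in keys if params.get(k) is None]
    if missing:  # an unset identifying field can never pin down one account
        raise ValueError("identified_by needs values for: " + ", ".join(missing))
    return [a for a in accounts
            if all(str(a.get(FIELD_MAP.get(k, k), "")) == str(params[k])
                   for k in keys)]


def select_account(accounts: List[Dict], params: Dict,
                   identified_by: str = DEFAULT_IDENTIFIED_BY) -> Optional[Dict]:
    """Single match, None if absent; raise rather than guess when several match,
    so a change or delete is never applied to the wrong credential."""
    matches = matching_accounts(accounts, params, identified_by)
    if len(matches) > 1:
        raise AmbiguousAccount("%d accounts match identified_by=%r; add a "
                               "field such as platform_id" % (len(matches), identified_by))
    return matches[0] if matches else None


def plan_action(existing: Optional[Dict], state: str) -> str:
    """What the module would do for the requested state."""
    if state == "present":
        return "update" if existing else "add"
    return "delete" if existing else "nothing"


# Constructed sample of a Get Accounts response (not real data): the same
# address/username exists on two platforms, which "address,username" alone
# cannot resolve but the default identified_by can.
SAMPLE_ACCOUNTS = [
    {"id": "25_21", "safeName": "Test", "address": "cyberark.local",
     "userName": "administrator-x", "platformId": "WinServerLocal"},
    {"id": "25_22", "safeName": "Test", "address": "cyberark.local",
     "userName": "administrator-x", "platformId": "UnixSSH"},
]
```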
Examples
```yaml
collections:
  - cyberark.pas

tasks:
  - name: Logon to CyberArk Vault using PAS Web Services SDK
    cyberark_authentication:
      api_base_url: "http://components.cyberark.local"
      validate_certs: no
      username: "bizdev"
      password: "Cyberark1"

  - name: Creating an Account using the PAS WebServices SDK
    cyberark_account:
      logging_level: DEBUG
      identified_by: "address,username"
      safe: "Test"
      address: "cyberark.local"
      username: "administrator-x"
      platform_id: WinServerLocal
      secret: "@N&Ibl3!"
      platform_account_properties:
        LogonDomain: "cyberark"
        OwnerName: "ansible_user"
      secret_management:
        automatic_management_enabled: true
      state: present
      cyberark_session: "{{ cyberark_session }}"
    register: cyberarkaction

  - name: Rotate credential via reconcile, providing the password to be changed to
    cyberark_account:
      identified_by: "address,username"
      safe: "Domain_Admins"
      address: "prod.cyberark.local"
      username: "admin"
      platform_id: WinDomain
      platform_account_properties:
        LogonDomain: "PROD"
      secret_management:
        new_secret: "Ama123ah12@#!Xaamdjbdkl@#112"
        management_action: "reconcile"
        automatic_management_enabled: true
      state: present
      cyberark_session: "{{ cyberark_session }}"
    register: reconcileaccount

  - name: Logoff from CyberArk Vault
    cyberark_authentication:
      state: absent
      cyberark_session: "{{ cyberark_session }}"
```
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key | Description
---|---
changed | Identifies whether the playbook run resulted in a change to the account in any way. Returned: always
failed | Whether the playbook run resulted in a failure of any kind. Returned: always
result | A JSON dump of the resulting action. Returned: success
result.address | The address of the endpoint where the privileged account is located. Returned: successful addition and modification. Sample: "dev.local"
result.createdTime | Timeframe calculation of the timestamp of account creation. Returned: successful addition and modification. Sample: "1567824520"
result.id | Internal ObjectID for the account object identified. Returned: successful addition and modification. Sample: "25_21"
result.name | The external ObjectID of the account. Returned: successful addition and modification. Sample: ["Operating System-WinServerLocal-cyberark.local-administrator"]
result.platformAccountProperties | Object containing key-value pairs to associate with the account, as defined by the account platform. Returned: successful addition and modification
result.platformAccountProperties (each key) | Object containing key-value pairs to associate with the account, as defined by the account platform. Returned: successful addition and modification. Sample: [{"LogonDomain": "cyberark"}, {"Port": "22"}]
result.platformId | The PolicyID of the Platform that is to be managing the account. Returned: successful addition and modification. Sample: "WinServerLocal"
result.safeName | The safe in the Vault where the privileged account is to be located. Returned: successful addition and modification. Sample: "Domain_Admins"
result.secretManagement | Set of parameters associated with the management of the credential. Returned: successful addition and modification. Sample: {"automaticManagementEnabled": {"description": ["Parameter that indicates whether the CPM will manage the password or not."], "returned": "successful addition and modification", "type": "bool"}, "lastModifiedTime": {"description": ["Timeframe calculation of the timestamp of account modification."], "returned": "successful addition and modification", "sample": "1567824520", "type": "int"}, "manualManagementReason": {"description": null, "returned": "if C(automaticManagementEnabled) is set to false", "sample": "This is a static account", "type": "str"}}
result.secretType | The value that identifies what type of account it will be. Returned: successful addition and modification. Sample: ["key", "password"]
result.userName | The username associated with the account. Returned: successful addition and modification. Sample: "administrator"
status_code | Result HTTP status code. Returned: success. Sample: "200, 201, -1, 204"
Authors
CyberArk BizDev (@cyberark-bizdev)
Edward Nunez (@enunez-cyberark)
James Stutes (@jimmyjamcabd)