cyberark.pas.cyberark_credential module – Credential retrieval using AAM Central Credential Provider.
Note
This module is part of the cyberark.pas collection (version 1.0.14).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install cyberark.pas
.
To use it in a playbook, specify: cyberark.pas.cyberark_credential
.
New in version 2.4: of cyberark.pas
Synopsis
Creates a URI for retrieving a credential from a password object stored in the Cyberark Vault. The request uses the Privileged Account Security Web Services SDK through the Central Credential Provider by requesting access with an Application ID.
Parameters
Parameter |
Comments |
---|---|
A string containing the base URL of the server hosting the Central Credential Provider. |
|
A string containing the Application ID authorized for retrieving the credential. |
|
A string containing the file location and name of the client certificate used for authentication. |
|
A string containing the file location and name of the private key of the client certificate used for authentication. |
|
An integer value of the allowed time before the request returns failed. Default: “30” |
|
A boolean parameter for completing the request in the middle of a password change of the requested credential. Choices:
|
|
A string containing details of the object being queried; Possible parameters could be Safe, Folder, Object (internal account name), UserName, Address, Database, PolicyID. |
|
The format for which your Query will be received by the CCP. Choices:
|
|
Reason for requesting credential if required by policy; It must be specified if the Policy managing the object requires it. |
|
If Choices:
|
Examples
tasks:
- name: credential retrieval basic
cyberark_credential:
api_base_url: "http://10.10.0.1"
app_id: "TestID"
query: "Safe=test;UserName=admin"
register: result
- name: credential retrieval advanced
cyberark_credential:
api_base_url: "https://components.cyberark.local"
validate_certs: yes
client_cert: /etc/pki/ca-trust/source/client.pem
client_key: /etc/pki/ca-trust/source/priv-key.pem
app_id: "TestID"
query: "Safe=test;UserName=admin"
connection_timeout: 60
query_format: Exact
fail_request_on_password_change: True
reason: "requesting credential for Ansible deployment"
register: result
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
Identify if the playbook run resulted in a change to the account in any way. Returned: always |
|
Whether playbook run resulted in a failure of any kind. Returned: always |
|
A json dump of the resulting action. Returned: success |
|
The target address of the credential being queried Returned: if required |
|
The password for the object being queried Returned: always |
|
A description of why this vaulted credential is not being managed by the CPM. Returned: if CPM management is disabled and a reason is given |
|
This is how the object was created in the Vault Returned: always |
|
An internal File Category for more granular management of Platforms. Returned: always |
|
The folder within the Safe where the credential is stored. Returned: always |
|
The Address friendly name resolved by the CPM Returned: if populated |
|
The Cyberark unique object ID of the credential being queried. Returned: always |
|
If the password has a change flag placed by the CPM Returned: always |
|
Whether or not SSL certificates should be validated. Returned: if assigned to a policy |
|
The safe where the queried credential is stored Returned: always |
|
The username of the credential being queried Returned: if required |
|
Result HTTP Status code. Returned: success Sample: “200, 201, -1, 204” |
Authors
Edward Nunez (@enunez-cyberark)
CyberArk BizDev (@cyberark-bizdev)
Erasmo Acosta (@erasmix)
James Stutes (@JimmyJamCABD)