community.general.cyberarkpassword lookup – get secrets from CyberArk AIM

Note

This lookup plugin is part of the community.general collection (version 5.0.2).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.cyberarkpassword.

Synopsis

  • Get secrets from CyberArk AIM.

Requirements

The below requirements are needed on the local controller node that executes this lookup.

  • CyberArk AIM tool installed

Parameters

Parameter

Comments

_command

string

Cyberark CLI utility.

Default: “/opt/CARKaim/sdk/clipasswordsdk”

Configuration:

  • Environment variable: AIM_CLIPASSWORDSDK_CMD

_extra

string

for extra_params values please check parameters for clipasswordsdk in CyberArk’s “Credential Provider and ASCP Implementation Guide”

appid

string / required

Defines the unique ID of the application that is issuing the password request.

output

string

Specifies the desired output fields separated by commas.

They could be: Password, PassProps.<property>, PasswordChangeInProcess

Default: “password”

query

string / required

Describes the filter criteria for the password retrieval.

Notes

Note

  • For Ansible on Windows, please change the -parameters (-p, -d, and -o) to /parameters (/p, /d, and /o) and change the location of CLIPasswordSDK.exe.

Examples

- name: passing options to the lookup
  ansible.builtin.debug:
      msg: '{{ lookup("community.general.cyberarkpassword", cyquery) }}'
  vars:
    cyquery:
      appid: "app_ansible"
      query: "safe=CyberArk_Passwords;folder=root;object=AdminPass"
      output: "Password,PassProps.UserName,PassProps.Address,PasswordChangeInProcess"


- name: used in a loop
  ansible.builtin.debug:
      msg: "{{item}}"
  with_community.general.cyberarkpassword:
      appid: 'app_ansible'
      query: 'safe=CyberArk_Passwords;folder=root;object=AdminPass'
      output: 'Password,PassProps.UserName,PassProps.Address,PasswordChangeInProcess'

Return Values

Common return values are documented here, the following are the fields unique to this lookup:

Key

Description

_result

list / elements=dictionary

A list containing one dictionary.

Returned: success

passprops

dictionary

properties assigned to the entry

Returned: success

password

string

The actual value stored

Returned: success

passwordchangeinprocess

string

did the password change?

Returned: success

Authors

  • Unknown

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.