cyberark.pas.cyberark_credential – Credential retrieval using AAM Central Credential Provider.
Note
This plugin is part of the cyberark.pas collection (version 1.0.7).
You might already have this collection installed if you are using the ansible
package. It is not included in ansible-core
. To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install cyberark.pas
.
To use it in a playbook, specify: cyberark.pas.cyberark_credential
.
New in version 2.4: of cyberark.pas
Synopsis
- Creates a URI for retrieving a credential from a password object stored in the Cyberark Vault. The request uses the Privileged Account Security Web Services SDK through the Central Credential Provider by requesting access with an Application ID.
Parameters
Parameter | Choices/Defaults | Comments |
---|---|---|
api_base_url string / required | A string containing the base URL of the server hosting the Central Credential Provider. | |
app_id string / required | A string containing the Application ID authorized for retrieving the credential. | |
client_cert string | A string containing the file location and name of the client certificate used for authentication. | |
client_key string | A string containing the file location and name of the private key of the client certificate used for authentication. | |
connection_timeout integer | Default: "30" | An integer value of the allowed time before the request returns failed. |
fail_request_on_password_change boolean |
| A boolean parameter for completing the request in the middle of a password change of the requested credential. |
query string / required | A string containing details of the object being queried; Possible parameters could be Safe, Folder, Object (internal account name), UserName, Address, Database, PolicyID. | |
query_format string |
| The format for which your Query will be received by the CCP. |
reason string | Reason for requesting credential if required by policy; It must be specified if the Policy managing the object requires it. | |
validate_certs boolean |
| If false , SSL certificate chain will not be validated. This should only set to true if you have a root CA certificate installed on each node. |
Examples
tasks: - name: credential retrieval basic cyberark_credential: api_base_url: "http://10.10.0.1" app_id: "TestID" query: "Safe=test;UserName=admin" register: result - name: credential retrieval advanced cyberark_credential: api_base_url: "https://components.cyberark.local" validate_certs: yes client_cert: /etc/pki/ca-trust/source/client.pem client_key: /etc/pki/ca-trust/source/priv-key.pem app_id: "TestID" query: "Safe=test;UserName=admin" connection_timeout: 60 query_format: Exact fail_request_on_password_change: True reason: "requesting credential for Ansible deployment" register: result
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description | |
---|---|---|---|
changed boolean | always | Identify if the playbook run resulted in a change to the account in any way. | |
failed boolean | always | Whether playbook run resulted in a failure of any kind. | |
result complex | success | A json dump of the resulting action. | |
Address string | if required | The target address of the credential being queried | |
Content string | always | The password for the object being queried | |
CPMDisabled string | if CPM management is disabled and a reason is given | A description of why this vaulted credential is not being managed by the CPM. | |
CreationMethod string | always | This is how the object was created in the Vault | |
DeviceType string | always | An internal File Category for more granular management of Platforms. | |
Folder string | always | The folder within the Safe where the credential is stored. | |
LogonDomain string | if populated | The Address friendly name resolved by the CPM | |
Name string | always | The Cyberark unique object ID of the credential being queried. | |
PasswordChangeInProcess boolean | always | If the password has a change flag placed by the CPM | |
PolicyID string | if assigned to a policy | Whether or not SSL certificates should be validated. | |
Safe string | always | The safe where the queried credential is stored | |
Username string | if required | The username of the credential being queried | |
status_code integer | success | Result HTTP Status code. Sample: 200, 201, -1, 204 |
Authors
- Edward Nunez (@enunez-cyberark)
- CyberArk BizDev (@cyberark-bizdev)
- Erasmo Acosta (@erasmix)
- James Stutes (@JimmyJamCABD)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/cyberark/pas/cyberark_credential_module.html