cyberark.pas.cyberark_credential – Credential retrieval using AAM Central Credential Provider.
Note
This plugin is part of the cyberark.pas collection (version 1.0.5).
To install it use: ansible-galaxy collection install cyberark.pas.
To use it in a playbook, specify: cyberark.pas.cyberark_credential.
New in version 2.4 of cyberark.pas.
Synopsis
- Creates a URI for retrieving a credential from a password object stored in the CyberArk Vault. The request uses the Privileged Account Security Web Services SDK through the Central Credential Provider by requesting access with an Application ID.
 
Parameters
| Parameter | Choices/Defaults | Comments |
|---|---|---|
| api_base_url (string / required) |  | A string containing the base URL of the server hosting the Central Credential Provider. |
| app_id (string / required) |  | A string containing the Application ID authorized for retrieving the credential. |
| client_cert (string) |  | A string containing the file location and name of the client certificate used for authentication. |
| client_key (string) |  | A string containing the file location and name of the private key of the client certificate used for authentication. |
| connection_timeout (integer) | Default: "30" | An integer value of the allowed time before the request returns failed. |
| fail_request_on_password_change (boolean) |  | A boolean parameter for completing the request in the middle of a password change of the requested credential. |
| query (string / required) |  | A string containing details of the object being queried; possible parameters could be Safe, Folder, Object (internal account name), UserName, Address, Database, PolicyID. |
| query_format (string) |  | The format in which your query will be received by the CCP. |
| reason (string) |  | Reason for requesting the credential if required by policy; it must be specified if the Policy managing the object requires it. |
| validate_certs (boolean) |  | If false, the SSL certificate chain will not be validated. This should only be set to true if you have a root CA certificate installed on each node. |
Examples
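```yaml
tasks:
  # Minimal call: only the three required parameters.
  # Note that this base URL is plain HTTP, so the request and the returned
  # credential are not protected by TLS in transit.
  - name: credential retrieval basic
    cyberark_credential:
      api_base_url: "http://10.10.0.1"
      app_id: "TestID"
      query: "Safe=test;UserName=admin"
    register: result

  # Full call: HTTPS with certificate validation and client-certificate
  # authentication, plus the optional query and policy parameters.
  - name: credential retrieval advanced
    cyberark_credential:
      api_base_url: "https://components.cyberark.local"
      validate_certs: yes
      client_cert: /etc/pki/ca-trust/source/client.pem
      client_key: /etc/pki/ca-trust/source/priv-key.pem
      app_id: "TestID"
      query: "Safe=test;UserName=admin"
      connection_timeout: 60
      query_format: Exact
      fail_request_on_password_change: True
      reason: "requesting credential for Ansible deployment"
    register: result
```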
Return Values
Common return values are documented here; the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| changed (boolean) | always | Identify if the playbook run resulted in a change to the account in any way. |
| failed (boolean) | always | Whether playbook run resulted in a failure of any kind. |
| result (complex) | success | A json dump of the resulting action. |
| Address (string) | if required | The target address of the credential being queried |
| Content (string) | always | The password for the object being queried |
| CPMDisabled (string) | if CPM management is disabled and a reason is given | A description of why this vaulted credential is not being managed by the CPM. |
| CreationMethod (string) | always | This is how the object was created in the Vault |
| DeviceType (string) | always | An internal File Category for more granular management of Platforms. |
| Folder (string) | always | The folder within the Safe where the credential is stored. |
| LogonDomain (string) | if populated | The Address friendly name resolved by the CPM |
| Name (string) | always | The CyberArk unique object ID of the credential being queried. |
| PasswordChangeInProcess (boolean) | always | If the password has a change flag placed by the CPM |
| PolicyID (string) | if assigned to a policy | Whether or not SSL certificates should be validated. |
| Safe (string) | always | The safe where the queried credential is stored |
| Username (string) | if required | The username of the credential being queried |
| status_code (integer) | success | Result HTTP Status code. Sample: 200, 201, -1, 204 |
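Because `Content` carries the password, the registered result needs the same handling as any other secret. The playbook below is an added example, not part of the collection's documentation: it reuses the parameters of the advanced example and keeps the secret out of task output with `no_log`. The registered variable `ccp` and the fact `db_admin_password` are hypothetical names, and the example assumes the credential fields listed above are nested under the `result` key of the registered variable.

```yaml
- hosts: localhost
  gather_facts: false
  tasks:
    - name: Retrieve credential from the CCP over TLS with a client certificate
      cyberark.pas.cyberark_credential:
        api_base_url: "https://components.cyberark.local"
        validate_certs: true
        client_cert: /etc/pki/ca-trust/source/client.pem
        client_key: /etc/pki/ca-trust/source/priv-key.pem
        app_id: "TestID"
        query: "Safe=test;UserName=admin"
        query_format: Exact
        fail_request_on_password_change: true
        reason: "requesting credential for Ansible deployment"
      register: ccp            # hypothetical variable name
      no_log: true             # the result contains the password in Content

    - name: Stop if the response is not usable
      ansible.builtin.assert:
        that:
          - ccp.status_code == 200
          # Assumption: credential fields are nested under ccp.result
          - ccp.result.Content is defined
          - ccp.result.Content | length > 0
        quiet: true
      no_log: true             # a failed assert would otherwise echo values

    - name: Hand the secret to later tasks without logging it
      ansible.builtin.set_fact:
        db_admin_password: "{{ ccp.result.Content }}"   # hypothetical fact name
      no_log: true

    - name: Report only non-secret metadata
      ansible.builtin.debug:
        msg: "Retrieved object {{ ccp.result.Name }} from safe {{ ccp.result.Safe }}"
```

Any later task that templates `db_admin_password` into its arguments also needs `no_log: true`, since Ansible prints task arguments at higher verbosity levels.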
Authors
- Edward Nunez (@enunez-cyberark)
- CyberArk BizDev (@cyberark-bizdev)
- Erasmo Acosta (@erasmix)
- James Stutes (@JimmyJamCABD)
 
    © 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
    https://docs.ansible.com/ansible/2.10/collections/cyberark/pas/cyberark_credential_module.html