cyberark.pas.cyberark_account – Module for CyberArk Account object creation, deletion, and modification using PAS Web Services SDK.
Note
This plugin is part of the cyberark.pas collection (version 1.0.5).
To install it use: ansible-galaxy collection install cyberark.pas.
To use it in a playbook, specify: cyberark.pas.cyberark_account.
New in version 2.4 of cyberark.pas
Synopsis
- Creates a URI for adding, deleting, or modifying a privileged credential within the CyberArk Vault. The request uses the Privileged Account Security Web Services SDK.
 
Parameters
| Parameter | Choices/Defaults | Comments |
|---|---|---|
| `address` string | | The address of the endpoint where the privileged account is located. |
| `api_base_url` string / required | | A string containing the base URL of the server hosting CyberArk's Privileged Account Security Web Services SDK. |
| `cyberark_session` dictionary / required | | Dictionary set by a CyberArk authentication containing the different values to perform actions on a logged-on CyberArk session. See the cyberark_authentication module for an example of cyberark_session. |
| `identified_by` string | Default: "username,address,platform_id" | When an API call is made to Get Accounts, the default parameters passed will often identify more than one account. This parameter is used to confidently identify a single account when the default query can return multiple results. |
| `logging_file` string | Default: "/tmp/ansible_cyberark.log" | Sets the log file name and location for troubleshooting logs. |
| `logging_level` string / required | | Parameter used to define the level of troubleshooting output to the logging_file value. |
| `name` string | | The ObjectID of the account. |
| `new_secret` string | | The new secret/password to be stored in CyberArk Vault. |
| `platform_account_properties` dictionary | | Object containing key-value pairs to associate with the account, as defined by the account platform. These properties are validated against the mandatory and optional properties of the specified platform's definition. Optional properties that do not exist on the account will not be returned here. Internal properties are not returned. |
| `KEY` string (suboption of `platform_account_properties`) | | Freeform key value associated to the mandatory or optional property assigned to the specified Platform's definition. aliases: Port, ExtrPass1Name, database |
| `platform_id` string | | The PolicyID of the Platform that is to be managing the account. |
| `remote_machines_access` dictionary | | Set of parameters for defining PSM endpoint access targets. |
| `access_restricted_to_remote_machines` boolean (suboption of `remote_machines_access`) | | Whether or not to restrict access only to specified remote machines. |
| `remote_machines` string (suboption of `remote_machines_access`) | | List of targets allowed for this account. |
| `safe` string / required | | The safe in the Vault where the privileged account is to be located. |
| `secret` string | | The initial password for the creation of the account. |
| `secret_management` dictionary | | Set of parameters associated with the management of the credential. |
| `automatic_management_enabled` boolean (suboption of `secret_management`) | | Parameter that indicates whether the CPM will manage the password or not. |
| `management_action` string (suboption of `secret_management`) | | CPM action flag to be placed on the account object for credential rotation. |
| `manual_management_reason` string (suboption of `secret_management`) | | String value indicating why the CPM will NOT manage the password. |
| `new_secret` string (suboption of `secret_management`) | | The actual password value that will be assigned for the CPM action to be taken. |
| `perform_management_action` string (suboption of `secret_management`) | | `always` will perform the management action in every action. `on_create` will only perform the management action right after the account is created. |
| `secret_type` string | | The value that identifies what type of account it will be. |
| `state` string / required | | Assert the desired state of the account. Set to `present` to create or update an account object. Set to `absent` for deletion of an account object. |
| `username` string | | The username associated with the account. |
| `validate_certs` boolean | | If `false`, SSL certificate chain will not be validated. This should only be set to `true` if you have a root CA certificate installed on each node. |
Examples
```yaml
# Wrapped in a play so the snippet runs as-is; adjust hosts to your inventory.
- hosts: localhost
  collections:
    - cyberark.pas
  tasks:
    - name: Logon to CyberArk Vault using PAS Web Services SDK
      cyberark_authentication:
        api_base_url: "http://components.cyberark.local"
        validate_certs: no
        username: "bizdev"
        password: "Cyberark1"

    - name: Creating an Account using the PAS WebServices SDK
      cyberark_account:
        logging_level: DEBUG
        identified_by: "address,username"
        safe: "Test"
        address: "cyberark.local"
        username: "administrator-x"
        platform_id: WinServerLocal
        secret: "@N&Ibl3!"
        platform_account_properties:
          LogonDomain: "cyberark"
          OwnerName: "ansible_user"
        secret_management:
          automatic_management_enabled: true
        state: present
        cyberark_session: "{{ cyberark_session }}"
      register: cyberarkaction

    # The task name must be a single string, not a list.
    - name: Rotate credential via reconcile and providing the password to be changed to
      cyberark_account:
        identified_by: "address,username"
        safe: "Domain_Admins"
        address: "prod.cyberark.local"
        username: "admin"
        platform_id: WinDomain
        platform_account_properties:
          LogonDomain: "PROD"
        secret_management:
          new_secret: "Ama123ah12@#!Xaamdjbdkl@#112"
          management_action: "reconcile"
          automatic_management_enabled: true
        state: present
        cyberark_session: "{{ cyberark_session }}"
      register: reconcileaccount

    - name: Logoff from CyberArk Vault
      cyberark_authentication:
        state: absent
        cyberark_session: "{{ cyberark_session }}"
```
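
A hardened variant of the account-creation playbook above, as an added example that is not part of the module's own documentation: it uses HTTPS with certificate validation, takes credentials from variables instead of literals, sets `no_log` on tasks whose arguments carry secrets, and logs off in an `always` section. The `vault_*` variable names, `pas_url`, the log path and the `localhost` play are assumptions.

```yaml
# Added example; vault_* variables, pas_url and the log path are assumptions.
- hosts: localhost
  gather_facts: false
  collections:
    - cyberark.pas
  vars:
    pas_url: "https://components.cyberark.local"  # HTTPS instead of HTTP
  tasks:
    - block:
        - name: Logon to CyberArk Vault with certificate validation
          cyberark_authentication:
            api_base_url: "{{ pas_url }}"
            validate_certs: true
            username: "{{ vault_cyberark_user }}"
            password: "{{ vault_cyberark_password }}"
          no_log: true  # keep the password and session data out of task output

        - name: Create or update the account without an inline secret
          cyberark_account:
            api_base_url: "{{ pas_url }}"
            validate_certs: true
            logging_level: INFO  # not DEBUG for routine runs
            logging_file: "/var/log/ansible/cyberark.log"  # not the shared /tmp default
            identified_by: "address,username"
            safe: "Test"
            address: "cyberark.local"
            username: "administrator-x"
            platform_id: WinServerLocal
            secret: "{{ vault_initial_secret }}"
            platform_account_properties:
              LogonDomain: "cyberark"
            secret_management:
              automatic_management_enabled: true
            state: present
            cyberark_session: "{{ cyberark_session }}"
          no_log: true  # the task arguments include the secret
          register: cyberarkaction
      always:
        - name: Logoff from CyberArk Vault even when a task above failed
          cyberark_authentication:
            state: absent
            cyberark_session: "{{ cyberark_session }}"
          when: cyberark_session is defined
          no_log: true
```

Define the `vault_*` variables in a vars file encrypted with `ansible-vault` so the playbook itself holds no credentials.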
Return Values
Common return values are documented here. The following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| `changed` boolean | always | Identify if the playbook run resulted in a change to the account in any way. |
| `failed` boolean | always | Whether playbook run resulted in a failure of any kind. |
| `result` complex | success | A json dump of the resulting action. |
| `address` string (field of `result`) | successful addition and modification | The address of the endpoint where the privileged account is located. Sample: dev.local |
| `createdTime` integer (field of `result`) | successful addition and modification | Timeframe calculation of the timestamp of account creation. Sample: 1567824520 |
| `id` integer (field of `result`) | successful addition and modification | Internal ObjectID for the account object identified. Sample: 25_21 |
| `name` string (field of `result`) | successful addition and modification | The external ObjectID of the account. Sample: ['Operating System-WinServerLocal-cyberark.local-administrator'] |
| `platformAccountProperties` complex (field of `result`) | successful addition and modification | Object containing key-value pairs to associate with the account, as defined by the account platform. |
| `KEY VALUE` string (field of `platformAccountProperties`) | successful addition and modification | Object containing key-value pairs to associate with the account, as defined by the account platform. Sample: [{'LogonDomain': 'cyberark'}, {'Port': '22'}] |
| `platformId` string (field of `result`) | successful addition and modification | The PolicyID of the Platform that is to be managing the account. Sample: WinServerLocal |
| `safeName` string (field of `result`) | successful addition and modification | The safe in the Vault where the privileged account is to be located. Sample: Domain_Admins |
| `secretManagement` complex (field of `result`) | successful addition and modification | Set of parameters associated with the management of the credential. Sample: {'automaticManagementEnabled': {'description': ['Parameter that indicates whether the CPM will manage the password or not.'], 'returned': 'successful addition and modification', 'type': 'bool'}, 'lastModifiedTime': {'description': ['Timeframe calculation of the timestamp of account modification.'], 'returned': 'successful addition and modification', 'sample': '1567824520', 'type': 'int'}, 'manualManagementReason': {'description': None, 'returned': 'if automaticManagementEnabled is set to false', 'sample': 'This is a static account', 'type': 'str'}} |
| `secretType` list / elements=string (field of `result`) | successful addition and modification | The value that identifies what type of account it will be. Sample: ['key', 'password'] |
| `userName` string (field of `result`) | successful addition and modification | The username associated with the account. Sample: administrator |
| `status_code` integer | success | Result HTTP Status code. Sample: 200, 201, -1, 204 |
Authors
- CyberArk BizDev (@cyberark-bizdev)
- Edward Nunez (@enunez-cyberark)
- James Stutes (@jimmyjamcabd)

© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.11/collections/cyberark/pas/cyberark_account_module.html