cyberark.pas.cyberark_credential – Credential retrieval using AAM Central Credential Provider.
Note
This plugin is part of the cyberark.pas collection (version 1.0.5).
To install it use: ansible-galaxy collection install cyberark.pas.
To use it in a playbook, specify: cyberark.pas.cyberark_credential.
New in version 2.4: of cyberark.pas
Synopsis
- Creates a URI for retrieving a credential from a password object stored in the CyberArk Vault. The request uses the Privileged Account Security Web Services SDK through the Central Credential Provider by requesting access with an Application ID.
Parameters
| Parameter | Choices/Defaults | Comments |
|---|---|---|
| api_base_url<br>string / required | | A string containing the base URL of the server hosting the Central Credential Provider. |
| app_id<br>string / required | | A string containing the Application ID authorized for retrieving the credential. |
| client_cert<br>string | | A string containing the file location and name of the client certificate used for authentication. |
| client_key<br>string | | A string containing the file location and name of the private key of the client certificate used for authentication. |
| connection_timeout<br>integer | Default: "30" | An integer value of the allowed time before the request returns failed. |
| fail_request_on_password_change<br>boolean | | A boolean parameter for completing the request in the middle of a password change of the requested credential. |
| query<br>string / required | | A string containing details of the object being queried; possible parameters could be Safe, Folder, Object (internal account name), UserName, Address, Database, PolicyID. |
| query_format<br>string | | The format in which your query will be received by the CCP. |
| reason<br>string | | Reason for requesting credential if required by policy; it must be specified if the Policy managing the object requires it. |
| validate_certs<br>boolean | | If false, SSL certificate chain will not be validated. This should only be set to true if you have a root CA certificate installed on each node. |
Examples
```yaml
tasks:
  # Minimal form: base URL, Application ID and query only.
  - name: credential retrieval basic
    cyberark_credential:
      api_base_url: "http://10.10.0.1"
      app_id: "TestID"
      query: "Safe=test;UserName=admin"
    register: result

  # Full form: HTTPS with certificate validation and client certificate authentication.
  - name: credential retrieval advanced
    cyberark_credential:
      api_base_url: "https://components.cyberark.local"
      validate_certs: yes
      client_cert: /etc/pki/ca-trust/source/client.pem
      client_key: /etc/pki/ca-trust/source/priv-key.pem
      app_id: "TestID"
      query: "Safe=test;UserName=admin"
      connection_timeout: 60
      query_format: Exact
      fail_request_on_password_change: True
      reason: "requesting credential for Ansible deployment"
    register: result
```
Return Values
Common return values are documented here; the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| changed<br>boolean | always | Identify if the playbook run resulted in a change to the account in any way. |
| failed<br>boolean | always | Whether playbook run resulted in a failure of any kind. |
| result<br>complex | success | A json dump of the resulting action. |
| Address<br>string | if required | The target address of the credential being queried |
| Content<br>string | always | The password for the object being queried |
| CPMDisabled<br>string | if CPM management is disabled and a reason is given | A description of why this vaulted credential is not being managed by the CPM. |
| CreationMethod<br>string | always | This is how the object was created in the Vault |
| DeviceType<br>string | always | An internal File Category for more granular management of Platforms. |
| Folder<br>string | always | The folder within the Safe where the credential is stored. |
| LogonDomain<br>string | if populated | The Address friendly name resolved by the CPM |
| Name<br>string | always | The CyberArk unique object ID of the credential being queried. |
| PasswordChangeInProcess<br>boolean | always | If the password has a change flag placed by the CPM |
| PolicyID<br>string | if assigned to a policy | Whether or not SSL certificates should be validated. |
| Safe<br>string | always | The safe where the queried credential is stored |
| Username<br>string | if required | The username of the credential being queried |
| status_code<br>integer | success | Result HTTP Status code. Sample: 200, 201, -1, 204 |
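Because the Content field carries the retrieved password, task definitions that call this module are worth checking before they are merged. The following is an added example, not part of the module's documentation or the collection's code: it flags a non-HTTPS api_base_url (as in the basic example), validate_certs set to false, a client_key without a client_cert, and a task without Ansible's `no_log` keyword. The function names, finding texts and sample dicts are assumptions of this example, and the `no_log` check assumes the returned Content is not masked by other means.

```python
from urllib.parse import urlparse

# Both the short and the fully qualified module name can appear as the task key.
MODULE_KEYS = ("cyberark.pas.cyberark_credential", "cyberark_credential")
FALSY = {"false", "no", "off", "0"}  # strings Ansible reads as boolean false

def is_false(value):
    """True when a YAML/Ansible value is an explicit boolean false."""
    if isinstance(value, bool):
        return not value
    return str(value).strip().lower() in FALSY

def lint_task(task):
    """Return findings for one task dict; an empty list means no finding."""
    args = next((task[k] for k in MODULE_KEYS if k in task), None)
    if args is None:
        return []  # not a cyberark_credential task
    findings = []
    if urlparse(str(args.get("api_base_url", ""))).scheme.lower() != "https":
        findings.append("api_base_url: not https, request and password travel in cleartext")
    if is_false(args.get("validate_certs", True)):  # absent key: no finding
        findings.append("validate_certs: false, CCP server certificate is not verified")
    if args.get("client_key") and not args.get("client_cert"):
        findings.append("client_key: set without client_cert")
    if is_false(task.get("no_log", False)):
        findings.append("no_log: not enabled, returned Content may reach task output")
    return findings

# Constructed sample tasks: the first two mirror the page's Examples section,
# the third is the advanced task with no_log added (an assumption of this example).
BASIC = {"name": "credential retrieval basic",
         "cyberark_credential": {"api_base_url": "http://10.10.0.1",
                                 "app_id": "TestID", "query": "Safe=test;UserName=admin"},
         "register": "result"}
ADVANCED = {"name": "credential retrieval advanced",
            "cyberark_credential": {"api_base_url": "https://components.cyberark.local",
                                    "validate_certs": True,
                                    "client_cert": "/etc/pki/ca-trust/source/client.pem",
                                    "client_key": "/etc/pki/ca-trust/source/priv-key.pem",
                                    "app_id": "TestID", "query": "Safe=test;UserName=admin"},
            "register": "result"}
HARDENED = dict(ADVANCED, no_log=True)

if __name__ == "__main__":
    for t in (BASIC, ADVANCED, HARDENED):
        print(t["name"], "->", lint_task(t) or "clean")
```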
Authors
- Edward Nunez (@enunez-cyberark)
- CyberArk BizDev (@cyberark-bizdev)
- Erasmo Acosta (@erasmix)
- James Stutes (@JimmyJamCABD)
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/cyberark/pas/cyberark_credential_module.html