cyberark.pas.cyberark_account – Module for CyberArk Account object creation, deletion, and modification using PAS Web Services SDK.

Note

This plugin is part of the cyberark.pas collection (version 1.0.7).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install cyberark.pas.

To use it in a playbook, specify: cyberark.pas.cyberark_account.

New in version 2.4: of cyberark.pas

Synopsis

Creates a URI for adding, deleting, modifying a privileged credential within the Cyberark Vault. The request uses the Privileged Account Security Web Services SDK.

Parameters

Parameter		Choices/Defaults	Comments
address string			The address of the endpoint where the privileged account is located.
api_base_url string / required			A string containing the base URL of the server hosting CyberArk's Privileged Account Security Web Services SDK. Example https://<IIS_Server_Ip>/PasswordVault/api/
cyberark_session dictionary / required			Dictionary set by a CyberArk authentication containing the different values to perform actions on a logged-on CyberArk session, please see M(cyberark_authentication) module for an example of cyberark_session.
identified_by string		Default: "username,address,platform_id"	When an API call is made to Get Accounts, often times the default parameters passed will identify more than one account. This parameter is used to confidently identify a single account when the default query can return multiple results.
logging_file string		Default: "/tmp/ansible_cyberark.log"	Setting the log file name and location for troubleshooting logs.
logging_level string / required		Choices: NOTSET DEBUG INFO	Parameter used to define the level of troubleshooting output to the `logging_file` value.
name string			The ObjectID of the account
new_secret string			The new secret/password to be stored in CyberArk Vault.
platform_account_properties dictionary			Object containing key-value pairs to associate with the account, as defined by the account platform. These properties are validated against the mandatory and optional properties of the specified platform's definition. Optional properties that do not exist on the account will not be returned here. Internal properties are not returned.
	KEY string		Freeform key value associated to the mandatory or optional property assigned to the specified Platform's definition. aliases: Port, ExtrPass1Name, database
platform_id string			The PolicyID of the Platform that is to be managing the account
remote_machines_access dictionary			Set of parameters for defining PSM endpoint access targets.
	access_restricted_to_remote_machines boolean	Choices: no yes	Whether or not to restrict access only to specified remote machines.
	remote_machines string		List of targets allowed for this account.
safe string / required			The safe in the Vault where the privileged account is to be located.
secret string			The initial password for the creation of the account
secret_management dictionary			Set of parameters associated with the management of the credential.
	automatic_management_enabled boolean	Choices: no ← yes	Parameter that indicates whether the CPM will manage the password or not.
	management_action string	Choices: change change_immediately reconcile	CPM action flag to be placed on the account object for credential rotation.
	manual_management_reason string		String value indicating why the CPM will NOT manage the password.
	new_secret string		The actual password value that will be assigned for the CPM action to be taken.
	perform_management_action string	Choices: always ← on_create	`always` will perform the management action in every action. `on_create` will only perform the management action right after the account is created.
secret_type string		Choices: password ← key	The value that identifies what type of account it will be.
state string / required		Choices: present ← absent	Assert the desired state of the account `present` to creat or update and account object. Set to `absent` for deletion of an account object.
username string			The username associated with the account.
validate_certs boolean		Choices: no yes ←	If `false`, SSL certificate chain will not be validated. This should only set to `true` if you have a root CA certificate installed on each node.

Examples

collections:
  - cyberark.pas

tasks:

  - name: Logon to CyberArk Vault using PAS Web Services SDK
    cyberark_authentication:
      api_base_url: "http://components.cyberark.local"
      validate_certs: no
      username: "bizdev"
      password: "Cyberark1"

  - name: Creating an Account using the PAS WebServices SDK
    cyberark_account:
      logging_level: DEBUG
      identified_by: "address,username"
      safe: "Test"
      address: "cyberark.local"
      username: "administrator-x"
      platform_id: WinServerLocal
      secret: "@N&Ibl3!"
      platform_account_properties:
          LogonDomain: "cyberark"
          OwnerName: "ansible_user"
      secret_management:
          automatic_management_enabled: true
      state: present
      cyberark_session: "{{ cyberark_session }}"
    register: cyberarkaction

  - name:
      - Rotate credential via reconcile and providing the password to
        bechanged to.
    cyberark_account:
      identified_by: "address,username"
      safe: "Domain_Admins"
      address: "prod.cyberark.local"
      username: "admin"
      platform_id: WinDomain
      platform_account_properties:
          LogonDomain: "PROD"
      secret_management:
          new_secret: "Ama123ah12@#!Xaamdjbdkl@#112"
          management_action: "reconcile"
          automatic_management_enabled: true
      state: present
      cyberark_session: "{{ cyberark_session }}"
    register: reconcileaccount

  - name: Logoff from CyberArk Vault
    cyberark_authentication:
      state: absent
      cyberark_session: "{{ cyberark_session }}"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key			Returned	Description
changed boolean			always	Identify if the playbook run resulted in a change to the account in any way.
failed boolean			always	Whether playbook run resulted in a failure of any kind.
result complex			success	A json dump of the resulting action.
	address string		successful addition and modification	The adress of the endpoint where the privileged account is located. Sample: dev.local
	createdTime integer		successful addition and modification	Timeframe calculation of the timestamp of account creation. Sample: 1567824520
	id integer		successful addition and modification	Internal ObjectID for the account object identified Sample: 25_21
	name string		successful addition and modification	The external ObjectID of the account Sample: ['Operating System-WinServerLocal-cyberark.local-administrator']
	platformAccountProperties complex		successful addition and modification	Object containing key-value pairs to associate with the account, as defined by the account platform.
		KEY VALUE string	successful addition and modification	Object containing key-value pairs to associate with the account, as defined by the account platform. Sample: [{'LogonDomain': 'cyberark'}, {'Port': '22'}]
	platformId string		successful addition and modification	The PolicyID of the Platform that is to be managing the account. Sample: WinServerLocal
	safeName string		successful addition and modification	The safe in the Vault where the privileged account is to be located. Sample: Domain_Admins
	secretManagement complex		successful addition and modification	Set of parameters associated with the management of the credential. Sample: {'automaticManagementEnabled': {'description': ['Parameter that indicates whether the CPM will manage the password or not.'], 'returned': 'successful addition and modification', 'type': 'bool'}, 'lastModifiedTime': {'description': ['Timeframe calculation of the timestamp of account modification.'], 'returned': 'successful addition and modification', 'sample': '1567824520', 'type': 'int'}, 'manualManagementReason': {'description': None, 'returned': 'if `automaticManagementEnabled` is set to false', 'sample': 'This is a static account', 'type': 'str'}}
	secretType list / elements=string		successful addition and modification	The value that identifies what type of account it will be Sample: ['key', 'password']
	userName string		successful addition and modification	The username associated with the account Sample: administrator
status_code integer			success	Result HTTP Status code. Sample: 200, 201, -1, 204

Authors

CyberArk BizDev (@cyberark-bizdev)
Edward Nunez (@enunez-cyberark)
James Stutes (@jimmyjamcabd)

© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/cyberark/pas/cyberark_account_module.html

Docs

Docs4dev

Title here