🙊
I'm really good at keeping secrets.

Joe Garcia infamousjoeg

infamousjoeg / ScaleCCPLookupsAAP.md
Last active October 29, 2025 13:49
Solving Dynamic CyberArk CCP Lookups in Ansible Automation Platform

The Problem

You've got multiple teams, each with their own CyberArk safes (let's say 20+), and secrets in those safes are needed for agent installation across your Linux fleet. If you try to solve this the "obvious" way—creating AAP credential objects for each user × safe combination—you end up with credential sprawl from hell. 200 users × 20 safes = 4,000 credential objects. Nobody wants that.

The thing is, you can't just template variables in AAP credential queries like this:

{
 "object_query": "Username={{ service }};Address=foobar.example.dev"
infamousjoeg / 01_ns_sa.sh
Created September 24, 2025 18:57
Kubernetes Manifests for Secrets Provider for K8s in Sidecar Mode PoC
#!/bin/bash
kubectl create ns cyberark-poc
kubectl create sa -n cyberark-poc cyberark-poc-app-sa
infamousjoeg / SecretsHubDiscoveryONLY.json
Created August 28, 2025 12:49
Secrets Hub ListSecrets Only CloudFormation Template
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "PolicyName": {
      "Type": "String",
      "Description": "Meaningful policy name"
    },
    "CyberArkSecretsHubRoleARN": {
      "Type": "String",
      "Description": "The Secrets Hub tenant role ARN which will be trusted by this role"
infamousjoeg / README.get-secrets.md
Created August 21, 2025 19:48
CyberArk get-secrets Tool: Windows Setup and PowerShell Usage Guide

Prerequisites

  • Windows Server 2016+ or Windows 10+
  • PowerShell 5.1+ (included with Windows)
  • Administrator privileges
  • CyberArk Identity and Secrets Hub credentials

Step 1: Install Go

infamousjoeg / authenticate_arksdk.py
Created August 11, 2025 16:32
How to authenticate as an Identity Service User using Ark SDK for Python
import getpass
from ark_sdk_python import ArkClient
from ark_sdk_python.auth import ArkISPAuth

def interactive_platform_auth():
    """Interactive platform token authentication setup"""
    # Gather credentials interactively
    tenant_url = input("Enter your CyberArk tenant URL: ")
    client_id = input("Enter your Service User client ID: ")
infamousjoeg / AzureKeyVaultsWithSecrets.ps1
Created August 6, 2025 17:31
Get all Azure Key Vaults in an Azure Management Group that contain Secret objects
# Requires: Az PowerShell Module
# Install with: Install-Module -Name Az -Scope CurrentUser
# ------------------------
# VARIABLES - EDIT THESE
# ------------------------
$ManagementGroupId = "<YourManagementGroupID>" # e.g. "mg-root"
# ------------------------
# CONNECT TO AZURE
infamousjoeg / V5SynchronizerInstallation.proxy.ps1
Created June 16, 2025 14:38
Proxy-supported Vault-Conjur Synchronizer PowerShell Script
# Version = 13.6.0.4-release/13.6
#-----------------------------------------
# This script installs the Vault-Conjur Synchronizer
#------------------------------------------
#Requires -Version 4.0
param([switch] $silent, [switch] $forceNoPVWAApiUse, [switch] $trustPVWAAndConjurCert, [switch] $automationTests)
#region [Variables]
infamousjoeg / cyberarkSAMLPingFederate.md
Created March 27, 2025 19:06
CyberArk PAM (Self-Hosted) REST API Authentication via PingFederate SAML

CyberArk PAM REST API Authentication via PingFederate SAML

This guide demonstrates how to authenticate to CyberArk's Self-Hosted Privileged Access Management (PAM) REST API using PingFederate SAML authentication with PowerShell.

Overview

The script implements a complete SAML authentication flow that:

  1. Initiates SAML authentication with CyberArk
  2. Redirects to PingFederate for authentication
infamousjoeg / PS-SAML-Interactive-NG.psm1
Last active March 7, 2025 21:53
getSAMLResponse-Interactive using Selenium
function New-SAMLInteractive {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $LoginIDP
    )
    Begin {
        # Regular expression to extract SAML Response
        $RegEx = '(?i)name="SAMLResponse"(?: type="hidden")? value=\"(.*?)\"(?:.*)?\/>'
infamousjoeg / GitHubOIDC-CyberArkConjur.md
Created August 15, 2024 13:07
Utilizing GitHub OIDC as an Authentication Method through CyberArk Conjur’s authn-jwt

Overview: This documentation demonstrates how to use GitHub's OpenID Connect (OIDC) as an authentication method in Conjur Cloud & Self-Hosted Enterprise using the authn-jwt authenticator. The process involves configuring the JWT authenticator, mapping claims from the GitHub OIDC token to annotations in Conjur Cloud, and finally authenticating a workload.


Step 1: Configure GitHub OIDC with JWT Authenticator

  1. Plan the Configuration: