path: root/ansible_collections/cyberark/pas/docs/cyberark_credential.md
blob: d589f145c3dbb258a4aeea1bcd275c018d476192 (plain)
# cyberark_credential

Creates a URI for retrieving a credential from a password object stored in the CyberArk Vault. The request uses the Privileged Account Security Web Services SDK through the Central Credential Provider by requesting access with an Application ID.

**Requirements:**
- CyberArk AAM Central Credential Provider
- ApplicationID with the following permissions on the safe containing the credential being requested:
  - List Accounts
  - Retrieve Accounts
> **NOTE:** The CCP's Provider user (Prov_hostname) needs to have the following permissions on the safe containing the credential being requested:
>> List Accounts<br>
>> Retrieve Accounts<br>
>> View Safe Members<br>

## Query
This field is a semicolon-delimited value that uses the exact syntax that goes in the URI.<br>
If you use the `Object` parameter, there is no need to use any other parameter, as the ObjectID is a unique value.<br>
**Example:**
```
    query: "Safe=test;UserName=admin"
      OR
    query: "Object=OperatingSystem-administrator-dev.local"
```

## Available Fields

```
options:
    api_base_url:
        description:
            - A string containing the base URL of the server hosting the Central Credential Provider
        required: true
        type: string
    validate_certs:
        description:
            - If C(false), the SSL certificate chain will not be validated. This should only be set to C(true) if you have a root CA certificate installed on each node.
        required: false
        default: false
        type: bool
    app_id:
        description:
            - A string containing the Application ID authorized for retrieving the credential
        required: true
        type: string
    query:
        description:
            - A string containing details of the object being queried
        required: true
        parameters:
            Safe=<safe name>
            Folder=<folder name within safe>
            Object=<object name>
            UserName=<username of object>
            Address=<address listed for object>
            Database=<optional file category for database objects>
            PolicyID=<platform id managing object>
    connection_timeout:
        description:
            - An integer value of the allowed time before the request returns failed
        required: false
        default: '30'
        type: integer
    query_format:
        description:
            - The format for which your Query will be received by the CCP
        required: false
        default: 'Exact'
        choices: [Exact, Regexp]
        type: choice
    fail_request_on_password_change:
        description:
            - A boolean parameter for completing the request in the middle of a password change of the requested credential
        required: false
        default: false
        type: bool
    client_cert:
        description:
            - A string containing the file location and name of the client certificate used for authentication
        required: false
        type: string
    client_key:
        description:
            - A string containing the file location and name of the private key of the client certificate used for authentication
        required: false
        type: string
    reason:
        description:
            - Reason for requesting credential if required by policy
        required: false
        type: string
```



## Example Playbooks

```yaml
- name: credential retrieval basic
  cyberark_credential:
    api_base_url: "http://10.10.0.1"
    app_id: "TestID"
    query: "Safe=test;UserName=admin"
  register: result

# Resulting request URI:
#   { api_base_url }"/AIMWebService/api/Accounts?AppId="{ app_id }"&Query="{ query }

- name: credential retrieval advanced
  cyberark_credential:
    api_base_url: "https://components.cyberark.local"
    validate_certs: true
    client_cert: /etc/pki/ca-trust/source/client.pem
    client_key: /etc/pki/ca-trust/source/priv-key.pem
    app_id: "TestID"
    query: "Safe=test;UserName=admin"
    connection_timeout: 60
    query_format: Exact
    fail_request_on_password_change: true
    reason: "requesting credential for Ansible deployment"
  register: result

# Resulting request URI:
#   { api_base_url }"/AIMWebService/api/Accounts?AppId="{ app_id }"&Query="{ query }"&ConnectionTimeout="{ connection_timeout }"&QueryFormat="{ query_format }"&FailRequestOnPasswordChange="{ fail_request_on_password_change }

- name: credential retrieval custom path
  cyberark_credential:
    api_base_url: "http://10.10.0.1"
    app_id: "TestID"
    query: "Safe=test;UserName=admin"
    path: AimWebServiceCustom
  register: result

# Resulting request URI:
#   { api_base_url } { path } "?AppId="{ app_id }"&Query="{ query }
```
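
The URI assembly shown with the playbooks above, together with the query syntax from the Query section, as an added Python example (not the module's own code). The function names, the percent-encoding of `AppId` and `Query`, and the lower-casing of booleans are assumptions of this example; the two sample tasks are constructed from the basic and advanced playbooks, and only the default `AIMWebService` path is covered.

```python
from urllib.parse import quote, urlsplit

# Query keys listed under "Available Fields" on this page.
ALLOWED_KEYS = {"Safe", "Folder", "Object", "UserName", "Address", "Database", "PolicyID"}
# Optional task parameters and the URI names shown in the advanced example.
URI_NAMES = {"connection_timeout": "ConnectionTimeout", "query_format": "QueryFormat",
             "fail_request_on_password_change": "FailRequestOnPasswordChange"}

def parse_query(query):
    """Split the semicolon-delimited query into (key, value) pairs; reject unknown keys."""
    pairs = []
    for part in filter(None, (p.strip() for p in query.split(";"))):
        key, sep, value = part.partition("=")
        if not sep or key not in ALLOWED_KEYS or not value:
            raise ValueError(f"invalid query element: {part!r}")
        pairs.append((key, value))
    if not pairs:
        raise ValueError("query is empty")
    return pairs

def build_uri(params):
    """Assemble the request URI for the default AIMWebService path."""
    parse_query(params["query"])  # fail before anything is sent
    # Assumption of this example: values are percent-encoded, booleans lower-cased.
    enc = lambda v: quote(str(v).lower() if isinstance(v, bool) else str(v), safe="")
    uri = (f"{params['api_base_url'].rstrip('/')}/AIMWebService/api/Accounts"
           f"?AppId={enc(params['app_id'])}&Query={enc(params['query'])}")
    for opt, name in URI_NAMES.items():
        if opt in params:
            uri += f"&{name}={enc(params[opt])}"
    return uri

def review_task(params):
    """List transport settings that would expose the AppId or the retrieved credential."""
    findings = []
    if urlsplit(params["api_base_url"]).scheme != "https":
        findings.append("api_base_url is not https: request and response travel in cleartext")
    if not params.get("validate_certs", False):  # documented default is false
        findings.append("validate_certs is false: the CCP server certificate is not verified")
    if bool(params.get("client_cert")) != bool(params.get("client_key")):
        findings.append("client_cert and client_key must be set together")
    return findings

# Constructed from the basic and advanced playbooks on this page.
BASIC = {"api_base_url": "http://10.10.0.1", "app_id": "TestID", "query": "Safe=test;UserName=admin"}
ADVANCED = dict(BASIC, api_base_url="https://components.cyberark.local", validate_certs=True,
                client_cert="/etc/pki/ca-trust/source/client.pem",
                client_key="/etc/pki/ca-trust/source/priv-key.pem", connection_timeout=60,
                query_format="Exact", fail_request_on_password_change=True)
```

Run against the two sample tasks, `review_task` reports the plain-HTTP URL and the unverified certificate for the basic task and nothing for the advanced one.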