Integrating Ansible Automation Platform with CyberArk to retrieve credentials

https://www.linkedin.com/in/gineesh/ https://twitter.com/GiniGangadharan

Warning: This article is still in progress and in an unpublished phase!

Introduction

Integrating the Ansible Automation Platform with CyberArk allows you to retrieve credentials securely and automatically from CyberArk's Password Vault Web Access (PVWA) and use them in Ansible playbooks. Here are the steps to integrate the Ansible Automation Platform with CyberArk.

Warning: This guide is not 100% tested and I am still fine-tuning the document

You can implement this integration using the CyberArk AIM Central Credential Provider Lookup credential in the Automation controller, or by using the cyberark.pas collection inside the playbook.

Prerequisites

The following items have to be configured on the CyberArk side before proceeding with the Ansible configuration.

Create a CyberArk Application Identity:

You need to create a CyberArk Application Identity to enable the Ansible Automation Platform to retrieve credentials from CyberArk PVWA. You can create an Application Identity by following these steps:

  • Log in to the CyberArk PVWA web portal.
  • Navigate to the Applications tab and click on the Add Application button.
  • Enter the application name, description, and IP address or hostname of the Ansible Automation Platform server.
  • Set the authentication method to "Password" and set the password complexity.
  • Save the application.

Create a CyberArk Safe:

You need to create a CyberArk Safe to store the credentials that you want to use in your Ansible playbooks. You can create a Safe by following these steps:

  • Log in to the CyberArk PVWA web portal.
  • Navigate to the Safes tab and click on the Add Safe button.
  • Enter the Safe name and description.
  • Set the owners and the approvers for the Safe.
  • Save the Safe.

Create a CyberArk Object:

You need to create a CyberArk Object to store the credentials for the target system that you want to manage using the Ansible Automation Platform. You can create a CyberArk Object by following these steps:

  • Log in to the CyberArk PVWA web portal.
  • Navigate to the Safe that you created earlier.
  • Click on the Add Object button.
  • Enter the Object name, description, and the target system details.
  • Enter the credentials for the target system and set the authentication method to "Password".
  • Save the Object.

Method 1. Using CyberArk AIM Central Credential Provider Lookup

Setting up a machine credential with CyberArk vault lookup is pretty straightforward in the Ansible Automation Platform.

Create CyberArk AIM Central Credential Provider Lookup credential

From the Automation controller web UI, go to Credentials -> Create new credential and fill in the fields as follows.

I will ignore the certificate portions to make this guide simple.

Create machine credential

Create a new credential as follows; do not put any password in the Password field.

Now, click on the Key icon near the Password field and select the previously created CyberArk AIM Central Credential Provider Lookup credential as follows.

Click Next and fill in the Object Query, Object Query Format and Reason fields as follows.

Now you can use this machine credential in job templates to retrieve and use credentials dynamically.
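The same three controller objects (the CyberArk lookup credential, the machine credential with an empty password, and the link between them) can be created as code instead of through the web UI. This is an added example that is not part of the original article; it assumes the awx.awx collection is installed and pointed at your controller, an organization named Default, and the constructed CCP URL and Application ID shown in the vars.

```yaml
---
# Added example (not from the original article): Method 1 as code.
# Assumes the awx.awx collection is installed and the controller host/token
# are provided via its usual CONTROLLER_* environment variables.
- name: Configure the CyberArk CCP lookup and a machine credential in the controller
  hosts: localhost
  gather_facts: false
  vars:
    ccp_url: "https://cyberark.example.com"   # constructed value
    ccp_app_id: "ansible"                     # constructed value, the Application Identity from the prerequisites
    org_name: "Default"                       # assumed organization name
  tasks:
    - name: Create the CyberArk AIM Central Credential Provider Lookup credential
      awx.awx.credential:
        name: cyberark-ccp
        organization: "{{ org_name }}"
        # Use the exact name listed under Credential Types in your controller;
        # newer releases show it without the word "AIM".
        credential_type: "CyberArk AIM Central Credential Provider Lookup"
        inputs:
          url: "{{ ccp_url }}"
          app_id: "{{ ccp_app_id }}"
          # Keep TLS verification on; add client_cert/client_key here for certificate auth
          verify: true
        state: present

    - name: Create the machine credential with an empty password field
      awx.awx.credential:
        name: linux-admin
        organization: "{{ org_name }}"
        credential_type: Machine
        inputs:
          username: admin
        state: present

    - name: Link the machine credential's password field to the CyberArk lookup
      awx.awx.credential_input_source:
        input_field_name: password
        target_credential: linux-admin
        source_credential: cyberark-ccp
        # Same values you would type into the Object Query, Object Query Format and Reason fields
        metadata:
          object_query: "Safe=test;UserName=admin"
          object_query_format: Exact
          reason: "Ansible deployment"
        state: present
```

The password is never stored in the controller; it is fetched from the CCP each time a job template that uses linux-admin runs.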

Method 2. Using cyberark.pas collection

If you are using the Ansible CLI (without the Ansible Automation Platform or AWX), you need to install and use the cyberark.pas collection as follows.

$ ansible-galaxy collection install cyberark.pas

Use the CyberArk Provider in Ansible Playbooks:

You can use the credentials in your Ansible playbooks by calling the cyberark.pas.cyberark_credential module. Here's an example playbook that uses the CyberArk Provider:

---
- name: Example playbook using CyberArk PAS
  hosts: "{{ remote_nodes }}"
  gather_facts: false

  collections:
    - cyberark.pas

  tasks:
    - name: Retrieve credentials from CyberArk PVWA
      cyberark.pas.cyberark_credential:
        api_base_url: "https://cyberark.example.com"
        app_id: "ansible"
        # Disable only for lab setups with self-signed certificates; keep validation on in production
        validate_certs: false
        reason: "requesting credential for Ansible deployment"
        connection_timeout: 60
        # The Safe and UserName properties identify the CyberArk Object created earlier
        # (the module has no separate object-name parameter; the query selects the object)
        query: "Safe=test;UserName=admin"
        query_format: "Exact"
        # Fail instead of returning a password that is in the middle of a rotation
        fail_request_on_password_change: true
      register: ca_cred
      delegate_to: localhost
      no_log: true

    - name: Set ansible_user and ansible_password for the remote node
      ansible.builtin.set_fact:
        ansible_user: "{{ ca_cred.result.UserName }}"
        ansible_password: "{{ ca_cred.result.Content }}"
      no_log: true

    - name: Execute some command
      ansible.builtin.shell: "hostname"
      register: shell_output

In this example, the cyberark_credential task retrieves the credentials for the target system from the CyberArk Object and saves them in the ca_cred variable. The set_fact task copies the username and password into ansible_user and ansible_password, so the Execute some command task connects to the target system with the retrieved credentials to run the specified command.

Also, notice the no_log: true lines to mask the sensitive data in the logs.

Note: Remember to use cyberark.pas.cyberark_authentication where the appropriate authentication is required.

Conclusion

Integrating the Ansible Automation Platform with CyberArk provides a powerful solution to automate credential management and improve security in your organization. By using CyberArk to securely store and manage privileged credentials, and Ansible to automate the retrieval of those credentials, you can ensure that only authorized users and processes have access to sensitive information. This integration allows you to streamline your IT operations, reduce manual errors, and increase overall efficiency. With the continuous evolution of security threats, it's crucial to implement tools that can help you stay ahead of the game. By combining CyberArk and Ansible, you can achieve a more secure and efficient IT environment, ultimately improving your organization's overall security posture.

Gineesh Madapparambath is the founder of techbeatly and he is the author of the book Ansible for Real-Life Automation. He has worked as a Systems Engineer, Automation Specialist, and content author. His primary focus is on Ansible Automation, Containerisation (OpenShift & Kubernetes), and Infrastructure as Code (Terraform). (aka Gini Gangadharan - iamgini.com)

Comments

1 Response

  1. gk says:

    This title perfectly highlights the importance of security when it comes to automation and showcases the valuable integration of Ansible Automation Platform with CyberArk. A well-informed and forward-thinking read for anyone in the tech industry.
