Ansible / Automation / DevOps
Integrating the Ansible Automation Platform with CyberArk allows you to retrieve credentials securely and automatically from CyberArkโs Password Vault Web Access (PVWA) and use them in Ansible playbooks. Here are the steps to integrate the Ansible Automation Platform with CyberArk.
Disclaimer: This article is a work in progress and may contain incomplete or inaccurate information. The code provided has been tested in a limited environment and may require additional configuration for your specific setup. Use the code at your own risk.
You can implement this integration using the CyberArk AIM Central Credential Provider Lookup or cyberark.pas
the collection inside the playbook.
Also read: Ansible vs. Red Hat Ansible Automation Platform
The Password Vault Web Access (PVWA) is a CyberArk component that enables you to access and configure the Privileged Access Security solution over the Web.
CP stands for Credential Provider in CyberArk, a tool that can securely retrieve passwords and applicationsโ secrets from a Vault. It can be installed on servers running applications, or on the developer machine. The Credential Provider offers a variety of features, including:
CyberArkโs Central Credential Provider (CCP) is a credential vault that can be used by enterprises. Itโs an agentless AAM method that allows applications to securely retrieve credentials from a vault during runtime without installing it on each end-user machine. CCP is installed on a separate Windows server.
The Application Server Credential Provider (ASCP) eliminates hard-coded credentials embedded in data sources of application servers, such as IBM WebSphere, Oracle Weblogic, JBoss, and Apache Tomcat.
CyberArkโs Privileged Session Manager (PSM) enhances security for organizations by managing, monitoring, and safeguarding privileged access to sensitive systems without exposing actual credentials to users. Acting as a gateway, PSM secures high-risk environments by storing and rotating credentials in a secure vault, enforcing access control, and enabling detailed session monitoring. With support for RDP, SSH, and web protocols, PSM provides compatibility across different systems, centralizing privileged access and logging user actions for compliance and auditing, making it a robust solution for organizations aiming to protect against potential security breaches associated with privileged access.
CyberArkโs Central Policy Manager (CPM) automates and enforces credential management policies for privileged accounts, ensuring consistent security and compliance across an organization. By regularly changing, verifying, and rotating passwords without disrupting workflows, CPM minimizes the risks associated with static credentials. It integrates with various target systems, supporting different platforms and protocols, and is configured to securely store and update passwords within the CyberArk Vault. CPM enables organizations to centralize and streamline credential management, reinforcing security policies across IT environments.
The Central Credential Provider uses advanced means to authenticate applications requesting credentials based on varying operating system and application characteristics. The Central Credential Provider runs as a web service that is used by applications residing on remote machines.
Disclaimer: CyberArk credentials can be retrieved via a REST API call using the Get Password Value method, which allows users to obtain the password or SSH key of an existing account identified by its Account ID. Users may also specify a reason and ticket ID if required. This capability is intended for human use only and is not recommended for applications or automated processes. For application-based authentication in automated processes, please refer to the Secrets Manager Credential Providers documentation.
The following configurations at the CyberArk side have to be configured before proceeding with Ansible configurations.
You need to create a CyberArk Application Identity to enable the Ansible Automation Platform to retrieve credentials from CyberArk PVWA. You can create an Application Identity by following these steps:
You need to create a CyberArk Safe to store the credentials that you want to use in your Ansible playbooks. You can create a Safe by following these steps:
You need to create a CyberArk Object to store the credentials for the target system that you want to manage using the Ansible Automation Platform. You can create a CyberArk Object by following these steps:
Setting up a machine credential with CyberArk vault lookup is pretty straightforward in the Ansible Automation Platform.
From the utomation controller WEBUI, Credential โ> Create new credential as follows.
I will ignore the certificate portions to make this guide simple.
Create a new credential as follows; do not put any password in the Password field.
Now, click on the Key icon near the Password field and select the previously created CyberArk AIM Central Credential Provider Lookup credential as follows.
Click next and input the object query, format and reason fields as follows.
Now you can use this machine credential in job templates to retrieve and use credentials dynamically.
If you are using the Ansible CLI (without Ansible Automation Platform or Ansible AWX, then you need to install and utilize the cyberark.pas
collection as follows.
$ ansible-galaxy collection install cyberark.pas
You can use the credentials in your Ansible playbooks by calling the cyberark.pas.cyberark_credential module
. Hereโs an example playbook that uses the CyberArk Provider:
---
- name: Example playbook using CyberArk PAS
hosts: "{{ remote_nodes }}"
gather_facts: false
collections:
- cyberark.pas
tasks:
- name: Retrieve credentials using Central Credential Provider
cyberark.pas.cyberark_credential:
api_base_url: "https://cyberark.example.com"
app_id: "ansible"
aim_object: "target_system_object_name"
validate_certs: false
reason: "requesting credential for Ansible deployment"
connection_timeout: 60
query: "Safe=test;UserName=admin"
query_format: "Exact"
fail_request_on_password_change: True
register: ca_cred
delegate_to: localhost
no_log: true
- name: Set ansible_password to remote node
ansible.builtin.set_fact:
ansible_user: "{{ ansible_user }}"
ansible_password: "{{ ca_cred.result.Content }}"
no_log: true
- name: Execute some command
ansible.builtin.shell: "hostname"
register: shell_output
In the above snippet,
api_base_url
: the base URL of the server hosting the Central Credential Provider.query
: details of the object being queried.In this example, the cyberark_credential
task retrieves the credentials for the target system from the CyberArk Object and saves them in the ca_cred
variable. The Execute some command
task uses the retrieved credentials to execute the specified command on the target system.
Also, notice the no_log: true
lines to mask the sensitive data in the logs.
Note: Remember to use the cyberark.pas.cyberark_authentication
for the appropriate authentication.
Integrating the Ansible Automation Platform with CyberArk provides a powerful solution to automate credential management and improve security in your organization. By using CyberArk to securely store and manage privileged credentials, and Ansible to automate the retrieval of those credentials, you can ensure that only authorized users and processes have access to sensitive information. This integration allows you to streamline your IT operations, reduce manual errors, and increase overall efficiency. With the continuous evolution of security threats, itโs crucial to implement tools that can help you stay ahead of the game. By combining CyberArk and Ansible, you can achieve a more secure and efficient IT environment, ultimately improving your organizationโs overall security posture.
Disclaimer:
The views expressed and the content shared in all published articles on this website are solely those of the respective authors, and they do not necessarily reflect the views of the author’s employer or the techbeatly platform. We strive to ensure the accuracy and validity of the content published on our website. However, we cannot guarantee the absolute correctness or completeness of the information provided. It is the responsibility of the readers and users of this website to verify the accuracy and appropriateness of any information or opinions expressed within the articles. If you come across any content that you believe to be incorrect or invalid, please contact us immediately so that we can address the issue promptly.
Gineesh Madapparambath
Gineesh Madapparambath is the founder of techbeatly and he is the co-author of The Kubernetes Bible, Second Edition. and the author of ๐๐ป๐๐ถ๐ฏ๐น๐ฒ ๐ณ๐ผ๐ฟ ๐ฅ๐ฒ๐ฎ๐น-๐๐ถ๐ณ๐ฒ ๐๐๐๐ผ๐บ๐ฎ๐๐ถ๐ผ๐ป.
He has worked as a Systems Engineer, Automation Specialist, and content author. His primary focus is on Ansible Automation, Containerisation (OpenShift & Kubernetes), and Infrastructure as Code (Terraform).
(aka Gini Gangadharan - iamgini.com)
This site uses Akismet to reduce spam. Learn how your comment data is processed.1 Response
Leave a Reply Cancel reply
This title perfectly highlights the importance of security when it comes to automation and showcases the valuable integration of Ansible Automation Platform with CyberArk. A well-informed and forward-thinking read for anyone in the tech industry.