community.general.cyberarkpassword lookup – get secrets from CyberArk AIM

Note

This lookup plugin is part of the community.general collection (version 9.4.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general. You need further requirements to be able to use this lookup plugin, see Requirements for details.

To use it in a playbook, specify: community.general.cyberarkpassword.

Synopsis

  • Get secrets from CyberArk AIM.

Requirements

The below requirements are needed on the local controller node that executes this lookup.

  • CyberArk AIM tool installed

Keyword parameters

This describes keyword parameters of the lookup. These are the values key1=value1, key2=value2 and so on in the following examples: lookup('community.general.cyberarkpassword', key1=value1, key2=value2, ...) and query('community.general.cyberarkpassword', key1=value1, key2=value2, ...)

Parameter

Comments

_command

string

Cyberark CLI utility.

Default: "/opt/CARKaim/sdk/clipasswordsdk"

Configuration:

_extra

string

for extra_params values please check parameters for clipasswordsdk in CyberArk’s “Credential Provider and ASCP Implementation Guide”

appid

string / required

Defines the unique ID of the application that is issuing the password request.

output

string

Specifies the desired output fields separated by commas.

They could be: Password, PassProps.<property>, PasswordChangeInProcess

Default: "password"

query

string / required

Describes the filter criteria for the password retrieval.

Notes

Note

  • For Ansible on Windows, please change the -parameters (-p, -d, and -o) to /parameters (/p, /d, and /o) and change the location of CLIPasswordSDK.exe.

Examples

- name: passing options to the lookup
  ansible.builtin.debug:
      msg: '{{ lookup("community.general.cyberarkpassword", cyquery) }}'
  vars:
    cyquery:
      appid: "app_ansible"
      query: "safe=CyberArk_Passwords;folder=root;object=AdminPass"
      output: "Password,PassProps.UserName,PassProps.Address,PasswordChangeInProcess"


- name: used in a loop
  ansible.builtin.debug:
      msg: "{{item}}"
  with_community.general.cyberarkpassword:
      appid: 'app_ansible'
      query: 'safe=CyberArk_Passwords;folder=root;object=AdminPass'
      output: 'Password,PassProps.UserName,PassProps.Address,PasswordChangeInProcess'

Return Value

Key

Description

Return value

list / elements=dictionary

A list containing one dictionary.

Returned: success

passprops

dictionary

properties assigned to the entry

Returned: success

password

string

The actual value stored

Returned: success

passwordchangeinprocess

string

did the password change?

Returned: success

Authors

  • Unknown

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.