A SecretManagement extension for CyberArk. It supports connecting to the Vault through the REST API, the Credential Provider, or the Central Credential Provider.
The psPAS or CredentialRetriever module is used to communicate with the Vault.
- The psPAS PowerShell module
- The CredentialRetriever PowerShell module
- The SecretManagement PowerShell module
From PowerShell Gallery
Install-Module SecretManagement.CyberArk

Once installed, it must be registered as an extension for SecretManagement. Depending on how you want to connect to the Vault, you will need to provide the appropriate parameters.
Specify CredentialProvider as the ConnectionType, the AppID to authenticate as, and optionally a ClientPath to the Credential Provider executable (otherwise the existing ClientPath previously set via Set-AIMConfiguration is used).
$VaultParameters = @{
    ConnectionType = 'CredentialProvider'
    AppID          = 'windowsScript'
    ClientPath     = 'C:\Path\To\CLIPasswordSDK.exe'
}
Register-SecretVault -Name CyberArk -ModuleName SecretManagement.CyberArk -VaultParameters $VaultParameters

Specify CentralCredentialProvider as the ConnectionType, the AppID to authenticate as, and the URL for the Central Credential Provider. Optionally, parameters such as SkipCertificateCheck, UseDefaultCredentials, Credential, CertificateThumbPrint, and Certificate can be specified.
$VaultParameters = @{
    ConnectionType       = 'CentralCredentialProvider'
    AppID                = 'windowsScript'
    URL                  = 'https://comp01.contoso.com'
    SkipCertificateCheck = $true   # skips validation of the server's TLS certificate
}
Register-SecretVault -Name CyberArk -ModuleName SecretManagement.CyberArk -VaultParameters $VaultParameters

Specify REST as the ConnectionType and an existing PASSession will be used.
$VaultParameters = @{
    ConnectionType = 'REST'
}
Register-SecretVault -Name CyberArk -ModuleName SecretManagement.CyberArk -VaultParameters $VaultParameters

You use the typical SecretManagement commands such as Get-Secret and Set-Secret.
To retrieve the password for an account named localAdmin01:
Get-Secret -Name localAdmin01 -VaultName CyberArk
or
Get-PASAccount -search localAdmin01 -safeName Windows | Get-Secret -VaultName CyberArk

Note: If multiple results are returned from CyberArk, the first one is provided.
To retrieve the password for an account named linuxAdmin01 where policy requires a reason:
Get-Secret -Name linuxAdmin01 -AdditionalParameters @{Reason = 'To do things' } -VaultName CyberArk

To create a new credential in the Vault use:
$Secret = ConvertTo-SecureString 'verySecret!' -AsPlainText -Force
$NewCredentialProperties = @{
    platformId = 'WindowsDomainAccount'
    safeName   = 'Windows'
    address    = 'iosharp.lab'
    userName   = 'localAdmin10'
}
Set-Secret -VaultName CyberArk -Secret $Secret -AdditionalParameters $NewCredentialProperties

Note: The value passed to the Name argument will be used as the name property for the account in CyberArk. If you want CyberArk to generate the name for the account automatically, do not use the Name argument. This is not supported for the CentralCredentialProvider and CredentialProvider connection types.
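
A hardened variant of the Central Credential Provider registration shown earlier, as an added example that is not part of the module's own documentation: it authenticates with a client certificate through CertificateThumbPrint, leaves SkipCertificateCheck out, and lists any registered CyberArk vault that still sets it. The vault name CyberArkCcp, the function name Find-InsecureCyberArkVault and the thumbprint placeholder are assumptions, as is the behaviour that omitting SkipCertificateCheck leaves TLS validation enabled.

```powershell
# Added example; not code from the SecretManagement.CyberArk project.
# Assumed names: vault 'CyberArkCcp', function Find-InsecureCyberArkVault.

function Find-InsecureCyberArkVault {
    # Registered CyberArk vaults whose parameters disable TLS certificate validation.
    Get-SecretVault |
        Where-Object { $_.ModuleName -eq 'SecretManagement.CyberArk' } |
        Where-Object {
            $_.VaultParameters.ContainsKey('SkipCertificateCheck') -and
            [bool]$_.VaultParameters['SkipCertificateCheck']
        } |
        Select-Object Name, @{ n = 'URL'; e = { $_.VaultParameters['URL'] } }
}

# Register against the Central Credential Provider with a client certificate.
# SkipCertificateCheck is omitted (assumed to leave server certificate validation on).
$VaultParameters = @{
    ConnectionType        = 'CentralCredentialProvider'
    AppID                 = 'windowsScript'
    URL                   = 'https://comp01.contoso.com'
    CertificateThumbPrint = '<CLIENT-CERT-THUMBPRINT>'   # placeholder, not a real value
}
Register-SecretVault -Name CyberArkCcp -ModuleName SecretManagement.CyberArk -VaultParameters $VaultParameters

# Fail the run if any CyberArk vault registered for the current user skips validation.
$insecure = @(Find-InsecureCyberArkVault)
if ($insecure.Count -gt 0) {
    $insecure | Format-Table -AutoSize | Out-String | Write-Warning
    throw "$($insecure.Count) CyberArk vault registration(s) set SkipCertificateCheck."
}

# Retrieve the secret without -AsPlainText so it is not rendered as clear text.
$secret = Get-Secret -Name localAdmin01 -VaultName CyberArkCcp
```

Vault registrations are stored per user, so the check only covers the account that runs it.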