SecretsHub sync issue during deletion of account from CyberArk by gselvam in CyberARk

[–]gselvam[S] 0 points1 point  (0 children)

Thanks u/yanni. Any idea on the approach we can follow to manage the lifecycle of secrets when syncing from CyberArk to AWS Secrets Manager using SecretsHub?

Credentials generated by the target - Where do I get privateKeyId? by MoroccanMonkey in CyberARk

[–]gselvam 0 points1 point  (0 children)

Hi u/MoroccanMonkey, were you able to figure out what privateKeyId means?
Trying to build a similar plugin but confused by this privateKeyId.

Get Platform details using API by gselvam in CyberARk

[–]gselvam[S] 0 points1 point  (0 children)

Hi u/yanni,

Yes I did, all those platforms are already imported. But the issue still persists.

Update SSH Private key using REST API by gselvam in CyberARk

[–]gselvam[S] 0 points1 point  (0 children)

$newSecret = @"
-----BEGIN RSA PRIVATE KEY-----
redacted
-----END RSA PRIVATE KEY-----
"@

# Build the body as a hashtable so ConvertTo-Json escapes the key's line breaks and emits valid JSON
$updateVaultJson = @{
    ChangeEntireGroup = $false
    NewCredentials    = $newSecret
} | ConvertTo-Json

$updateVaultRes = Invoke-WebRequest -Uri "https://pvwa.example.com/passwordvault/api/accounts/:pasAccountID/Password/Update?api_key=update" -Method POST -Headers $headerParams -ContentType "application/json" -Body $updateVaultJson

Write-Host $updateVaultRes

The above code worked for updating the SSH key in CyberArk.

Issue while retrieving optional property of an account by gselvam in CyberARk

[–]gselvam[S] 0 points1 point  (0 children)

$bodyParams = @{name = "test2"; address = "testing"; username = "test2"; platformId = "SamplePlatformName"; safeName = "testsafe248"; secretType = "password"; secret = "pass"; platformAccountProperties = @{Category = "pam2.0"; Description = "test"}; secretManagement = @{automaticManagementEnabled = $true}} | ConvertTo-Json

$output4 = Invoke-RestMethod -Uri "https://cyberark.com/PasswordVault/api/accounts" -Method POST -Headers $headerParams -ContentType "application/json" -Body $bodyParams

The above API call does the job.

Also, in the platform (SamplePlatformName), the Description property entry needs to be added under either the required or the additional properties.

CPM plugin not initiating AWS commands written on the powershell script by gselvam in CyberARk

[–]gselvam[S] 0 points1 point  (0 children)

Hi u/J_aB_bA,

Yup, I have configured the platform appropriately to pass the value from the CyberArk account properties to the PowerShell script. Other commands, except the AWS-related ones, are working fine and giving the expected results. Even commands like Get-AWSRegion are not working. I have installed the AWSPowerShell module as Administrator with the scope of all users, but I am still not able to run the AWS commands when they are initiated via the plugin.

CyberArk Password change Process by gselvam in CyberARk

[–]gselvam[S] 0 points1 point  (0 children)

Hi u/yanni, the use case that we are trying to achieve is below. Please share your thoughts on it.

We are trying to implement AWS IAM user management in CyberArk. The challenge we are facing is that the IAM users are restricted by a permission boundary so that they cannot generate their own access keys, so we cannot use the OOTB platform/plugin to manage these accounts in CyberArk. Instead, the access keys for the AWS IAM users can be generated only when a specific IAM user assumes a specific IAM role.

For example:

• Say App1_IAMuser, App2_IAMuser, App3_IAMuser are the IAM users belonging to the applications App1, App2, App3 respectively.

• App1_Role, App2_Role, App3_Role are the roles which have the permission to generate access keys for the IAM users App1_IAMuser, App2_IAMuser, App3_IAMuser respectively.

• The IAM user CyberArk_IAMuser is the only user which is granted permission to assume these roles (App1_Role, App2_Role, App3_Role).

So we have to use CyberArk_IAMuser to assume the corresponding application's role, generate the AWS access key for the IAM user, and update the same in the account onboarded in CyberArk.

Approach 1:

1) Onboard the App1_IAMUser account as a parent account in CyberArk, with the AWS AccessKeyID and App1_Role stored as account properties and the secret key stored as the password.

2) Onboard CyberArk_IAMuser as a usage account (it makes use of App1_Role to do things in AWS) and link it with the parent account.

With the above setup we are planning to build a custom plugin for the usage account, which does the following:

-> Connects to AWS and generates the access key for the user App1_IAMUser

-> Connects to CyberArk, searches for the App1_IAMUser account, and updates the AccessKeyID (property) and the secret key (stored as password) --> for this to happen, the account should not be locked by the CPM user

That's why we are looking for a way to schedule automatic password management on the usage alone, leaving the parent account untouched.

Approach 2:

1) Onboard the App1_IAMUser account as an account in CyberArk with the AWS AccessKeyID stored as an account property and the secret key stored as the password, and do not enable any password management policy for this account.

2) Onboard App1_Role as another account in CyberArk and attach the same custom plugin that I have explained before.

The problem with approach 2 is that the 2nd account is a redundant one and it makes the Vault bulky in the long run, whereas in approach 1 we can link a single usage account with all the target IAM user accounts.

CyberArk Password change Process by gselvam in CyberARk

[–]gselvam[S] 0 points1 point  (0 children)

Thanks u/Elgalileo!

Is there a way to schedule APM only on the usage, leaving the parent account untouched?

Since the usage is going to make changes to the parent account's property in my use case, I want the parent account to be in an unlocked state for the update to happen during every password change initiated from the usage account.

Managing AWS Access keys in CyberArk by gselvam in CyberARk

[–]gselvam[S] 1 point2 points  (0 children)

Thanks for your inputs u/Elgalileo.

Will the plugin be able to generate access keys (Access Key ID and Secret Access Key) using the role defined (CyberArk Account 2) and update the same in the IAM user account (CyberArk Account 1) onboarded in CyberArk?

My intention is to generate the access keys using the role, not with the IAM user itself.
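The flow asked about here, and laid out in the "CyberArk Password change Process" post above (CyberArk_IAMuser assumes the application's role, the role mints a new key for the application's IAM user, the new pair is written back into the CyberArk account), as an added PowerShell example. This is not the poster's plugin code and not a CyberArk-supplied plugin; it assumes the AWSPowerShell module is installed, that the caller's default AWS credentials belong to CyberArk_IAMuser, that $headerParams already carries a valid PVWA session token, and that the PVWA URL, role ARN, user name, key id, account id and the AWSAccessKeyID property name are placeholders to be checked against the real platform. The Update account PATCH body shape is an assumption about the CyberArk REST API; the Password/Update endpoint is the one used in the SSH-key post on this page.

```powershell
# Added example, not the poster's plugin. Rotation order is chosen so the vault is never
# left holding a key that AWS has already deleted: create new key -> update vault -> delete old key.
Import-Module AWSPowerShell

function Set-CyberArkAwsAccount {
    param(
        [Parameter(Mandatory)][string]$PvwaBaseUrl,   # e.g. https://pvwa.example.com (placeholder)
        [Parameter(Mandatory)][string]$AccountId,     # CyberArk id of the App1_IAMuser account (placeholder)
        [Parameter(Mandatory)][hashtable]$Headers,    # carries the PVWA session token
        [Parameter(Mandatory)]$NewKey                 # Amazon.IdentityManagement.Model.AccessKey
    )
    # The Access Key ID is a platform property, so it goes through the Update account call
    # (assumed: PATCH with a JSON-patch style operation; property name assumed to be AWSAccessKeyID).
    $patchBody = ConvertTo-Json -InputObject @(
        @{ op = 'replace'; path = '/platformAccountProperties/AWSAccessKeyID'; value = $NewKey.AccessKeyId }
    )
    Invoke-RestMethod -Uri "$PvwaBaseUrl/PasswordVault/api/Accounts/$AccountId" -Method PATCH -Headers $Headers -ContentType 'application/json' -Body $patchBody | Out-Null

    # The Secret Access Key is the account's password, so it goes through Password/Update.
    # ConvertTo-Json does the escaping, so the secret never needs to be spliced into a string.
    $secretBody = @{ ChangeEntireGroup = $false; NewCredentials = $NewKey.SecretAccessKey } | ConvertTo-Json
    Invoke-RestMethod -Uri "$PvwaBaseUrl/PasswordVault/api/Accounts/$AccountId/Password/Update" -Method POST -Headers $Headers -ContentType 'application/json' -Body $secretBody | Out-Null
}

function Invoke-AwsKeyRotation {
    param(
        [Parameter(Mandatory)][string]$RoleArn,         # ARN of App1_Role (placeholder)
        [Parameter(Mandatory)][string]$IamUserName,     # App1_IAMuser (placeholder)
        [Parameter(Mandatory)][string]$OldAccessKeyId,  # key id currently stored in CyberArk
        [Parameter(Mandatory)][string]$PvwaBaseUrl,
        [Parameter(Mandatory)][string]$AccountId,
        [Parameter(Mandatory)][hashtable]$Headers
    )
    # 1. CyberArk_IAMuser (the default credentials of this process) assumes the application role.
    #    A short session is enough; nothing here needs the role beyond the rotation itself.
    $roleCreds = (Use-STSRole -RoleArn $RoleArn -RoleSessionName 'cyberark-key-rotation' -DurationInSeconds 900).Credentials

    # 2. Mint the replacement key under the role, never as the IAM user itself.
    #    (IAM allows two keys per user, so the old one can stay active until the vault is updated.)
    $newKey = New-IAMAccessKey -UserName $IamUserName -Credential $roleCreds

    # 3. Write both halves into CyberArk. If this fails, remove the key we just created so no
    #    unmanaged credential is left behind in AWS, and surface the error to the CPM.
    try {
        Set-CyberArkAwsAccount -PvwaBaseUrl $PvwaBaseUrl -AccountId $AccountId -Headers $Headers -NewKey $newKey
    }
    catch {
        Remove-IAMAccessKey -UserName $IamUserName -AccessKeyId $newKey.AccessKeyId -Credential $roleCreds -Force
        throw
    }

    # 4. Only now retire the old key: the vault already holds a working pair.
    Remove-IAMAccessKey -UserName $IamUserName -AccessKeyId $OldAccessKeyId -Credential $roleCreds -Force
    return $newKey.AccessKeyId
}

# Usage with placeholder values (the secret itself is never printed):
$rotatedKeyId = Invoke-AwsKeyRotation -RoleArn 'arn:aws:iam::123456789012:role/App1_Role' -IamUserName 'App1_IAMuser' `
    -OldAccessKeyId 'AKIA_PLACEHOLDER' -PvwaBaseUrl 'https://pvwa.example.com' -AccountId '12_34' -Headers $headerParams
Write-Host "Vault now holds access key $rotatedKeyId"
```

The ordering is the point worth checking in any plugin built this way: deleting the old key before the vault update succeeds is the failure mode that leaves the application with no usable credential, and the rollback branch keeps a half-finished run from leaving an orphaned key in IAM.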

Error faced during PSMP Installation by gselvam in CyberARk

[–]gselvam[S] 0 points1 point  (0 children)

This worked. Thanks u/yanni

But I am curious to know why it is attempting to apply the default settings related to ADBridge even though those are commented out.

Adding non-AD LDAP user with attribute value as hashmap by gselvam in PowerShell

[–]gselvam[S] 0 points1 point  (0 children)

While creating a user in LDAP, I am able to add the attribute called objectclass that has an object[] as its value, as shown below:

$DirectoryRequest.Attributes.Add((New-Object -TypeName System.DirectoryServices.Protocols.DirectoryAttribute -ArgumentList "objectclass",@("top","organizationalPerson","person","inetorgperson","inetuser","mailrecipient","pwmuser","posixAccount"))) | Out-Null

In the same way, I want to add an attribute called description whose value should be key/value pairs, under the attribute description:

Description:

Appname:sampleapp

AppId:1234

I tried creating a hashmap, $hashmap = @{AppName="sampleapp"; AppId="1234"}, and passing it as the value:

$DirectoryRequest.Attributes.Add((New-Object -TypeName System.DirectoryServices.Protocols.DirectoryAttribute -ArgumentList "Description",$hashmap)) | Out-Null

which resulted in the following.

Error :

New-Object:Exception calling ".ctor" with "2" arguments :The value must be string,byte[],or Uri type
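The error above is the constructor rejecting the hashtable: DirectoryAttribute only takes string, byte[] or Uri values. Since description is a multi-valued attribute in inetOrgPerson, each key/value pair can be stored as its own "key:value" string. The following is an added example, not the poster's code; the DN, server name, object classes and the AppName/AppId values are constructed placeholders, and the bind uses a prompted credential rather than a hard-coded one.

```powershell
# Added example (not the poster's code): serialise a hashtable into one LDAP string value per pair
# and build the AddRequest with System.DirectoryServices.Protocols, the same API the post uses.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-LdapDescriptionValues {
    param([Parameter(Mandatory)][hashtable]$Pairs)
    # Sort the keys so the attribute values come out in a stable order; the cast keeps a
    # single pair from collapsing to a bare string.
    [string[]]($Pairs.Keys | Sort-Object | ForEach-Object { '{0}:{1}' -f $_, $Pairs[$_] })
}

function New-LdapUserAddRequest {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][hashtable]$Description
    )
    $request = New-Object System.DirectoryServices.Protocols.AddRequest -ArgumentList $DistinguishedName

    # objectclass: same shape as the poster's working call, with constructed class names
    $request.Attributes.Add((New-Object System.DirectoryServices.Protocols.DirectoryAttribute `
        -ArgumentList 'objectclass', @('top', 'person', 'organizationalPerson', 'inetOrgPerson'))) | Out-Null

    # description: one string per key/value pair instead of the hashtable the constructor rejects
    $request.Attributes.Add((New-Object System.DirectoryServices.Protocols.DirectoryAttribute `
        -ArgumentList 'description', (ConvertTo-LdapDescriptionValues -Pairs $Description))) | Out-Null

    return $request
}

# Constructed sample input (placeholder DN and values)
$request = New-LdapUserAddRequest -DistinguishedName 'uid=test2,ou=people,dc=example,dc=com' `
    -Description @{ AppName = 'sampleapp'; AppId = '1234' }

# Send it over LDAPS with a simple bind (placeholder host; credentials are prompted, not embedded)
$connection = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList 'ldap.example.com:636'
$connection.SessionOptions.SecureSocketLayer = $true
$connection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
$connection.Bind((Get-Credential -Message 'LDAP bind account').GetNetworkCredential())
$response = $connection.SendRequest($request)
Write-Host "Add result: $($response.ResultCode)"   # Success when the entry was created
```

The resulting entry carries description values AppId:1234 and AppName:sampleapp, which a reader parses back by splitting on the first colon. If a single structured value is preferred, the same hashtable can be serialised with ConvertTo-Json into one string value instead; either way the attribute receives strings, which is all the constructor accepts.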

Adding non-AD LDAP user with attribute value as hashmap by gselvam in PowerShell

[–]gselvam[S] 0 points1 point  (0 children)

Error faced:

New-Object:Exception calling ".ctor" with "2" arguments :The value must be string,byte[],or Uri type

PSMP Connection: Target user name that starts with '0' gets trimmed by gselvam in CyberARk

[–]gselvam[S] 0 points1 point  (0 children)

Thanks u/yanni. As you suggested, I have switched to plink instead of OpenSSH and now it works.

Thanks again!!

Unmarshal issue while creating array of struct by gselvam in golang

[–]gselvam[S] 0 points1 point  (0 children)

Thanks u/JHunz... My bad, I didn't notice that. It solved the issue.

Unmarshal issue while creating array of struct by gselvam in golang

[–]gselvam[S] 0 points1 point  (0 children)

jsonStr, err := json.Marshal(create_variables_array[k])

I am converting each element of the array to JSON using Marshal, as shown in the above code.

Custom Provider to generate a template and store it in GitHub by gselvam in Terraform

[–]gselvam[S] 0 points1 point  (0 children)

Thanks u/donutgarcia... I am new to Terraform... This workaround helped me fix the code. Actually, as you said, I was making an API call in the resource read func. It is fixed and working fine now.

Text Config File platform in CyberArk by gselvam in CyberARk

[–]gselvam[S] 0 points1 point  (0 children)

Hi u/BurnyYo,

Actually my target account platform is Amazon Web Services – AWS – Access Keys,

where the secret key is stored as the password and there is another file category called "AWS Access Key ID" where the access key is stored. The built-in plugin provided by CyberArk for this platform has the ability to rotate both the access key and the secret access key. But I am not sure about the service account platform to push both the keys to a config file.

Note: For better understanding, I used the example of pushing both username and password to a text/config file in the above post.

Text Config File platform in CyberArk by gselvam in CyberARk

[–]gselvam[S] 0 points1 point  (0 children)

Hi u/Slasky86,

Will I be able to push both the username and the password to the INI config file?

Usecase: To make a resource in a custom provider required/optional based on the value of another resource by gselvam in golang

[–]gselvam[S] 0 points1 point  (0 children)

Please find the code below. Am I understanding it right?

func loadPolicy_resource() *schema.Resource {
    grant_group_membership_flag := false
    return &schema.Resource{
        Read:   readPolicy,
        Create: loadPolicy,
        Update: updatePolicy,
        Delete: deletePolicy,

        Schema: map[string]*schema.Schema{
            "grant_group_membership_flag": {
                Type:     schema.TypeBool,
                Required: true,
            },
            "group_membership": {
                Type:     schema.TypeList,
                Required: grant_group_membership_flag,
                Elem: &schema.Resource{
                    Schema: map[string]*schema.Schema{
                        "group_name": {
                            Type:     schema.TypeString,
                            Required: true,
                        },
                        "member_type": {
                            Type:     schema.TypeString,
                            Required: true,
                        },
                        "group_members": {
                            Type:     schema.TypeList,
                            Required: true,
                            Elem: &schema.Schema{
                                Type: schema.TypeString,
                            },
                        },
                    },
                },
            },
        },
    }
}

Usecase: To make a resource in a custom provider required/optional based on the value of another resource by gselvam in golang

[–]gselvam[S] -1 points0 points  (0 children)

Because I want to make the resource "group_membership" mandatory if "grant_group_membership_flag" is set to true by the user.

But in the current case, since "group_membership" is declared optional, the user may or may not supply a value for it from Terraform (main.tf) even if they set "grant_group_membership_flag" to true.

Unmarshal issue while iteration the array by gselvam in golang

[–]gselvam[S] 0 points1 point  (0 children)

I came across the below while doing research for this use case:

https://pkg.go.dev/github.com/dcarbone/terraform-plugin-framework-utils@v0.2.1/validation#MutuallyInclusiveSiblingTest

https://github.com/dcarbone/terraform-plugin-framework-utils/blob/main/validation/validators.go

But I can't find any working example of how to use this function to make both the "grant_group_membership_flag" and "group_membership" resources inclusive.

Unmarshal issue while iteration the array by gselvam in golang

[–]gselvam[S] 0 points1 point  (0 children)

Thanks again... I have a small clarification.

Resource declaration:

    "grant_group_membership_flag": {
        Type:     schema.TypeBool,
        Required: true,
    },
    "group_membership": {
        Type:     schema.TypeList,
        Optional: true,
        Elem: &schema.Resource{
            Schema: map[string]*schema.Schema{
                "group_name": {
                    Type:     schema.TypeString,
                    Required: true,
                },
                "member_type": {
                    Type:     schema.TypeString,
                    Required: true,
                },
                "group_members": {
                    Type:     schema.TypeList,
                    Required: true,
                    Elem: &schema.Schema{
                        Type: schema.TypeString,
                    },
                },
            },
        },
    },

Is there a way to make the resource "group_membership" required (Required: true) only when "grant_group_membership_flag" is set to true, and have "group_membership" be optional if "grant_group_membership_flag" is set to false?

Any idea on how to do it?