Oct 27 / Greg

Cyberark Vault Integration With Ansible Tower

CyberArk has some impressive security tools, and in today’s example I’m using their Vault product. We are connecting in through their AIM (Application Identity Manager) system. Like other secrets engines, AIM allows me to pull secure credentials from it at run time. Also, I’d like to give a big shoutout to the team at CyberArk for providing us with this excellent demo environment!

Demo Video

CyberArk

First I create an application. Honestly, I was lazy and just used testappid.

Next you add authentication certificates to use with the app.

After this I browse to policies and hit access control. From here I add any safes that I need access to.

I then select the safe and edit the members list.

Add the app that needs access. I just wanted it to retrieve passwords and not have any other access, so it only has Retrieve.

After this I pop into the vault.

I open the safe in question. Here it’s “Test”.

I then create a password object. In my case it’s “ansible” and the password is redhat. **After this hit the Logoff button**

Tower Configuration

Tower has a custom credential lookup plugin to utilize CA AIM, which I’ll use as a lookup for other credentials.

First I add a new credential of type “CyberArk AIM Central Credential Provider Lookup”

Next I put in my CA AIM URL, application id (in this case testappid), the client key, and the client cert.

Now I create another standard credential of any type (in this instance I use a standard machine credential). For the password, I click the magnifying glass and it displays the CyberArk AIM credential I just created.

I now put in the object query based on the safe of Test and object of ansible.

```
safe=Test;object=ansible
```
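To show what the lookup plugin is doing when Tower resolves that query, here is an added Python example (not the author's script and not Tower's plugin code) that turns the same object query into a Central Credential Provider request, presents the application's client certificate, and pulls the secret out of the reply. The endpoint path, parameter names and response fields are assumptions based on CCP's REST interface; the host name and the sample reply are constructed.

```python
"""Mimic the CyberArk AIM credential lookup: object query -> CCP request -> secret."""
import json
import ssl
import urllib.request
from urllib.parse import urlencode


def build_ccp_request(aim_url, app_id, object_query):
    """Return the CCP URL for a Tower-style query such as 'safe=Test;object=ansible'.
    Assumption: CCP exposes /AIMWebService/api/Accounts and takes AppID plus a
    Query of 'Safe=...;Object=...' pairs (keys capitalised)."""
    pairs = []
    for part in object_query.split(";"):
        key, _, value = part.partition("=")
        if not key.strip() or not value.strip():
            raise ValueError(f"malformed query segment: {part!r}")
        pairs.append(f"{key.strip().capitalize()}={value.strip()}")
    params = urlencode({"AppID": app_id, "Query": ";".join(pairs)})
    return f"{aim_url.rstrip('/')}/AIMWebService/api/Accounts?{params}"


def extract_secret(response_body):
    """Return (password, username) from a CCP JSON reply.
    Assumed layout: success replies carry 'Content' and 'UserName'; error replies
    carry 'ErrorCode' and 'ErrorMsg' instead, which we surface rather than swallow."""
    data = json.loads(response_body)
    if "Content" not in data:
        raise RuntimeError(f"CCP lookup failed: {data.get('ErrorCode')} {data.get('ErrorMsg')}")
    return data["Content"], data.get("UserName")


def fetch_secret(aim_url, app_id, object_query, client_cert, client_key, ca_bundle):
    """Live call (not exercised offline): mutual TLS with the app's client cert,
    and the CCP server certificate verified against ca_bundle. The app only
    needs Retrieve on the safe, as configured in the walkthrough above."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    with urllib.request.urlopen(build_ccp_request(aim_url, app_id, object_query), context=ctx) as resp:
        return extract_secret(resp.read().decode())


# Constructed sample reply shaped like a CCP success response (not captured from a real vault).
SAMPLE_REPLY = json.dumps({"Content": "redhat", "UserName": "ansible", "Safe": "Test", "Name": "ansible"})

if __name__ == "__main__":
    print(build_ccp_request("https://aim.example.test", "testappid", "safe=Test;object=ansible"))
    print(extract_secret(SAMPLE_REPLY))
```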

Github Scripts

My CyberArk repo is here.

Here is a demo script using a custom credential to display the ansible password:

As you can see, all of the magic is done in the lookup plugin, so there is nothing special to show here; that’s what’s so cool about the lookup (it’s so simple and clean).

Here’s another version updating the backup user on some Cisco switches:

Conclusion

It was a bear to figure all of this out, but once you have your head wrapped around it, it’s really quite simple. I really like how clean it all is.

If you have any questions or comments, please let me know.
Thanks and happy CyberArking 😉
