
Pyark – CyberArk Enterprise Password Vault CLI Tool

12. December 2017

Various companies currently rely on the proprietary Enterprise Password Vault from CyberArk to securely manage sensitive access information, certificates and SSH keys. This software allows, for example, user IDs and passwords for an application to be stored through a web interface.

But in an age when automation, provisioning and configuration management are cornerstones of every optimised IT infrastructure, manually storing sensitive information via web interface is no longer a viable strategy.

Accordingly, proper APIs are also an essential “state of the art” feature of any major web application, because without an API, many processes cannot be automated and optimised at all.

CyberArk’s Password Vault also allows certain processes to be implemented via API. However, in terms of quality, their API leaves much to be desired, and various API endpoints are still not available. On the other hand, account management is already working smoothly; for example, credentials can easily be stored automatically in the digital vault during an OS installation.

That’s why we’ve written the CLI tool Pyark, which is freely available on GitHub under the GPLv3.

Pyark

Pyark is a Python-based utility which simplifies interaction with the Password Vault API. The tool is easy to integrate into existing processes and saves a lot of unnecessary curl hacks.

One potential application is for storing the root password during the automated installation of a Linux distribution. For distributions from the RedHat family, the script can for example be implemented as a Kickstart post-task in order to securely store the root password.

At this point, you might be asking yourself why an additional tool is even necessary when we have utilities like curl. Unfortunately, the problem cannot be solved by a curl one-liner, because the API is structured in such a way that authentication has to be performed first. In other words, there is an initial step in which the username and password of the service account are sent to the API. If CyberArk is able to authenticate the user, you get a token back in the CyberArkLogonResult HTTP header. This token must be used for all subsequent requests. So any errors or authentication problems have to be handled, and the token also has to be extracted from the HTTP header, which is not exactly a snap with curl.
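To make the two-step flow concrete, here is a small Python sketch of what Pyark has to do under the hood: post the service account's credentials once, pull the session token out of the CyberArkLogonResult response header (checking the HTTP status and the header's presence rather than assuming success), and send that token instead of the credentials on every later call. This is an added illustration, not Pyark's own code. The logon path, the JSON field names of the logon body and the name of the request header that carries the token afterwards are assumptions, not taken from the post; confirm them against the API reference for your vault version.

```python
"""Logon flow from the paragraph above: authenticate once, extract the token
from the CyberArkLogonResult header, reuse it on subsequent requests.

Added illustration, not Pyark's own code.  Assumed (not stated in the post):
LOGON_PATH, the JSON field names in the logon body, and AUTH_HEADER, the
request header that carries the token on later calls.
"""
import json
import urllib.error
import urllib.request

LOGON_PATH = "/PasswordVault/WebServices/auth/Cyberark/CyberArkAuthenticationService.svc/Logon"  # assumed
TOKEN_HEADER = "CyberArkLogonResult"  # response header named in the post
AUTH_HEADER = "Authorization"         # assumed


class VaultError(Exception):
    """HTTP failure, or a 200 logon reply that carries no token."""


def urllib_transport(method, url, headers, body):
    """Live transport: returns (status, response headers, response body)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:  # non-2xx replies still carry headers/body
        return err.code, dict(err.headers), err.read()


def canned_transport(status, headers, body=b"{}"):
    """Constructed offline stand-in for urllib_transport: always answers with
    the given reply and records every request it was handed."""
    calls = []

    def send(method, url, hdrs, data):
        calls.append({"method": method, "url": url, "headers": hdrs, "body": data})
        return status, headers, body

    send.calls = calls
    return send


def logon(transport, base, user, password):
    """Step 1: send the service account credentials, return the session token."""
    status, headers, body = transport(
        "POST", base.rstrip("/") + LOGON_PATH,
        {"Content-Type": "application/json"},
        json.dumps({"username": user, "password": password}).encode(),
    )
    if status != 200:
        raise VaultError(f"logon rejected with HTTP {status}: {body[:200]!r}")
    # Header names are case-insensitive and proxies re-case them, so fold before lookup.
    folded = {k.lower(): v for k, v in headers.items()}
    token = folded.get(TOKEN_HEADER.lower())
    if not token:
        raise VaultError(f"HTTP 200 but no {TOKEN_HEADER} header in the reply")
    return token


def authed_get(transport, base, token, path):
    """Steps 2..n: every later call carries the token instead of the credentials."""
    status, _, body = transport(
        "GET", base.rstrip("/") + path,
        {AUTH_HEADER: token, "Accept": "application/json"}, None,
    )
    if status != 200:
        raise VaultError(f"GET {path} failed with HTTP {status}: {body[:200]!r}")
    return json.loads(body)


def demo():
    """Run both steps against the canned transport (no network needed)."""
    base = "https://vault.example.com"
    vault = canned_transport(200, {"cyberarklogonresult": "tok-123"})  # constructed reply
    token = logon(vault, base, "foobar", "supersecret42")
    api = canned_transport(200, {}, b'{"items": []}')  # constructed reply
    result = authed_get(api, base, token, "/example/accounts")  # constructed path
    return token, api.calls[0]["headers"][AUTH_HEADER], result


if __name__ == "__main__":
    print(demo())
```

The transport is injected so the flow can be exercised without a vault, and so the failure branches (a 401 on logon, or a 200 with no token header) are handled explicitly rather than producing a confusing error on the second request. When wiring this into a real job, read the service account password from the environment or a root-only file rather than passing it on the command line, since argv is visible in process listings and shell history.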

Pyark currently supports the following functions:

  • Get accounts
  • Create accounts
  • Delete accounts

Note that a current version of the Password Vault must be installed. Otherwise, it is possible that the corresponding API endpoints have not yet been integrated. To check, it is best to request the API reference documentation for your version from the vendor and verify that the endpoints are available.

Installation

The installation is quite simple. You can either clone the GitHub repository and run setup.py or install Pyark directly from the internet with pip install pyark. Of course, if need be, you can also just copy and run the __init__.py.

Examples

Below are three examples of how an account can be read out, created and deleted.

  • Get account:
    $ pyark --base https://vault.example.com \
        --apiuser foobar \
        --apipassword supersecret42 \
        account get \
        --safe MySafe \
        --keywords bruce
  • Create account:
    $ pyark --base https://vault.example.com \
        --apiuser foobar \
        --apipassword supersecret42 \
        account create \
        --safe MySafe \
        --platformid TestPlatform \
        --accountname brucewayne \
        --address batcave.example.com \
        --username brucew \
        --password d4rkkn1ght
  • Delete account:
    $ pyark --base https://vault.example.com \
        --apiuser foobar \
        --apipassword supersecret42 \
        account delete \
        --safe MySafe \
        --accountname brucewayne \
        --keywords bruce