SecretManagement.CyberArk: An extension for the SecretManagement PowerShell module

The SecretManagement PowerShell module provides a common interface to interact with a wide array of secret vaults enabled through SecretManagement extensions. There are a handful of SecretManagement extensions, including for Azure KeyVault, KeePass, and LastPass.

The SecretManagement module supports having multiple secret vault types registered at the same time -- allowing you to access secrets in Azure KeyVault, KeePass, LastPass, etc. through the same cmdlets. The same secret vault type can also be registered multiple times, so you can, for example, retrieve secrets from several KeePass databases.

SecretManagement.CyberArk is a SecretManagement extension that adds support for connecting to CyberArk through the Credential Provider/Central Credential Provider (using CredentialRetriever) or through the REST API (using psPAS).

Using SecretManagement.CyberArk with the Central Credential Provider

The SecretManagement.CyberArk README provides the information we need to start working with the module.

The first step is to install and import both the Microsoft.PowerShell.SecretManagement and SecretManagement.CyberArk modules.

PS > Install-Module Microsoft.PowerShell.SecretManagement
PS > Install-Module SecretManagement.CyberArk
PS > Import-Module Microsoft.PowerShell.SecretManagement
PS > Import-Module SecretManagement.CyberArk

Next, we register a secret vault backed by the SecretManagement.CyberArk module. We give the vault a name to refer to when working with its secrets, specify that we want to use the Central Credential Provider, and pass the connection details in VaultParameters.

PS > $VaultParameters = @{
         ConnectionType       = 'CentralCredentialProvider'
         AppID                = 'windowsScript'
         URL                  = 'https://comp01'
         SkipCertificateCheck = $true
     }

PS > Register-SecretVault -Name CyberArk -ModuleName SecretManagement.CyberArk -VaultParameters $VaultParameters

Get-SecretInfo returns information about a secret: the name of the account, the data type Get-Secret will return for it, and the SecretManagement vault the secret is found in.

It also returns a Metadata property that shows information in CyberArk about the account.

PS > Get-SecretInfo -VaultName CyberArk -Filter windowsAdmin01
Name                                                                    Type         VaultName
----                                                                    ----         ---------
Operating System-ioSHARPWindowsDomainAccount-iosharp.lab-windowsAdmin01 SecureString CyberArk

PS > Get-SecretInfo -VaultName CyberArk -Filter windowsAdmin01 | Select-Object -ExpandProperty Metadata

Key                       Value
---                       -----
PolicyID                  ioSHARPWindowsDomainAccount
Folder                    Root
LastTask                  ChangeTask
CreationMethod            PVWA
Safe                      Windows
CPMStatus                 success
UserName                  windowsAdmin01
PasswordChangeInProcess   False
Address                   192.168.0.10
Name                      Operating System-ioSHARPWindowsDomainAccount-iosharp.lab-windowsAdmin01
LastSuccessVerification   1660836856
SequenceID                116
LastSuccessReconciliation 1660834970
DeviceType                Operating System
LastSuccessChange         1660923260
RetriesCount              -1

PS >

We retrieve the secret in a similar way through Get-Secret, returned as a SecureString.

PS > $Secret = Get-Secret -VaultName CyberArk -Name 'Operating System-ioSHARPWindowsDomainAccount-iosharp.lab-windowsAdmin01'
PS > $Secret.GetType()

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     False    SecureString                             System.Object

PS > $Secret | ConvertFrom-SecureString -AsPlainText
UTyga8!ZOEDvPhQsrwlI(xjb2K$c
PS >
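Converting the SecureString to plain text, as above, is useful to confirm the value during setup, but a script should avoid it. As an added example (not code from the original post or from the SecretManagement.CyberArk project), the function below wraps the two calls shown above: it looks the account up by its CyberArk UserName in the Metadata, fetches the SecureString, and returns a PSCredential that can be passed to any cmdlet taking -Credential. It assumes the CyberArk vault registered above and uses the parameter names shown in this session (-VaultName, -Filter); the function name is our own.

```powershell
function Get-CyberArkCredential {
    [CmdletBinding()]
    param(
        # CyberArk UserName of the account, as shown in the Metadata above (e.g. windowsAdmin01)
        [Parameter(Mandatory)] [string] $UserName,
        # Vault name given to Register-SecretVault above (assumed default)
        [string] $VaultName = 'CyberArk'
    )

    # -Filter matches on the account name; the UserName lives in Metadata, so match on it exactly
    # to avoid picking up a different account whose name merely contains the string.
    $info = @(Get-SecretInfo -VaultName $VaultName -Filter $UserName |
        Where-Object { $_.Metadata['UserName'] -eq $UserName })

    if ($info.Count -eq 0) {
        throw "No account with UserName '$UserName' found in vault '$VaultName'."
    }
    if ($info.Count -gt 1) {
        throw "UserName '$UserName' matched $($info.Count) accounts in vault '$VaultName'; narrow the lookup."
    }

    # Get-Secret returns a SecureString for this vault type (see the GetType() output above).
    $secure = Get-Secret -VaultName $VaultName -Name $info[0].Name
    if ($secure -isnot [securestring]) {
        throw "Expected a SecureString from vault '$VaultName' but received $($secure.GetType().Name)."
    }

    # Hand back a credential object; the password is never materialised as plain text here,
    # so nothing ends up in the console, a transcript, or script output.
    [pscredential]::new($UserName, $secure)
}

# Usage: pass the credential on instead of echoing the password.
# $cred = Get-CyberArkCredential -UserName windowsAdmin01
# Invoke-Command -ComputerName 192.168.0.10 -Credential $cred -ScriptBlock { whoami }
```

The exact-match check on Metadata UserName matters because -Filter is a substring match against the long CyberArk account name, so a filter such as windowsAdmin0 could return more than one account.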

The SecretManagement module supports adding and removing secrets through Set-Secret and Remove-Secret; however, as the Credential Provider and Central Credential Provider do not support this functionality, these two cmdlets are only implemented for the REST ConnectionType.

Working with multiple SecretManagement.CyberArk secret vaults

We can register multiple SecretManagement.CyberArk secret vaults. These secret vaults can use different connection types.

PS > $TestEnvironmentVaultParameters = @{
         ConnectionType = 'CredentialProvider'
         AppID          = 'linuxApp'
         ClientPath     = 'C:\Path\To\CLIPasswordSDK.exe'
     }

PS > Register-SecretVault -Name CyberArkTest -ModuleName SecretManagement.CyberArk -VaultParameters $TestEnvironmentVaultParameters

PS > $ProductionEnvironmentVaultParameters = @{
         ConnectionType       = 'CentralCredentialProvider'
         AppID                = 'windowsScript'
         URL                  = 'https://comp01'
     }

PS > Register-SecretVault -Name CyberArkProduction -ModuleName SecretManagement.CyberArk -VaultParameters $ProductionEnvironmentVaultParameters

Executing Get-SecretVault lists all our registered secret vaults and their names, so we can specify which vault to retrieve a secret from.

PS > Get-SecretVault

Name               ModuleName                IsDefaultVault
----               ----------                --------------
CyberArkProduction SecretManagement.CyberArk False
CyberArkTest       SecretManagement.CyberArk False

PS >
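When several CyberArk vaults are registered, a script may not know in advance whether an account lives in the test or the production environment. As an added example (not code from the original post or from the SecretManagement.CyberArk project), the function below searches every vault registered with the SecretManagement.CyberArk module for an account and reports where it was found, together with the Safe, UserName, Address and last successful change from the Metadata shown earlier. It uses the parameter names seen in this session (-VaultName, -Filter) and otherwise only the cmdlets already shown; the function name is our own.

```powershell
function Find-CyberArkAccount {
    [CmdletBinding()]
    param(
        # Passed to Get-SecretInfo -Filter, e.g. 'windowsAdmin01'
        [Parameter(Mandatory)] [string] $Filter,
        # Only vaults backed by this extension are searched; KeePass, Azure KeyVault etc. are skipped
        [string] $ModuleName = 'SecretManagement.CyberArk'
    )

    $vaults = @(Get-SecretVault | Where-Object ModuleName -eq $ModuleName)
    if ($vaults.Count -eq 0) {
        throw "No secret vaults registered with module '$ModuleName'."
    }

    foreach ($vault in $vaults) {
        try {
            $found = @(Get-SecretInfo -VaultName $vault.Name -Filter $Filter -ErrorAction Stop)
        } catch {
            # An unreachable provider in one environment should not abort the search of the others.
            Write-Warning "Vault '$($vault.Name)': $($_.Exception.Message)"
            continue
        }

        foreach ($account in $found) {
            $meta = $account.Metadata
            [pscustomobject]@{
                VaultName = $vault.Name
                Name      = $account.Name
                Safe      = $meta['Safe']
                UserName  = $meta['UserName']
                Address   = $meta['Address']
                # CyberArk reports LastSuccessChange as Unix epoch seconds (1660923260 in the output above);
                # convert it so password-age checks can be done in plain date arithmetic.
                LastSuccessChange = if ($meta['LastSuccessChange']) {
                    [DateTimeOffset]::FromUnixTimeSeconds([long]$meta['LastSuccessChange']).UtcDateTime
                }
            }
        }
    }
}

# Usage: locate an account across CyberArkTest and CyberArkProduction and see when it was last rotated.
# Find-CyberArkAccount -Filter windowsAdmin01 |
#     Format-Table VaultName, Safe, UserName, Address, LastSuccessChange
```

Because each vault is queried inside its own try/catch, a Credential Provider that is not installed on the current machine, or a Central Credential Provider that is unreachable, produces a warning for that vault while the remaining vaults are still searched.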

Conclusion

The SecretManagement.CyberArk extension allows you to retrieve secrets from multiple CyberArk environments using different connection methods through the same cmdlets provided by the SecretManagement module.

SecretManagement.CyberArk can be found in the PowerShell Gallery. The code is available on GitHub.