SecretManagement.CyberArk: An extension for the SecretManagement PowerShell module
The SecretManagement PowerShell module provides a common interface for interacting with a wide array of secret vaults, each enabled through a SecretManagement extension. There are a handful of SecretManagement extensions, including ones for Azure KeyVault, KeePass, and LastPass.
The SecretManagement module supports having multiple secret vault types registered at the same time, allowing you to access secrets in Azure KeyVault, KeePass, LastPass, etc. through the same cmdlets. The same secret vault type can also be registered multiple times, so you can, for example, retrieve secrets from several KeePass databases.
SecretManagement.CyberArk is a SecretManagement extension that adds support for connecting to CyberArk through the Credential Provider or Central Credential Provider (using the CredentialRetriever module) or through the REST API (using psPAS).
Using SecretManagement.CyberArk with the Central Credential Provider
The SecretManagement.CyberArk README provides the information we need to start working with the module.
The first step is to install and import both the Microsoft.PowerShell.SecretManagement and SecretManagement.CyberArk modules.
PS > Install-Module Microsoft.PowerShell.SecretManagement
PS > Install-Module SecretManagement.CyberArk
PS > Import-Module Microsoft.PowerShell.SecretManagement
PS > Import-Module SecretManagement.CyberArk
Next, register a secret vault backed by the SecretManagement.CyberArk module. We give it a name to refer to when working with a secret, specify that we want to use the Central Credential Provider, and pass the relevant connection details in VaultParameters. Note that SkipCertificateCheck = $true disables TLS certificate validation for the Central Credential Provider endpoint; it is fine against a lab host such as comp01 below, but in production the endpoint should present a certificate the client trusts and this parameter should be left out.
PS > $VaultParameters = @{
ConnectionType = 'CentralCredentialProvider'
AppID = 'windowsScript'
URL = 'https://comp01'
SkipCertificateCheck = $true
}
PS > Register-SecretVault -Name CyberArk -ModuleName SecretManagement.CyberArk -VaultParameters $VaultParameters
Get-SecretInfo returns information about a secret: the name of the account, the data type the secret will have when retrieved with Get-Secret, and the SecretManagement vault it is found in.
It also returns a Metadata property that exposes the CyberArk account properties (user name, address, safe, CPM status and rotation timestamps) without retrieving the password itself.
PS > Get-SecretInfo -VaultName CyberArk -Filter windowsAdmin01
Name Type VaultName
---- ---- ---------
Operating System-ioSHARPWindowsDomainAccount-iosharp.lab-windowsAdmin01 SecureString CyberArk
PS > Get-SecretInfo -VaultName CyberArk -Filter windowsAdmin01 | Select-Object -ExpandProperty Metadata
Key Value
--- -----
PolicyID ioSHARPWindowsDomainAccount
Folder Root
LastTask ChangeTask
CreationMethod PVWA
Safe Windows
CPMStatus success
UserName windowsAdmin01
PasswordChangeInProcess False
Address 192.168.0.10
Name Operating System-ioSHARPWindowsDomainAccount-iosharp.lab-windowsAdmin01
LastSuccessVerification 1660836856
SequenceID 116
LastSuccessReconciliation 1660834970
DeviceType Operating System
LastSuccessChange 1660923260
RetriesCount -1
PS >
We retrieve the secret itself in a similar way through Get-Secret, which returns it as a SecureString. Converting it to plain text, as in the last command below, is useful for a quick check in a lab but exposes the password in the console and transcript; in scripts, pass the SecureString straight into a PSCredential instead.
PS > $Secret = Get-Secret -VaultName CyberArk -Name 'Operating System-ioSHARPWindowsDomainAccount-iosharp.lab-windowsAdmin01'
PS > $Secret.GetType()
IsPublic IsSerial Name BaseType
-------- -------- ---- --------
True False SecureString System.Object
PS > $Secret | ConvertFrom-SecureString -AsPlainText
UTyga8!ZOEDvPhQsrwlI(xjb2K$c
PS >
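The lookup and retrieval steps above, combined into one function that hands back a usable credential without ever converting the password to plain text. This is an added example, not code from the original post or from the SecretManagement.CyberArk project; it assumes a vault named CyberArk registered as shown above, and that the account's Metadata carries the UserName and Address keys seen in the Get-SecretInfo output. The function name Get-CyberArkCredential is my own.

```powershell
# Added example (not part of the original post or the SecretManagement.CyberArk project).
# Assumes a vault named 'CyberArk' has been registered as shown above and that the
# account's Metadata carries the UserName and Address keys seen in the Get-SecretInfo output.
function Get-CyberArkCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Filter,
        [string] $VaultName = 'CyberArk'
    )

    # Look the account up first so we get its CyberArk metadata (user name, address)
    # without touching the password yet.
    $info = @(Get-SecretInfo -VaultName $VaultName -Filter $Filter)

    if ($info.Count -eq 0) {
        throw "No account in vault '$VaultName' matches filter '$Filter'."
    }
    if ($info.Count -gt 1) {
        # Refuse to guess: a filter that matches several accounts could hand back
        # the wrong privileged credential. List the candidates so the caller can narrow it.
        $names = ($info | ForEach-Object { $_.Name }) -join "`n  "
        throw "Filter '$Filter' matched $($info.Count) accounts in vault '$VaultName':`n  $names"
    }

    $account  = $info[0]
    $userName = $account.Metadata['UserName']
    if (-not $userName) {
        throw "Account '$($account.Name)' has no UserName in its metadata."
    }

    # Get-Secret returns a SecureString; keep it that way and wrap it in a PSCredential
    # rather than converting it to plain text.
    $password = Get-Secret -VaultName $VaultName -Name $account.Name
    if ($password -isnot [System.Security.SecureString]) {
        throw "Expected a SecureString for '$($account.Name)' but got $($password.GetType().Name)."
    }

    $credential = [System.Management.Automation.PSCredential]::new($userName, $password)

    # Return the credential together with the target address, which is what a caller
    # typically needs next.
    [pscustomobject]@{
        Name       = $account.Name
        Address    = $account.Metadata['Address']
        Credential = $credential
    }
}

# Usage: retrieve windowsAdmin01 and use it without ever printing the password.
$admin = Get-CyberArkCredential -Filter 'windowsAdmin01'
Invoke-Command -ComputerName $admin.Address -Credential $admin.Credential -ScriptBlock { hostname }
```

The function deliberately fails when the filter is ambiguous rather than taking the first match, since silently picking the wrong privileged account is worse than an error.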
The SecretManagement module also supports adding and removing secrets through Set-Secret and Remove-Secret. However, as the Credential Provider and Central Credential Provider only retrieve credentials and do not support adding or removing accounts, SecretManagement.CyberArk implements these two cmdlets only for the REST ConnectionType.
Working with multiple SecretManagement.CyberArk secret vaults
We can register multiple SecretManagement.CyberArk secret vaults. These secret vaults can use different connection types.
PS > $TestEnvironmentVaultParameters = @{
ConnectionType = 'CredentialProvider'
AppID = 'linuxApp'
ClientPath = 'C:\Path\To\CLIPasswordSDK.exe'
}
PS > Register-SecretVault -Name CyberArkTest -ModuleName SecretManagement.CyberArk -VaultParameters $TestEnvironmentVaultParameters
PS > $ProductionEnvironmentVaultParameters = @{
ConnectionType = 'CentralCredentialProvider'
AppID = 'windowsScript'
URL = 'https://comp01'
}
PS > Register-SecretVault -Name CyberArkProduction -ModuleName SecretManagement.CyberArk -VaultParameters $ProductionEnvironmentVaultParameters
Running Get-SecretVault lists all registered secret vaults and their names, so we can specify which vault to retrieve a secret from.
PS > Get-SecretVault
Name ModuleName IsDefaultVault
---- ---------- --------------
CyberArkProduction SecretManagement.CyberArk False
CyberArkTest SecretManagement.CyberArk False
PS >
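A worked example of routing across the two vaults just registered: it maps an environment name to a vault, verifies with Get-SecretVault that the vault exists and is backed by SecretManagement.CyberArk, and reads only the account metadata to compare rotation state between Test and Production. This is an added example, not code from the original post or the SecretManagement.CyberArk project; it assumes the CyberArkTest and CyberArkProduction vaults registered above, that account metadata carries the LastSuccessChange, CPMStatus, UserName and Address keys seen earlier, and that LastSuccessChange is Unix epoch seconds (consistent with the values shown, e.g. 1660923260). The function and variable names are my own.

```powershell
# Added example (not part of the original post or the SecretManagement.CyberArk project).
# Assumes the CyberArkTest and CyberArkProduction vaults have been registered as shown
# above, and that account metadata carries the LastSuccessChange, CPMStatus, UserName
# and Address keys seen in the earlier Get-SecretInfo output.

# Map a friendly environment name to the registered vault name.
$script:CyberArkVaults = @{
    Test       = 'CyberArkTest'
    Production = 'CyberArkProduction'
}

function Assert-CyberArkVault {
    param([Parameter(Mandatory)] [string] $VaultName)

    # Make sure the name resolves to a vault backed by SecretManagement.CyberArk, not a
    # vault of another type that happens to have the same name.
    $vault = Get-SecretVault -Name $VaultName -ErrorAction SilentlyContinue
    if (-not $vault) {
        throw "Vault '$VaultName' is not registered. Run Register-SecretVault first."
    }
    if ($vault.ModuleName -ne 'SecretManagement.CyberArk') {
        throw "Vault '$VaultName' is backed by $($vault.ModuleName), not SecretManagement.CyberArk."
    }
    $vault
}

function Get-CyberArkAccountStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Filter,
        [ValidateSet('Test', 'Production')] [string[]] $Environment = @('Test', 'Production'),
        [int] $MaxAgeDays = 90
    )

    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$MaxAgeDays)

    foreach ($env in $Environment) {
        $vaultName = $script:CyberArkVaults[$env]
        $null = Assert-CyberArkVault -VaultName $vaultName

        # Only metadata is read here; the password itself is never retrieved.
        foreach ($info in @(Get-SecretInfo -VaultName $vaultName -Filter $Filter)) {
            $lastChange = $null
            $epoch = $info.Metadata['LastSuccessChange']
            if ($epoch) {
                # CyberArk reports these timestamps as Unix epoch seconds (assumed from the
                # values shown in the post).
                $lastChange = [DateTimeOffset]::FromUnixTimeSeconds([long]$epoch).UtcDateTime
            }

            [pscustomobject]@{
                Environment   = $env
                VaultName     = $vaultName
                Account       = $info.Name
                UserName      = $info.Metadata['UserName']
                Address       = $info.Metadata['Address']
                CPMStatus     = $info.Metadata['CPMStatus']
                LastChangeUtc = $lastChange
                # An account with no recorded successful change is treated as stale.
                RotationStale = if ($lastChange) { $lastChange -lt $cutoff } else { $true }
            }
        }
    }
}

# Usage: compare the same account across both environments and flag stale rotations.
Get-CyberArkAccountStatus -Filter 'windowsAdmin01' |
    Format-Table Environment, Account, CPMStatus, LastChangeUtc, RotationStale
```

Because the report is built from Get-SecretInfo alone, it can be run by a monitoring job that has an AppID permitted to list accounts without ever pulling passwords out of the vault.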
Conclusion
The SecretManagement.CyberArk extension allows you to retrieve secrets from multiple CyberArk environments, using different connection methods, through the same cmdlets provided by the SecretManagement module.
SecretManagement.CyberArk can be found in the PowerShell Gallery. The code is available on GitHub.