Awesome
cybr-cli <!-- omit in toc -->
A "Swiss Army Knife" command-line interface (CLI) for easy human and non-human interaction with CyberArk's suite of products.
Current products supported:
- CyberArk Identity Security Platform Shared Services (ISPSS)
- CyberArk Privilege Cloud SaaS
- CyberArk Self-Hosted Privileged Access Manager (PAM)
- CyberArk Secrets Manager Central Credential Provider (CCP)
- CyberArk Conjur Secrets Manager Enterprise & Open Source
- CyberArk Cloud Entitlements Manager (Free trial)
Want to get dangerous quickly? Check out the example bash script at dev/add-delete-pas-application.sh.
Table of Contents <!-- omit in toc -->
Install
MacOS
$ brew tap infamousjoeg/tap
$ brew install cybr-cli
Windows
$ winget install InfamousJoeG.cybr-cli
Linux
Download from the Releases page.
AWS CloudShell
mkdir -p ~/.local/bin && \
curl --silent "https://api.github.com/repos/infamousjoeg/cybr-cli/releases/latest" |
grep '"tag_name":' |
sed -E 's/.*"([^"]+)".*/\1/' |
xargs -I {} curl -o ~/.local/bin/cybr -sOL "https://github.com/infamousjoeg/cybr-cli/releases/download/"{}'/linux_cybr' && \
chmod +x ~/.local/bin/cybr
Install from Source
$ git clone https://github.com/infamousjoeg/pas-api-go.git
$ make install
$ cybr help
Usage
$ cybr help
for top-level commands list$ cybr [command] -h
for specific command details and sub-commands list
Authenticating with authn-iam (AWS IAM Role Authentication)
Set the following environment variables:
CONJUR_ACCOUNT
- The Conjur account nameCONJUR_APPLIANCE_URL
- The URL of the Conjur service (e.g. https://conjur.example.com)CONJUR_AUTHN_LOGIN
- The Host ID for the IAM role (e.g.host/cloud/aws/ec2/1234567890/ConjurAWSRoleEC2
)CONJUR_AUTHENTICATOR
- The authenticator ID (e.g.authn-iam
)CONJUR_AUTHN_SERVICE_ID
- The authenticator web service ID (e.g.prod
)CONJUR_AWS_TYPE
- The AWS type (e.g.ec2
orecs
orlambda
)
Once environment variables are set, ensure no .conjurrc or .netrc exists in the user's home directory:
rm -f ~/.conjurrc ~/.netrc
Then run any command you wish to run within cybr conjur
. Use the --help
flag to see all available commands.
Authenticating to Privilege Cloud via ISPSS (Identity)
You will need to know the following information to authenticate to Privilege Cloud via ISPSS:
* -b, --base-url
- The base URL of CyberArk Cloud (e.g. https://example.cyberark.cloud or https://example.privilegecloud.cyberark.cloud)
* -u, --username
- The username of the Privilege Cloud user (e.g. joe.garcia@cyberark.cloud.1234)
Password Authentication
$ cybr logon -u joe.garcia@cyberark.cloud.1234 -a identity -b https://example.cyberark.cloud
+ Challenge #1
Enter password:
After providing the password, if no other challenges are required, the CLI will handle the token exchange and a successful logon will be displayed.
MFA Authentication
If MFA is required, the CLI will prompt for the challenge method to use out of those available:
$ cybr logon -u joe.garcia@cyberark.cloud.1234 -a identity -b https://example.cyberark.cloud
+ Challenge #1
Enter password:
+ Challenge #2
1. Email... @joe-garcia.com
2. SMS... XXX-1234
> 2
Enter code: 12341234
After providing the MFA code, if no other challenges are required, the CLI will handle the token exchange and a successful logon will be displayed.
Documentation
All commands are documentated in the docs/ directory.
Autocomplete
The cybr
CLI has a completion
command that can be used to enable autocomplete for the CLI.
The completion command is dependant on your shell type. Currently the only shells that are supported are: bash, zsh, fish and powershell.
Below is an example on how to enable cybr
cli auto-completion from a zsh shell.
# enable shell completetion. Only needs to be performed once.
echo "autoload -U compinit; compinit" >> ~/.zshrc
# create and write the auto-completion script.
# ${fpath[1]} '1' may be different depending on your environment.
cybr completion zsh > "${fpath[1]}/_cybr"
If you are using a different shell execute the completion
command with the --help
flag and follow instructions for the desired shell type.
cybr completion --help
Example Source Code
Logon to the PAS REST API Web Service
package main
import (
"fmt"
"log"
"os"
pasapi "github.com/infamousjoeg/pas-api-go/pkg/cybr/api"
)
var (
hostname = os.Getenv("PAS_BASE_URL")
username = os.Getenv("PAS_USERNAME")
password = os.Getenv("PAS_PASSWORD")
authType = os.Getenv("PAS_AUTH_TYPE")
)
func main() {
// Logon to PAS REST API Web Services
token, errLogon := pasapi.Logon(hostname, username, password, authType, false)
if errLogon != nil {
log.Fatalf("Authentication failed. %s", errLogon)
}
fmt.Printf("Session Token:\r\n%s\r\n\r\n", token)
}
Security
If there is a security concern or bug discovered, please responsibly disclose all information to joe (dot) garcia (at) cyberark (dot) com.
cybr safes add-member --role
Role Permissions
All safe member roles defined below are based on best practices and recommendations put forth by CyberArk's PAS Programs Office, creators of the CyberArk Blueprint for Identity Security.
Role | Safe Authorizations |
---|---|
BreakGlass | All authorizations except Authorize Password Requests |
VaultAdmin | - List Accounts<br>- View Audit Log<br>- View Safe Members |
SafeManager | - Manage Safe<br>- Manage Safe Members<br>- View Audit Log<br>- View Safe Members<br>- Access Safe w/o Confirmation |
EndUser | - Use/Retrieve/List Accounts<br>- View Audit Log<br>- View Safe Members |
Auditor | - List Accounts<br>- View Audit Log<br>- View Safe Members |
AIMWebService | No authorizations |
AppProvider | - Retrieve/List Accounts<br>- View Safe Members |
ApplicationIdentity | - Retrieve/List Accounts |
AccountProvisioner | - List/Add/Delete Accounts<br>- Update Password Properties<br>- Initiate CPM Password Management Operations<br>- View Audit Log<br>- View Safe Members<br>- Access Safe w/o Confirmation |
CPDeployer | - List/Add Accounts<br>- Update Password Properties<br>- Initiate CPM Password Management Operations<br>- Manage Safe Member<br>- View Audit Log, View Safe Members<br>- Access Safe w/o Confirmation |
ComponentOrchestrator | - List/Add Accounts<br>- Update Password Properties<br>- Initiate CPM Password Management Operations<br>- View Audit Log<br>- Access Safe w/o Confirmation |
APIAutomation | - List/Add/Rename/Delete/Unlock Accounts<br>- Update Password Content/Properties<br>- Initiate CPM Password Management Operations<br>- Manage Safe<br>- Manage Safe Members<br>- View Audit Log<br>- View Safe Members<br>- Create/Delete Folders<br>- Move Accounts/Folders |
PasswordScheduler | - List Accounts<br>- Initiate CPM Password Management Operation<br>- View Audit Log<br>- View Safe Members<br>- Access Safe w/o Confirmation |
ApproverLevel1 | - List Accounts<br>- View Audit Log<br>- View Safe Members<br>- Authorize Password Requests (Level 1) |
ApproverLevel2 | - List Acccounts<br>- View Audit Log<br>- View Safe Members<br>- Authorize Password Requests (Level 2) |
Testing
To vet the code, run make vet
.
To test the code, run make test
.
To run all tests, run make test-all
.
Maintainers
Contributions
Pull Requests are currently being accepted. Please read and follow the guidelines laid out in CONTRIBUTING.md.