📜Documentation
CyberArk's Official SDK and CLI for different services operations
- Extensive and Interactive CLI
- Different Authenticators
  - Identity Authentication Methods
  - MFA Support for Identity
  - Identity Security Platform
- Ready to use SDK in Golang
- Fully Interactive CLI comprising of 3 main actions
  - Configure
  - Login
  - Exec
- Services API
  - SIA SSO Service
  - SIA K8S Service
  - SIA VM Secrets Service
  - SIA DB Secrets Service
  - SIA Target Sets Workspace Service
  - SIA Access Service
  - Connector Manager Service
  - PCloud Accounts Service
  - PCloud Safes Service
  - Identity Directories Service
  - Identity Roles Service
  - Identity Users Service
- Filesystem Inputs and Outputs for the CLI
- Silent and Verbose logging
- Profile Management and Authentication Caching
One can install the SDK via the following command:
go install github.com/cyberark/ark-sdk-golang
Both the SDK and the CLI work with profiles
Profiles can be configured as needed and are then used for the actions that follow
The CLI has the following basic commands:
- configure - Configures profiles and their respective authentication methods
- login - Logs into the profile authentication methods
- exec - Executes different commands based on the supported services
- profiles - Manage multiple profiles on the machine
- cache - Manage the cache of the authentication methods
The configure command is used to create a profile to work with
The profile holds information about which authentication methods to use and their settings, along with other related information such as MFA
How to run:
ark configure
The profiles are saved to ~/.ark_profiles
No arguments are required, and interactive questions will be asked
If you wish to supply only arguments, without interactive prompts, add --silent along with the arguments
Usage:
Configure the CLI
Usage:
ark configure [flags]
Flags:
--allow-output Allow stdout / stderr even when silent and not interactive
--disable-cert-verification Disables certificate verification on HTTPS calls, unsafe!
-h, --help help for configure
--isp-auth-method string Authentication method for Identity Security Platform (default "default")
--isp-identity-application string Identity Application
--isp-identity-authorization-application string Service User Authorization Application
--isp-identity-mfa-interactive Allow Interactive MFA
--isp-identity-mfa-method string MFA Method to use by default [pf, sms, email, otp]
--isp-identity-tenant-subdomain string Identity Tenant Subdomain
--isp-identity-url string Identity Url
--isp-username string Username
--log-level string Log level to use while verbose (default "INFO")
--logger-style string Which verbose logger style to use (default "default")
--profile-description string Profile Description
--profile-name string The name of the profile to use
--raw Whether to raw output
--silent Silent execution, no interactiveness
--trusted-cert string Certificate to use for HTTPS calls
--verbose Whether to verbose log
--work-with-isp Whether to work with Identity Security Platform services
The login command is used to log in to the authentication methods configured for the profile
You will be prompted for a password for each authentication method that supports one, along with any required MFA prompt
Once the login is done, the access tokens are stored in the computer's keystore for their lifetime
Once they expire, another login is required
How to run:
ark login
Usage:
Login to the system
Usage:
ark login [flags]
Flags:
--allow-output Allow stdout / stderr even when silent and not interactive
--disable-cert-verification Disables certificate verification on HTTPS calls, unsafe!
--force Whether to force login even though token has not expired yet
-h, --help help for login
--isp-secret string Secret to authenticate with to Identity Security Platform
--isp-username string Username to authenticate with to Identity Security Platform
--log-level string Log level to use while verbose (default "INFO")
--logger-style string Which verbose logger style to use (default "default")
--no-shared-secrets Do not share secrets between different authenticators with the same username
--profile-name string Profile name to load (default "ark")
--raw Whether to raw output
--refresh-auth If a cache exists, will also try to refresh it
--show-tokens Print out tokens as well if not silent
--silent Silent execution, no interactiveness
--trusted-cert string Certificate to use for HTTPS calls
--verbose Whether to verbose log
Notes:
- You may disable certificate validation for login to different authenticators using the --disable-cert-verification flag, or supply a certificate to be used with --trusted-cert; disabling verification is not recommended
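What the two options in the note above mean for a Go HTTPS client, as an added example that is not code from the Ark SDK: the helper names (clientWithTrustedCert, reachable, demo) are hypothetical, and the server is a local test fixture from net/http/httptest whose certificate is not in the system trust store.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// clientWithTrustedCert (hypothetical helper) verifies servers only against
// the supplied PEM bundle: the safe alternative to turning verification off.
func clientWithTrustedCert(pemBytes []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, fmt.Errorf("no certificate found in PEM input")
	}
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

// reachable reports whether an HTTPS GET gets past certificate verification.
func reachable(c *http.Client, url string) bool {
	resp, err := c.Get(url)
	if err != nil {
		return false
	}
	resp.Body.Close()
	return true
}

// demo runs three clients against a local TLS server with a private
// certificate (constructed fixture) and returns which of them connect.
func demo() (defaultOK, insecureOK, trustedOK bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	strict := &http.Client{Transport: &http.Transport{}} // system roots only
	// Verification off: the handshake succeeds for ANY certificate presented.
	insecure := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}
	trusted, _ := clientWithTrustedCert(certPEM) // PEM was just encoded, cannot fail
	return reachable(strict, srv.URL), reachable(insecure, srv.URL), reachable(trusted, srv.URL)
}

func main() {
	d, i, t := demo()
	fmt.Printf("default=%v insecure=%v trusted=%v\n", d, i, t)
}
```

The default client rejects the private certificate, the client with verification disabled accepts it without checking anything, and the client given the certificate connects while still verifying the server.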
The exec command is used to execute commands of the supported services, using the matching logged-in authenticators
The following services and commands are supported:
- sia - Secure Infrastructure Access Services
  - sso - SIA SSO Management
  - k8s - SIA K8S Management
  - workspaces - SIA Workspaces Management
    - target-sets - SIA VM Target Sets Management
  - secrets - SIA Secrets Management
    - vm - SIA VM Secrets Management
  - access - SIA Access Management
- cmgr - Connector Manager
- pcloud - PCloud Service
  - accounts - PCloud Accounts Management
  - safes - PCloud Safes Management
- identity - Identity Service
  - directories - Identity Directories Management
  - roles - Identity Roles Management
  - users - Identity Users Management
Each command has its own subcommands, with their respective arguments
For example, to generate a short-lived password:
ark exec sia sso short-lived-password
Add SIA VM Target Set
ark exec sia workspaces target-sets add-target-set --name mydomain.com --type Domain
Add SIA VM Secret
ark exec sia secrets vm add-secret --secret-type ProvisionerUser --provisioner-username=myuser --provisioner-password=mypassword
List connector pools
ark exec cmgr list-pools
Get connector installation script
ark exec sia access connector-setup-script --connector-type ON-PREMISE --connector-os windows --connector-pool-id 588741d5-e059-479d-b4c4-3d821a87f012
Create a PCloud Safe
ark exec pcloud safes add-safe --safe-name=safe
Create a PCloud Account
ark exec pcloud accounts add-account --name account --safe-name safe --platform-id='UnixSSH' --username root --address 1.2.3.4 --secret-type=password --secret mypass
Retrieve a PCloud Account Credentials
ark exec pcloud accounts get-account-credentials --account-id 11_1
Create an Identity User
ark exec identity users create-user --roles "DpaAdmin" --username "myuser"
Create an Identity Role
ark exec identity roles create-role --role-name myrole
List all directories identities
ark exec identity directories list-directories-entities
Add SIA Database Secret
ark exec sia secrets db add-secret --secret-name mysecret --secret-type username_password --username user --password mypass
Delete SIA Database Secret
ark exec sia secrets db delete-secret --secret-name mysecret
Add SIA database
ark exec sia workspaces db add-database --name mydatabase --provider-engine aurora-mysql --read-write-endpoint myrds.com
Delete SIA database
ark exec sia workspaces db delete-database --id databaseid
You can view all of the commands via the --help for each respective exec action
Notes:
- You may disable certificate validation for login to different authenticators using the --disable-cert-verification flag, or supply a certificate to be used with --trusted-cert; disabling verification is not recommended
Useful Env Vars:
- ARK_PROFILE - Sets the profile to be used across the CLI
- ARK_DISABLE_CERTIFICATE_VERIFICATION - Disables certificate verification on REST APIs
As one may have multiple environments to manage, this would also imply that multiple profiles are required, either for multiple users in the same environment or multiple tenants
Therefore, the profiles command provides a convenient set of methods for managing those profiles
Using it is as simple as running commands under:
ark profiles
Usage:
Manage profiles
Usage:
ark profiles [command]
Available Commands:
add Add a profile from a given path
clear Clear all profiles
clone Clone a profile
delete Delete a specific profile
edit Edit a profile interactively
list List all profiles
show Show a profile
Flags:
--allow-output Allow stdout / stderr even when silent and not interactive
--disable-cert-verification Disables certificate verification on HTTPS calls, unsafe!
-h, --help help for profiles
--log-level string Log level to use while verbose (default "INFO")
--logger-style string Which verbose logger style to use (default "default")
--raw Whether to raw output
--silent Silent execution, no interactiveness
--trusted-cert string Certificate to use for HTTPS calls
--verbose Whether to verbose log
Use "ark profiles [command] --help" for more information about a command.
Use the cache command to manage the Ark data cached on your machine. Currently, you can only clear the filesystem cache (not data cached in the OS's keystore).
Using it is as simple as running commands under:
ark cache
Usage:
Manage cache
Usage:
ark cache [command]
Available Commands:
clear Clears all profiles cache
Flags:
--allow-output Allow stdout / stderr even when silent and not interactive
--disable-cert-verification Disables certificate verification on HTTPS calls, unsafe!
-h, --help help for cache
--log-level string Log level to use while verbose (default "INFO")
--logger-style string Which verbose logger style to use (default "default")
--raw Whether to raw output
--silent Silent execution, no interactiveness
--trusted-cert string Certificate to use for HTTPS calls
--verbose Whether to verbose log
Use "ark cache [command] --help" for more information about a command.
In addition to the CLI, one can also develop against the Ark SDK using its API / class-driven design
The same idea as the CLI applies here as well
Let's say we want to generate a short-lived password from code
To do so, we can use the following program:
package main

import (
	"fmt"
	"os"

	"github.com/cyberark/ark-sdk-golang/pkg/auth"
	authmodels "github.com/cyberark/ark-sdk-golang/pkg/models/auth"
	ssomodels "github.com/cyberark/ark-sdk-golang/pkg/models/services/sia/sso"
	"github.com/cyberark/ark-sdk-golang/pkg/services/sia/sso"
)

func main() {
	// Perform authentication using ArkISPAuth to the platform
	// First, create an ISP authentication class
	// Afterwards, perform the authentication
	ispAuth := auth.NewArkISPAuth(false)
	_, err := ispAuth.Authenticate(
		nil,
		&authmodels.ArkAuthProfile{
			Username:           "user@cyberark.cloud.12345",
			AuthMethod:         authmodels.Identity,
			AuthMethodSettings: &authmodels.IdentityArkAuthMethodSettings{},
		},
		&authmodels.ArkSecret{
			Secret: os.Getenv("ARK_SECRET"),
		},
		false,
		false,
	)
	if err != nil {
		panic(err)
	}

	// Create an SSO service from the authenticator above
	ssoService, err := sso.NewArkSIASSOService(ispAuth)
	if err != nil {
		panic(err)
	}

	// Generate a short-lived password
	ssoPassword, err := ssoService.ShortLivedPassword(
		&ssomodels.ArkSIASSOGetShortLivedPassword{},
	)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s\n", ssoPassword)
}
More examples can be found in the examples folder
This project is licensed under Apache License 2.0 - see LICENSE for more details
Copyright (c) 2025 CyberArk Software Ltd. All rights reserved.