cybr-cli

A "Swiss Army Knife" command-line interface (CLI) for easy human and non-human interaction with CyberArk's suite of products.

Current products supported:

• CyberArk Privileged Access Manager (PAM)
• CyberArk Secrets Manager Central Credential Provider (CCP)
• CyberArk Conjur Secrets Manager Enterprise & Open Source
• CyberArk Cloud Entitlements Manager (Free trial)

Want to get dangerous quickly? Check out the example bash script at dev/add-delete-pas-application.sh.

Table of Contents

• Install
  • MacOS
  • Windows or Linux
  • AWS CloudShell
  • Install from Source
• Usage
  • Authenticating with authn-iam (AWS IAM Role Authentication)
  • Documentation
• Autocomplete
• Example Source Code
  • Logon to the PAS REST API Web Service
• Security
  • cybr safes add-member --role Role Permissions
• Testing
• Maintainers
• Contributions
• License

Install

MacOS

$ brew tap infamousjoeg/tap
$ brew install cybr-cli

Windows or Linux

Download from the Releases page.

AWS CloudShell

mkdir -p ~/.local/bin && \
curl --silent "https://api.github.com/repos/infamousjoeg/cybr-cli/releases/latest" |
    grep '"tag_name":' |
    sed -E 's/.*"([^"]+)".*/\1/' |
    xargs -I {}  curl -o ~/.local/bin/cybr -sOL "https://github.com/infamousjoeg/cybr-cli/releases/download/"{}'/linux_cybr' && \
chmod +x ~/.local/bin/cybr

Install from Source

$ git clone https://github.com/infamousjoeg/pas-api-go.git
$ ./install
$ cybr help

Usage

• $ cybr help for top-level commands list
• $ cybr [command] -h for specific command details and sub-commands list

Authenticating with authn-iam (AWS IAM Role Authentication)

Set the following environment variables:

• CONJUR_ACCOUNT - The Conjur account name
• CONJUR_APPLIANCE_URL - The URL of the Conjur service (e.g. https://conjur.example.com)
• CONJUR_AUTHN_LOGIN - The Host ID for the IAM role (e.g. host/cloud/aws/ec2/1234567890/ConjurAWSRoleEC2)
• CONJUR_AUTHENTICATOR - The authenticator ID (e.g. authn-iam)
• CONJUR_AUTHN_SERVICE_ID - The authenticator web service ID (e.g. prod)
• CONJUR_AWS_TYPE - The AWS type (e.g. ec2 or ecs or lambda)

Once environment variables are set, ensure no .conjurrc or .netrc exists in the user's home directory:

rm -f ~/.conjurrc ~/.netrc

Then run any command you wish to run within cybr conjur. Use the --help flag to see all available commands.

Documentation

All commands are documentated in the docs/ directory.

Autocomplete

The cybr CLI has a completion command that can be used to enable autocomplete for the CLI. The completion command is dependant on your shell type. Currently the only shells that are supported are: bash, zsh, fish and powershell.

Below is an example on how to enable cybr cli auto-completion from a zsh shell.

# enable shell completetion. Only needs to be performed once.
echo "autoload -U compinit; compinit" >> ~/.zshrc

# create and write the auto-completion script.
# ${fpath[1]} '1' may be different depending on your environment.
cybr completion zsh > "${fpath[1]}/_cybr"

If you are using a different shell execute the completion command with the --help flag and follow instructions for the desired shell type.

cybr completion --help

Example Source Code

Logon to the PAS REST API Web Service

package main

import (
	"fmt"
	"log"
	"os"

	pasapi "github.com/infamousjoeg/pas-api-go/pkg/cybr/api"
)

var (
	hostname = os.Getenv("PAS_BASE_URL")
	username = os.Getenv("PAS_USERNAME")
	password = os.Getenv("PAS_PASSWORD")
	authType = os.Getenv("PAS_AUTH_TYPE")
)

func main() {
	// Logon to PAS REST API Web Services
	token, errLogon := pasapi.Logon(hostname, username, password, authType, false)
	if errLogon != nil {
		log.Fatalf("Authentication failed. %s", errLogon)
	}
	fmt.Printf("Session Token:\r\n%s\r\n\r\n", token)
}

Security

If there is a security concern or bug discovered, please responsibly disclose all information to joe (dot) garcia (at) cyberark (dot) com.

cybr safes add-member --role Role Permissions

All safe member roles defined below are based on best practices and recommendations put forth by CyberArk's PAS Programs Office, creators of the CyberArk Blueprint for Identity Security.

Role	Safe Authorizations
BreakGlass	All authorizations except Authorize Password Requests
VaultAdmin	- List Accounts - View Audit Log - View Safe Members
SafeManager	- Manage Safe - Manage Safe Members - View Audit Log - View Safe Members - Access Safe w/o Confirmation
EndUser	- Use/Retrieve/List Accounts - View Audit Log - View Safe Members
Auditor	- List Accounts - View Audit Log - View Safe Members
AIMWebService	No authorizations
AppProvider	- Retrieve/List Accounts - View Safe Members
ApplicationIdentity	- Retrieve/List Accounts
AccountProvisioner	- List/Add/Delete Accounts - Update Password Properties - Initiate CPM Password Management Operations - View Audit Log - View Safe Members - Access Safe w/o Confirmation
CPDeployer	- List/Add Accounts - Update Password Properties - Initiate CPM Password Management Operations - Manage Safe Member - View Audit Log, View Safe Members - Access Safe w/o Confirmation
ComponentOrchestrator	- List/Add Accounts - Update Password Properties - Initiate CPM Password Management Operations - View Audit Log - Access Safe w/o Confirmation
APIAutomation	- List/Add/Rename/Delete/Unlock Accounts - Update Password Content/Properties - Initiate CPM Password Management Operations - Manage Safe - Manage Safe Members - View Audit Log - View Safe Members - Create/Delete Folders - Move Accounts/Folders
PasswordScheduler	- List Accounts - Initiate CPM Password Management Operation - View Audit Log - View Safe Members - Access Safe w/o Confirmation
ApproverLevel1	- List Accounts - View Audit Log - View Safe Members - Authorize Password Requests (Level 1)
ApproverLevel2	- List Acccounts - View Audit Log - View Safe Members - Authorize Password Requests (Level 2)

Testing

go test -v ./...

Maintainers

@infamousjoeg

@AndrewCopeland

Contributions

Pull Requests are currently being accepted. Please read and follow the guidelines laid out in CONTRIBUTING.md.

License

Apache 2.0