pyAIM
CyberArk Application Access Manager Client Library for Python 3
This project simplifies the interaction between a Python 3 application or script and CyberArk's Application Access Manager's Credential Provider using the appropriate CLIPasswordSDK executable for the Operating System being used. By simplifying this process, developers are only required to change four (4) lines of code in their Python 3 applications and scripts to securely retrieve privileged secrets from CyberArk's Privileged Access Security (PAS) Core Solution as opposed to thirty or more (30+) without the use of this provided Client Library.
New in Version 1.5.0:
- Added support for
timeoutwhen intializing the CCPPasswordREST() class. - Added support for
delimiterparameter inGetPassword()method for Credential Provider (CLIPasswordSDK) method. - Added support for Client Certificate Authentication in
GetPassword()method for Centralized Credential Provider (CCPPasswordREST) method.
Table of Contents
- Install
- Usage
- Maintainer
- Contributing
- License
Install
Credential Provider (CLIPasswordSDK) Method
- CyberArk Application Access Manager Credential Provider installed locally.
Centralized Credential Provider (CCPPasswordREST) Method
- CyberArk Application Access Manager Centralized Credential Provider and AIMWebService
For information on how to install either of these providers, please refer to CyberArk's Application Access Manager Installation Guide or reach out to your assigned Customer Success Technical Advisor.
Windows
Install Latest Python 3
Install the Python 3 release for Windows
Install pyAIM via Pip
> pip3 install pyaim
Linux
Ubuntu/Debian
Install Latest Python 3
$ sudo apt install -y python3 python3-pip
Install pyAIM via Pip
$ pip3 install pyaim
RHEL/CentOS
Install Latest Python 3
RHEL
Follow the EPEL Documentation to ensure you have the EPEL Release repository available.
$ sudo yum install -y https://rhel7.iuscommunity.org/ius-release.rpm
$ sudo yum update
$ sudo yum install -y python36u python36u-libs python36u-devel python36u-pip
CentOS
$ sudo yum install -y https://centos7.iuscommunity.org/ius-release.rpm
$ sudo yum update
$ sudo yum install -y python36u python36u-libs python36u-devel python36u-pip
Install pyAIM via Pip
$ pip3 install pyaim
MacOS
No support provided yet.
Z/OS
pyAIM is untested on Z/OS but should work in theory.
Install Latest Python 3
Rocket Software has ported Python 2 and 3 for Z/OS
Install pyAIM via Pip
$ pip3 install pyaim
Usage
Check AIMWebService Availability - check_service()
Centralized Credential Provider (CCPPasswordREST) Method
from pyaim import CCPPasswordREST
aimccp = CCPPasswordREST('https://ccp.cyberarkdemo.example', verify=True) # set verify=False to ignore SSL
service_status = aimccp.check_service()
print(service_status)Retrieve Account - GetPassword()
Credential Provider (CLIPasswordSDK) Method
Supported Parameters
Query Parameters
- appid (required)
- safe (required)
- folder (default: root)
- object (this or
usernamerequired) - username (this or
objectrequired) - address
- database
- policyid
- reason
- query_format (default: 1)
- connport
- sendhash (default: False)
- output (default: Password)
- delimiter (default: ,)
- dual_accounts (default: False)
For compatibility with Dual Accounts where you are referencing a VirtualUsername - use the username parameter and ensure dual_accounts=True.
Example
from pyaim import CLIPasswordSDK
aimcp = CLIPasswordSDK('/opt/CARKaim/sdk/clipasswordsdk')
response = aimcp.GetPassword(appid='appID',safe='safeName',object='objectName',output='PassProps.Username,Password',delimiter='|')
print('Full Response: {}'.format(response))
print('Username: {}'.format(response['PassProps.Username']))
print('Password: {}'.format(response['Password']))Centralized Credential Provider (CCPPasswordREST) Method
Supported Parameters
CCPPasswordREST()
- url (required)
- verify (default: True)
- cert (default: None)
- timeout (default: 30)
Query Parameters
- appid (required)
- safe (required)
- folder (default: root)
- object (this or
usernamerequired) - username (this or
objectrequired) - address
- database
- policyid
- reason
- query_format (default: exact)
- dual_accounts (default: False)
For compatibility with Dual Accounts where you are referencing a VirtualUsername - use the username parameter and ensure dual_accounts=True.
Example
from pyaim import CCPPasswordREST
aimccp = CCPPasswordREST('https://ccp.cyberarkdemo.example', verify=True, timeout=10) # set verify=False to ignore SSL
service_status = aimccp.check_service()
if service_status == 'SUCCESS: AIMWebService Found. Status Code: 200':
response = aimccp.GetPassword(appid='appid',safe='safe',object='objectName',reason='Reason message')
print('Full Python Object: {}'.format(response))
print('Username: {}'.format(response['Username']))
print('Password: {}'.format(response['Content']))
else:
raise Exception(service_status)Example with Client Certificate Authentication
from pyaim import CCPPasswordREST
aimccp = CCPPasswordREST('https://ccp.cyberarkdemo.example', verify=True, cert=('/path/to/cert.pem', '/path/to/key.pem')) # set verify=False to ignore SSL
...Maintainer
Contributing
Contributions are open! Check out CONTRIBUTING.md for more details!
![dependabot-preview[bot]](https://avatars.githubusercontent.com/u/27856297?size=120)
![dependabot[bot]](https://avatars.githubusercontent.com/u/49699333?size=120)