Hi team... I have a playbook and I need to integrate CCP with Ansible and CyberArk.
The playbook is this:
(cyberark) root@lxanssatsrv01:~/SEGOS/altas$ cat creacionCyberarksrvcpamlx.yml

```yaml
- hosts: localhost
  become: false
  gather_facts: false
  vars:
    PVWA_url: "https://appwcybersrv01.rio.ar.bsch/"
    CCP_app_id: "ansiblerestapi"
    AccountUser: "srvcpamlx"
    AccountPass: "Desa238b"
    AccountServer: "{{ node }}"
    AccountSafe: "AR-LX-ADM-RECONCIL"
    AccountPlatformId: "Linux-Auto-Reconcil"
  tasks:
    # Fetch the vault user's credential from the Central Credential Provider
    - name: Central Credential Provider
      cyberark.pas.cyberark_credential:
        api_base_url: "https://appwcybersrv03.rio.ar.bsch/"
        validate_certs: no
        app_id: "ansiblerestapi"
        query: "Object=Application-CyberArk-10.40.3.182-ansiblevaultuser"
        connection_timeout: 60
        query_format: Exact
        fail_request_on_password_change: True
        reason: "requesting credential for Ansible deployment"
      register: result

    - name: Print CCP result
      debug:
        msg: "{{ result.result.Content }}"

    # Log on to PVWA with the credential returned by CCP; sets the cyberark_session fact
    - name: Logon to CyberArk Vault using PAS Web Services SDK
      vars:
        VaultUser: "{{ result.result.UserName }}"
        VaultUserPass: "{{ result.result.Content }}"
      cyberark.pas.cyberark_authentication:
        api_base_url: "{{ PVWA_url }}"
        validate_certs: no
        username: "{{ VaultUser }}"
        password: "{{ VaultUserPass }}"
        use_cyberark_authentication: yes

    # Second logon against the other PVWA; this overwrites cyberark_session from the task above
    - name: Logon to CyberArk Vault using PAS Web Services SDK - use_shared_logon_authentication
      vars:
        VaultUser: "{{ result.result.UserName }}"
        VaultUserPass: "{{ result.result.Content }}"
      cyberark.pas.cyberark_authentication:
        api_base_url: "https://appwcybersrv03.rio.ar.bsch/"
        connection_number: 100
        validate_certs: no
        username: "{{ VaultUser }}"
        password: "{{ VaultUserPass }}"
        use_cyberark_authentication: yes

    - name: Print Logon result
      debug:
        msg: "{{ cyberark_session }}"

    - name: Wait for service to come up...
      pause:
        seconds: 15

    # Create (or find) the account; cyberark_session carries the logon token
    - name: Creating an Account using the PAS WebServices SDK
      cyberark.pas.cyberark_account:
        logging_level: DEBUG
        identified_by: "address,username"
        safe: "{{ AccountSafe }}"
        address: "{{ AccountServer }}"
        username: "{{ AccountUser }}"
        platform_id: "{{ AccountPlatformId }}"
        secret: "{{ AccountPass }}"
        secret_management:
          automatic_management_enabled: true
        state: present
        cyberark_session: "{{ cyberark_session }}"
        validate_certs: no
      register: cyberarkaction

    - name: Print Account Creation Result
      debug:
        msg: "{{ cyberarkaction }}"

    # Ask the CPM to change the password immediately
    - name: Rotate credential
      cyberark.pas.cyberark_account:
        identified_by: "address,username"
        safe: "{{ AccountSafe }}"
        address: "{{ AccountServer }}"
        username: "{{ AccountUser }}"
        platform_id: "{{ AccountPlatformId }}"
        secret_management:
          management_action: "change_immediately"
          automatic_management_enabled: true
        state: present
        cyberark_session: "{{ cyberark_session }}"
      register: cyberarkaction

    - name: Print Account Rotate Credential Result
      debug:
        msg: "{{ cyberarkaction }}"

    - name: Logoff from CyberArk Vault
      cyberark.pas.cyberark_authentication:
        state: absent
        cyberark_session: "{{ cyberark_session }}"
```
But I have an error in the output:
```text
2022-07-14 11:23:32,534 DEBUG [13] f01e52c9-f508-4da9-a905-ef81029c4941 EPVPV005D Enter function: PVSession.FindObjectsEx - With Paging. Page Info: From Record 0 Max records 100 [Casos]
2022-07-14 11:23:32,534 DEBUG [13] f01e52c9-f508-4da9-a905-ef81029c4941 Casos Session Request: FindFilesEX [Casos]
2022-07-14 11:23:32,534 ERROR [13] f01e52c9-f508-4da9-a905-ef81029c4941 CASTM006E Transaction failed because logon was not called with this Session Instance. (Vault [CAMainVault] safe [ar-lx-adm] user [ansiblevaultuser]) [Casos]
2022-07-14 11:23:32,534 DEBUG [13] f01e52c9-f508-4da9-a905-ef81029c4941 Casos Session Request[FindFilesEX] ended. [Casos]
2022-07-14 11:23:32,534 DEBUG [13] f01e52c9-f508-4da9-a905-ef81029c4941 CyberArk.Services.Exceptions.VaultConnectionEndedException: CASTM006E Transaction failed because logon was not called with this Session Instance.
2022-07-14 11:23:32,534 DEBUG [13] f01e52c9-f508-4da9-a905-ef81029c4941 EPVPV005D Enter function: PVSession.FindObjectsEx - With Paging. Page Info: From Record 0 Max records 100 [Casos]
2022-07-14 11:23:32,534 DEBUG [13] f01e52c9-f508-4da9-a905-ef81029c4941 Casos Session Request: FindFilesEX [Casos]
2022-07-14 11:23:32,534 ERROR [13] f01e52c9-f508-4da9-a905-ef81029c4941 CASTM006E Transaction failed because logon was not called with this Session Instance. (Vault [CAMainVault] safe [ar-lx-adm] user [ansiblevaultuser]) [Casos]
2022-07-14 11:23:32,534 DEBUG [13] f01e52c9-f508-4da9-a905-ef81029c4941 Casos Session Request[FindFilesEX] ended. [Casos]
2022-07-14 11:23:32,534 DEBUG [13] f01e52c9-f508-4da9-a905-ef81029c4941 CyberArk.Services.Exceptions.VaultConnectionEndedException: CASTM006E Transaction failed because logon was not called with this Session Instance.
2022-07-14 11:23:32,534 DEBUG [13] f01e52c9-f508-4da9-a905-ef81029c4941 GetAccounts failed CyberArk.Services.Exceptions.VaultConnectionEndedException: CASTM006E Transaction failed because logon was not called with this Session Instance.
2022-07-14 11:23:32,534 WARN [13] f01e52c9-f508-4da9-a905-ef81029c4941 GetAccounts Response:: Code: 401. Content: {"ErrorCode":"CASTM006E","ErrorMessage":"Transaction failed because logon was not called with this Session Instance."} [AccountsController]
2022-07-14 11:23:32,534 INFO [13] f01e52c9-f508-4da9-a905-ef81029c4941 EndRequest /PasswordVault/api/accounts?filter=safeName%20eq%20AR-LX-ADM&search=pgredev0272.iaas.ar.bsch%20root | code: 401 [up]
```
It looks like I need to include the Session Instance in the API call to GetAccounts. Can I try to add this myself in our own code or Ansible playbook?
Regards, ansh. Thanks!
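For the "in our own code" route, here is an added Python example (not from the original post, and not the cyberark.pas collection) of the flow the playbook performs: Logon, then Accounts calls that carry the returned token in the Authorization header, then Logoff. The endpoint paths are the documented PVWA REST paths; the client refuses to send an authenticated call while it holds no token and turns a 401 such as the CASTM006E in the log above into an explicit error, and the optional transport parameter is an assumption added so the flow can be exercised offline.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import quote, urlencode

class PvwaSessionError(RuntimeError):
    """A PVWA call was made without a logon token, or the token is no longer valid."""

class PvwaClient:
    """PAS Web Services client that attaches the Logon token to every later call."""
    def __init__(self, base_url, transport=None):
        self.base_url = base_url.rstrip("/")
        self.token = None  # set by logon(), cleared by logoff()
        self.transport = transport or self._http  # injectable for offline tests
    @staticmethod
    def _http(method, url, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=60) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as e:
            return e.code, e.read().decode()

    def _call(self, method, path, body=None, auth=True):
        headers = {"Content-Type": "application/json"}
        if auth:
            if not self.token:  # fail locally instead of letting PVWA answer 401
                raise PvwaSessionError("logon() not called: no session token to attach")
            headers["Authorization"] = self.token
        status, text = self.transport(method, self.base_url + path, headers, body)
        if status == 401:  # e.g. CASTM006E when the token is missing or expired
            code = json.loads(text).get("ErrorCode", "?") if text else "?"
            raise PvwaSessionError(f"PVWA returned 401 ({code}); call logon() again")
        return json.loads(text) if text else None

    def logon(self, username, password):
        # CyberArk-auth Logon answers with the session token as a bare JSON string.
        self.token = self._call("POST", "/PasswordVault/API/auth/CyberArk/Logon",
                                {"username": username, "password": password}, auth=False)
        return self.token

    def get_accounts(self, safe, search):
        query = urlencode({"filter": f"safeName eq {safe}", "search": search}, quote_via=quote)
        return self._call("GET", f"/PasswordVault/api/accounts?{query}")

    def logoff(self):
        self._call("POST", "/PasswordVault/API/auth/Logoff")
        self.token = None
```

With a real PVWA, construct the client without a transport argument and the calls go over HTTPS with urllib.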