
    VhQ*                         d dl mZmZmZ eZddgddZdZdZdZ	d d	l
mZ d d
lmZ d dlmZ d dlmZ d dlmZ d dlmZ d dlZd Zd Zedk(  r e        yy)    )absolute_importdivisionprint_functionz1.1preview	community)metadata_versionstatussupported_byaa  
---
module: cyberark_credential
short_description: Credential retrieval using AAM Central Credential Provider.
author:
    - Edward Nunez (@enunez-cyberark)
    - CyberArk BizDev (@cyberark-bizdev)
    - Erasmo Acosta (@erasmix)
    - James Stutes (@JimmyJamCABD)
version_added: '1.0.0'
description:
    - Creates a URI for retrieving a credential from a password object stored
      in the Cyberark Vault.  The request uses the Privileged Account Security
      Web Services SDK through the Central Credential Provider by requesting
      access with an Application ID.

options:
    api_base_url:
        type: str
        required: true
        description:
            - A string containing the base URL of the server hosting the
              Central Credential Provider.
    validate_certs:
        type: bool
        required: false
        default: true
        description:
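            - If C(false), the SSL certificate chain will not be validated, so
              the identity of the Central Credential Provider is not verified
              and the returned credential can be intercepted.  This should
              only be set to C(true) if you have a root CA certificate
              installed on each node.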
    app_id:
        type: str
        required: true
        description:
            - A string containing the Application ID authorized for retrieving
              the credential.
    query:
        type: str
        required: true
        description:
            - A string containing details of the object being queried.
            - Possible parameters could be Safe, Folder, Object
              (internal account name), UserName, Address, Database,
              PolicyID.
    connection_timeout:
        type: int
        required: false
        default: '30'
        description:
            - An integer value of the time allowed before the request is
              returned as failed.
    query_format:
        type: str
        required: false
        default: Exact
        choices: [Exact, Regexp]
        description:
            - The format in which your query will be received by the CCP.
    fail_request_on_password_change:
        type: bool
        required: false
        default: false
        description:
            - A boolean parameter for completing the request in the middle of
              a password change of the requested credential.
    client_cert:
        type: str
        required: false
        description:
            - A string containing the file location and name of the client
              certificate used for authentication.
    client_key:
        type: str
        required: false
        description:
            - A string containing the file location and name of the private
              key of the client certificate used for authentication.
    reason:
        type: str
        required: false
        description:
            - Reason for requesting credential if required by policy.
            - It must be specified if the Policy managing the object
              requires it.
a  
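# The registered result contains the retrieved password (result.Content), so
# no_log keeps it out of task output and logs.
- name: credential retrieval basic
  cyberark.pas.cyberark_credential:
    # Plain HTTP sends the credential unencrypted; prefer an https:// URL as in
    # the advanced example below.
    api_base_url: "http://10.10.0.1"
    app_id: "TestID"
    query: "Safe=test;UserName=admin"
  # register is a task keyword, not a module option, so it sits at task level.
  register: result
  no_log: true

# Client-certificate authentication over HTTPS with certificate validation on.
- name: credential retrieval advanced
  cyberark.pas.cyberark_credential:
    api_base_url: "https://components.cyberark.local"
    validate_certs: true
    client_cert: /etc/pki/ca-trust/source/client.pem
    client_key: /etc/pki/ca-trust/source/priv-key.pem
    app_id: "TestID"
    query: "Safe=test;UserName=admin"
    connection_timeout: 60
    query_format: Exact
    fail_request_on_password_change: true
    reason: "requesting credential for Ansible deployment"
  # register is a task keyword, not a module option, so it sits at task level.
  register: result
  no_log: true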
a	  
changed:
    description:
        - Identify if the playbook run resulted in a change to the account in
          any way.
    returned: always
    type: bool
failed:
    description: Whether playbook run resulted in a failure of any kind.
    returned: always
    type: bool
status_code:
    description: Result HTTP Status code.
    returned: success
    type: int
    sample: "200, 201, -1, 204"
result:
    description: A json dump of the resulting action.
    returned: success
    type: complex
    contains:
        Address:
            description: The target address of the credential being queried
            type: str
            returned: if required
        Content:
            description: The password for the object being queried
            type: str
            returned: always
        CreationMethod:
            description: This is how the object was created in the Vault
            type: str
            returned: always
        DeviceType:
            description:
                - An internal File Category for more granular management of
                  Platforms.
            type: str
            returned: always
        Folder:
            description:
                - The folder within the Safe where the credential is stored.
            type: str
            returned: always
        Name:
            description:
                - The Cyberark unique object ID of the credential being
                  queried.
            type: str
            returned: always
        PasswordChangeInProcess:
            description: If the password has a change flag placed by the CPM
            type: bool
            returned: always
        PolicyID:
            description: The ID of the policy assigned to the object being queried
            type: str
            returned: if assigned to a policy
        Safe:
            description: The safe where the queried credential is stored
            type: str
            returned: always
        Username:
            description: The username of the credential being queried
            type: str
            returned: if required
        LogonDomain:
            description: The Address friendly name resolved by the CPM
            type: str
            returned: if populated
        CPMDisabled:
            description:
                - A description of why this vaulted credential is not being
                  managed by the CPM.
            type: str
            returned: if CPM management is disabled and a reason is given
)to_text)AnsibleModule)open_url)	HTTPError)quote)HTTPExceptionNc                    | j                   d   }| j                   d   }| j                   d   }| j                   d   }| j                   d   }| j                   d   }| j                   d   }d }d }	d}
d	| j                   v r| j                   d	   }d
| j                   v r| j                   d
   }	d| j                   v r| j                   d   }
|
dt        |      dt        |      d|d|d|}d| j                   v r/| j                   d    t        | j                   d         }|d|z  z   }d }d }	 t        ||z   d|||	      }|j                         dk(  r6	 t        j                  |j                               }||j                         fS | j                  d|z          y # t        t        f$ r8}| j                  d||dt        |      |j                         Y d }~d }~wt        $ r.}| j                  d||dt        |      d       Y d }~d }~ww xY w# t        $ r)}| j                  dt        |      z  d       Y d }~d }~ww xY w)Napi_base_urlvalidate_certsapp_idqueryconnection_timeoutquery_formatfail_request_on_password_changez/AIMWebService/api/Accountsclient_cert
client_keypathz?AppId=z&Query=z&ConnectionTimeout=z&QueryFormat=z&FailRequestOnPasswordChange=reasonz
&reason=%sGET)methodr   r   r   zError while retrieving credential.Please validate parameters provided, and permissions for the application and provider in CyberArk.
*** end_point=z
 ==> )msgstatus_codez9Unknown error while retrieving credential.
*** end_point=
   z9Error obtain cyberark credential result from http body
%szerror in end_point=>)r   )paramsr   r   r   r   	fail_jsonr   code	Exceptiongetcodejsonloadsread)moduler   r   r   r   r   r   r   r   r   r   	end_pointr   resultresponsehttp_exceptionunknown_exceptionexcs                     t/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/cyberark/pas/plugins/modules/cyberark_credential.pyretrieve_credentialr4      sy    ==0L]]#34N]]8$FMM'"E';<==0L&,mm4U&V#KJ(D%mmM2v}}$]]<0
}}V$ 	fe'I 6== V]]8%<%Hv}}X./v 55	FH 
9$)#!
@ S 	ZZ0F ((*++ 	3i?@O }% 
  GN,C	E '++ 	 		
 		
  	
  G4E,FH  	 	
 	
	
   	T3<!   	s<   .F  #H  H/.G""H.$HH	I(IIc                      dddddddddddddddddddd	gdd
ddddddddddddddd
} t        | d      }t        |      \  }}|j                  d||       y )NTstr)requiredtypeFint   )r7   r8   defaultExactRegexp)r7   r8   choicesr;   bool)r8   r;   )r8   r7   )r8   r7   no_log)
r   r   r   r   r   r   r   r   r   r   )argument_specsupports_check_mode)changedr.   r    )r   r4   	exit_json)fieldsr,   r.   r    s       r3   mainrF   4  s     &*59#U3"E2$e4+0%BO*	
 ,

 $*d; %59$%4H'F, TJF/7V[
U6{K    __main__)
__future__r   r   r   r8   __metaclass__ANSIBLE_METADATADOCUMENTATIONEXAMPLESRETURNansible.module_utils._textr   ansible.module_utils.basicr   ansible.module_utils.urlsr   +ansible.module_utils.six.moves.urllib.errorr   +ansible.module_utils.six.moves.urllib.parser   *ansible.module_utils.six.moves.http_clientr   r)   r4   rF   __name__ rG   r3   <module>rW      s|   
 C B  k Un.L
\ / 4 . A = D \A~L> zF rG   