Ansible Tower custom credential type (input and injector configuration) and example playbooks that retrieve credentials from a CyberArk vault and use them to authenticate to managed hosts
# INPUT CONFIGURATION of the Tower custom credential type: one sensitive,
# multi-line field holding the CyberArk client certificate (PEM pasted in).
fields:
  - id: cyberark_client_cert
    type: string
    label: CyberArk Client Certificate
    help_text: Paste the contents of the client certificate for CyberArk authentication
    secret: true
    multiline: true
required:
  - cyberark_client_cert
---
# Click the YAML option for the INJECTOR CONFIGURATION box and enter the following:
# INJECTOR CONFIGURATION: the certificate is rendered into a temporary file
# from `file.template`, and the path of that file is handed to the job as the
# extra var CYBERARK_CLIENT_CERT (the playbooks pass it as `client_cert`).
file:
  template: '{{ cyberark_client_cert }}'
extra_vars:
  CYBERARK_CLIENT_CERT: '{{ tower.filename }}'
# INPUT CONFIGURATION of the Tower custom credential type: one sensitive,
# multi-line field holding the private key that pairs with the client
# certificate (PEM pasted in).
fields:
  - id: cyberark_priv_key
    type: string
    label: CyberArk Private Key
    help_text: Paste the contents of the private key for CyberArk authentication
    secret: true
    multiline: true
required:
  - cyberark_priv_key
---
# Click the YAML option for the INJECTOR CONFIGURATION box and enter the following:
# INJECTOR CONFIGURATION: the private key is rendered into a temporary file
# from `file.template`, and the path of that file is handed to the job as the
# extra var CYBERARK_PRIV_KEY (the playbooks pass it as `client_key`).
file:
  template: '{{ cyberark_priv_key }}'
extra_vars:
  CYBERARK_PRIV_KEY: '{{ tower.filename }}'
---
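# Look up the root password of every inventory host in the CyberArk vault and
# expose it to later plays as the host fact `cyberark_secret`.
# The vault call is delegated to localhost, so only the Tower node needs
# network access to the vault and the client certificate/key files that the
# custom credential type injects as CYBERARK_CLIENT_CERT / CYBERARK_PRIV_KEY.
- hosts: all
  roles:
    - role: cyberark.modules
  tasks:
    - name: Fetch root password from CyberArk Vault
      cyberark_credential:
        api_base_url: "https://components.cyberark.local"
        # Verify the vault's TLS certificate. With verification disabled the
        # playbook accepts any server claiming to be the vault, so an on-path
        # attacker could substitute its own responses (attacker-chosen
        # credentials). If the vault uses a private CA, add that CA to the
        # controller's trust store instead of turning validation off.
        validate_certs: true
        client_cert: "{{ CYBERARK_CLIENT_CERT }}"
        client_key: "{{ CYBERARK_PRIV_KEY }}"
        app_id: "app_ansible"
        # inventory_hostname is inserted verbatim into the ';'-delimited
        # query, so inventory names must not contain ';' or '='.
        query: "safe=Linux Root Accounts;folder=root;UserName=root;address={{ inventory_hostname }}"
        reason: "Testing Ansible Playbook"
      register: cyberark_response
      delegate_to: localhost
      # result.Content holds the password; keep it out of the job log.
      no_log: true

    # The original debug task printed the whole registered response, password
    # included, into the job output. Only non-secret metadata is shown now.
    - name: Show which account was retrieved (no secret material)
      debug:
        msg: "Retrieved credential for {{ cyberark_response.result.UserName | default('unknown user') }} on {{ inventory_hostname }}"

    - name: Set response to fact named cyberark_secret
      set_fact:
        cyberark_secret: "{{ cyberark_response.result.Content }}"
      no_log: true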
---
# This Playbook is for retrieving the contents of a single private key from the
# Cyberark Vault and writing the contents to a temp file for each host and using
# the temp file for ssh key auth to the hosts.
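# Retrieve each host's SSH private key and a root password from the CyberArk
# vault on the controller, write the key to a per-host temporary file, log in
# to the host with that file and escalate with `su`, then delete the key files.
- hosts: all
  connection: local
  # No facts are used. The original gathered them only to read
  # ansible_hostname, which under connection: local is the controller's
  # hostname, not the target's (see the query comment below).
  gather_facts: false
  roles:
    - role: cyberark.modules
  tasks:
    - name: Fetch SSH Key content from CyberArk Vault
      cyberark_credential:
        api_base_url: "https://components.cyberark.local"
        # Verify the vault's TLS certificate; with verification disabled an
        # on-path attacker could impersonate the vault and hand this play
        # attacker-chosen keys and passwords. Trust a private CA via the
        # controller's trust store rather than disabling validation.
        validate_certs: true
        client_cert: "{{ CYBERARK_CLIENT_CERT }}"
        client_key: "{{ CYBERARK_PRIV_KEY }}"
        app_id: "app_ansible"
        # inventory_hostname, not ansible_hostname: with connection: local the
        # gathered ansible_hostname is the Tower node's own name, so the
        # original asked the vault for the controller's key for every host.
        query: "safe=Linux Root Accounts;folder=root;address={{ inventory_hostname }}"
        reason: "Testing Ansible Playbook"
      register: cyberark_response
      delegate_to: localhost
      # result.Content is the private key; it must not reach the job output
      # (the original had no_log: false here).
      no_log: true

    - name: Fetch root credential for sudo privilege escalation
      cyberark_credential:
        api_base_url: "https://components.cyberark.local"
        app_id: "sudo_privilege"
        validate_certs: true
        client_cert: "{{ CYBERARK_CLIENT_CERT }}"
        client_key: "{{ CYBERARK_PRIV_KEY }}"
        query: "safe=Linux Root Accounts;folder=root;address={{ inventory_hostname }}"
        reason: "testing escalation in shell module"
      register: sudo_cred
      delegate_to: localhost
      # result.Content is the root password; keep it out of the job log.
      no_log: true

    - name: Create a temporary file for the private key
      tempfile:
        state: file
        suffix: key
      register: temp_key
      no_log: true

    - name: Write key contents to the temporary file
      copy:
        dest: "{{ temp_key.path }}"
        content: "{{ cyberark_response.result.Content }}"
        # Owner-only: ssh rejects group/world-readable keys, and other local
        # users on the controller must not be able to read it.
        mode: "0600"
      delegate_to: localhost
      changed_when: false
      no_log: true

# Connect with the retrieved key and escalate with the retrieved password.
- hosts: all
  gather_facts: false
  vars:
    ansible_ssh_private_key_file: "{{ temp_key.path }}"
    # The original passed the whole registered result (`{{ sudo_cred }}`) as
    # the password; only result.Content is the secret.
    ansible_become_pass: "{{ sudo_cred.result.Content }}"
  tasks:
    - name: Verify privilege escalation works
      become: true
      become_method: su
      command: whoami
      changed_when: false

# Remove the per-host key files from the controller; the original left the
# decrypted private keys on disk after the run. Hosts that failed or were
# unreachable in the previous play are dropped from this one by Ansible, so
# their files remain; clean the controller's temp directory separately if
# that matters in your environment.
- hosts: all
  connection: local
  gather_facts: false
  tasks:
    - name: Remove temporary private key file
      file:
        path: "{{ temp_key.path }}"
        state: absent
      when: temp_key.path is defined
      changed_when: false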
---
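# Retrieve each host's SSH private key (from the "SSH Private Keys" safe) and a
# root credential from the CyberArk vault, log in as the key's account,
# escalate with `su`, then remove the temporary key files again.
- hosts: all
  connection: local
  # No facts are used by these tasks.
  gather_facts: false
  roles:
    - role: cyberark.modules
  tasks:
    - name: Fetch SSH Key content from CyberArk Vault
      cyberark_credential:
        api_base_url: "https://components.cyberark.local"
        # Verify the vault's TLS certificate; with verification disabled an
        # on-path attacker could impersonate the vault and hand this play
        # attacker-chosen keys and passwords. Trust a private CA via the
        # controller's trust store rather than disabling validation.
        validate_certs: true
        client_cert: "{{ CYBERARK_CLIENT_CERT }}"
        client_key: "{{ CYBERARK_PRIV_KEY }}"
        app_id: "app_ansible"
        query: "safe=SSH Private Keys;folder=root;address={{ inventory_hostname }}"
        reason: "Testing Ansible Playbook"
      register: cyberark_response
      delegate_to: localhost
      # result.Content is the private key; it must not reach the job output
      # (the original had no_log: false here).
      no_log: true

    # Fetched here on the controller rather than in the second play: the
    # original ran this lookup on the managed host, without client_cert /
    # client_key and without the cyberark.modules role, so it could not
    # authenticate to the vault the way every other lookup in this file does.
    # If the intent was to test allowed-machine authentication from the
    # managed host itself, move it back deliberately and document that.
    - name: Fetch root credential for sudo privilege escalation
      cyberark_credential:
        api_base_url: "https://components.cyberark.local"
        app_id: "sudo_privilege"
        validate_certs: true
        client_cert: "{{ CYBERARK_CLIENT_CERT }}"
        client_key: "{{ CYBERARK_PRIV_KEY }}"
        query: "safe=Linux Root Accounts;folder=root;address={{ inventory_hostname }}"
        reason: "testing escalation in shell module"
      register: sudo_cred
      delegate_to: localhost
      # result.Content is the root password; keep it out of the job log.
      no_log: true

    - name: Set the become variables
      set_fact:
        # `ansible_become_user`, not `become_user`: a fact called become_user
        # is an ordinary variable and has no effect on privilege escalation.
        ansible_become_user: "{{ sudo_cred.result.UserName }}"
        ansible_become_pass: "{{ sudo_cred.result.Content }}"
      # The original logged these values (no_log: false), exposing the
      # password in the job output.
      no_log: true

    - name: Create a temporary file for the private key
      tempfile:
        state: file
        suffix: key
      register: temp_key
      no_log: true

    - name: Write key contents to the temporary file
      copy:
        dest: "{{ temp_key.path }}"
        content: "{{ cyberark_response.result.Content }}"
        # Owner-only: ssh rejects group/world-readable keys, and other local
        # users on the controller must not be able to read it.
        mode: "0600"
      delegate_to: localhost
      changed_when: false
      no_log: true

# Log in as the account the key belongs to and escalate with the
# ansible_become_user / ansible_become_pass facts set above.
- hosts: all
  gather_facts: true
  vars:
    ansible_ssh_user: "{{ cyberark_response.result.UserName }}"
    ansible_ssh_private_key_file: "{{ temp_key.path }}"
  tasks:
    - name: Verify privilege escalation works
      become: true
      become_method: su
      command: whoami
      changed_when: false

# Remove the per-host key files from the controller; the original left the
# decrypted private keys on disk after the run. Hosts that failed or were
# unreachable in the previous play are dropped from this one by Ansible, so
# their files remain; clean the controller's temp directory separately if
# that matters in your environment.
- hosts: all
  connection: local
  gather_facts: false
  tasks:
    - name: Remove temporary private key file
      file:
        path: "{{ temp_key.path }}"
        state: absent
      when: temp_key.path is defined
      changed_when: false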
---
# This Playbook is for retrieving the password of the hosts and setting a password
# variable for authenticating to the hosts
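# Retrieve each host's root password from the CyberArk vault on the controller
# and use it as the SSH password in the second play.
- hosts: all
  connection: local
  gather_facts: false
  tasks:
    - name: Cyberark Credential retrieval
      include_role:
        name: cyberark.modules

    - name: Fetch password from Cyberark Vault
      cyberark_credential:
        api_base_url: "https://components.cyberark.local"
        # Verify the vault's TLS certificate; with verification disabled an
        # on-path attacker could impersonate the vault and hand this play
        # attacker-chosen passwords. Trust a private CA via the controller's
        # trust store rather than disabling validation.
        validate_certs: true
        client_cert: "{{ CYBERARK_CLIENT_CERT }}"
        client_key: "{{ CYBERARK_PRIV_KEY }}"
        app_id: "app_ansible"
        # inventory_hostname is inserted verbatim into the ';'-delimited
        # query, so inventory names must not contain ';' or '='.
        query: "safe=Linux Root Accounts;folder=root;UserName=root;address={{ inventory_hostname }}"
        reason: "Testing Ansible Playbook"
      register: cyberark_response
      delegate_to: localhost
      # result.Content holds the password; the original logged the whole
      # response (no_log: false).
      no_log: true

    - name: Set response to fact named cyberark_secret
      set_fact:
        cyberark_secret: "{{ cyberark_response.result.Content }}"
      no_log: true

# Log in to the hosts with the retrieved password. The original second play
# also carried `connection: local`, which made `echo Test` run on the
# controller and never exercised ansible_ssh_pass at all.
- hosts: all
  gather_facts: false
  vars:
    ansible_ssh_pass: "{{ cyberark_secret }}"
  tasks:
    - name: Verify password authentication works
      command: echo Test
      changed_when: false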
---
# This Playbook is for retrieving the contents of a single private key from the
# Cyberark Vault and writing the contents to a temp file for each host and using
# the temp file for ssh key auth to the hosts.
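# Retrieve each host's SSH private key from the CyberArk vault on the
# controller, write it to a per-host temporary file, log in with that file,
# then delete the key files again.
- hosts: all
  connection: local
  # No facts are used. The original gathered them only to read
  # ansible_hostname, which under connection: local is the controller's
  # hostname, not the target's (see the query comment below).
  gather_facts: false
  tasks:
    - name: Cyberark Credential retrieval
      include_role:
        name: cyberark.modules

    - name: Fetch SSH Key content from CyberArk Vault
      cyberark_credential:
        api_base_url: "https://components.cyberark.local"
        # Verify the vault's TLS certificate; with verification disabled an
        # on-path attacker could impersonate the vault and hand this play
        # attacker-chosen keys. Trust a private CA via the controller's trust
        # store rather than disabling validation.
        validate_certs: true
        client_cert: "{{ CYBERARK_CLIENT_CERT }}"
        client_key: "{{ CYBERARK_PRIV_KEY }}"
        app_id: "app_ansible"
        # inventory_hostname, not ansible_hostname: with connection: local the
        # gathered ansible_hostname is the Tower node's own name, so the
        # original asked the vault for the controller's key for every host.
        query: "safe=Linux Root Accounts;folder=root;address={{ inventory_hostname }}"
        reason: "Testing Ansible Playbook"
      register: cyberark_response
      delegate_to: localhost
      # result.Content is the private key; keep it out of the job log.
      no_log: true

    - name: Create a temporary file for the private key
      tempfile:
        state: file
        suffix: key
      register: temp_key
      no_log: true

    - name: Write key contents to the temporary file
      copy:
        dest: "{{ temp_key.path }}"
        content: "{{ cyberark_response.result.Content }}"
        # Owner-only: ssh rejects group/world-readable keys, and other local
        # users on the controller must not be able to read it.
        mode: "0600"
      delegate_to: localhost
      changed_when: false
      no_log: true

# Log in to the hosts with the retrieved key.
- hosts: all
  gather_facts: false
  vars:
    ansible_ssh_private_key_file: "{{ temp_key.path }}"
  tasks:
    - name: Verify key authentication works
      command: echo Test
      changed_when: false

# Remove the per-host key files from the controller; the original left the
# decrypted private keys on disk after the run. Hosts that failed or were
# unreachable in the previous play are dropped from this one by Ansible, so
# their files remain; clean the controller's temp directory separately if
# that matters in your environment.
- hosts: all
  connection: local
  gather_facts: false
  tasks:
    - name: Remove temporary private key file
      file:
        path: "{{ temp_key.path }}"
        state: absent
      when: temp_key.path is defined
      changed_when: false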