Python Script for Retrieving Password from CyberArk (9.9.5) Password Vault

password_from_cyberark.py

import requests


class RetrieveCyberArkPassword:

    def __init__(self, url, username, password, verify_ssl=True):
        self.username = username
        self.password = password
        self.cyberark_url = url
        self.cert = None
        self.verify_ssl = verify_ssl
        self.getCert()

    def getCert(self):
        logon_url = "%s/auth/Cyberark/CyberArkAuthenticationService.svc/Logon" % (
            self.cyberark_url
        )
        credentials = {"username": self.username, "password": self.password}
        r = requests.post(
            logon_url,
            json=credentials,
            headers=headers,
            verify=self.verify_ssl
        )
        j = r.json()
        self.cert = j["CyberArkLogonResult"]

    def logoff(self):
        url = "%s/auth/Cyberark/CyberArkAuthenticationService.svc/Logoff" % (
            self.cyberark_url
        )
        headers = {
            "Content-Type": "application/json",
            "Authorization": self.cert
        }
        r = requests.post(url, headers=headers, verify=self.verify_ssl)

    def getAccountIDs(self, safe, keyword):
        url = "%s/PIMServices.svc/Accounts?Keywords=%s&Safe=%s" % (
            self.cyberark_url, keyword, safe
        )
        headers = {
            "Content-Type": "application/json",
            "Authorization": self.cert
        }
        r = requests.get(url, headers=headers, verify=self.verify_ssl)
        j = r.json()
        return [a["AccountID"] for a in j["accounts"]]

    def getPassword(self, account_id):
        url = "%s/PIMServices.svc/Accounts/%s/Credentials/" % (
            self.cyberark_url,
            account_id
        )
        headers = {
            "Content-Type": "application/json",
            "Authorization": self.cert
        }
        r = requests.get(url, headers=headers, verify=self.verify_ssl)
        return r.text


if __name__ == '__main__':
    cyberark = RetrieveCyberArkPassword(
        url="https://cyberark.company.corp/PasswordVault/WebServices",
        username="user01",
        password="passw0rd",
        verify_ssl=False
    )
    account_id = cyberark.getAccountIDs("SAFE-1", "application keyword")[0]
    password = cyberark.getPassword(account_id)
    print("Password: %s" % password)
    cyberark.logoff()

Hello Dadecoza, nice work, this is python3 based script, However , its based on direct username password login , do you have radius based approach as well .

Hi @KarnGusain,

This is Python2.7 and it did authenticate fine using my company AD account. Not sure if the radius directory syncs from our AD. Unfortunately I do not know how our companies CyberArk is configured. I'm just an end-user ;)

Hi All, facing the Syntax error here: except urllib2.HTTPError, e:

Can any one help me out on urgent basis

Hi All, facing the Syntax error here: except urllib2.HTTPError, e:

Can any one help me out on urgent basis

I completely forgot about this script! I converted it to Python3 just for you!

Hi there, would it be possible to share the python3 version of the script with me as well?

Nice work btw

Hi there, would it be possible to share the python3 version of the script with me as well?

Nice work btw

This is the Python3 version :)

Ah, ok ty so much!

Thanks @dadecoza for sharing this , I am new to this so I have some questions

1. Can I use it with my SAML based authentication? If yes then what parameters I need to add in here?
2. This will help in retrieving passwords from the safe so can I implement it directly in my code where earlier I used to fetch credentials from INI File? ( Please share the additional steps required to replace my ini file with this automated password retrieval process if you have)

@KarnGusain did you find the Radius Approach ?

Is there and SSO based authentication option?