cyberark / ansible-security-automation-collection
CyberArk Ansible Security Automation Collection
License: MIT License
SUMMARY
While trying to retrieve credential from Cyberark using cyberark_credential module the error thrown is misleading.
"msg": "Unknown error while retrieving credential.\n*** end_point=https://x.y.z/AIMWebService/api/Accounts?AppId=Ansible&Query=Safe%ABC-Ansible%3BObject%3A-B-C-D.a.b.c&ConnectionTimeout=30&QueryFormat=Mytestformat&reason=Test%20Ansible%20Playbook\n<urlopen error [Errno 104] Connection reset by peer>",
"status_code": -1
We can enhance the error thrown, to something which makes it clear or obvious that the issue lies with incorrect proxy configuration & not with Cyberark side.
ADDITIONAL INFORMATION
This would be helpful for Customers using cyberark.pas.cyberark_credential plugin from cyberark.pas collection
Hi! As part of the ansible community package release process,
we've determined that versions 1.0.18 and 1.0.19 of cyberark.pas were released to
Ansible Galaxy but not properly tagged in this Git repository.
This violates the repository management section of the Collection Requirements:
Every collection MUST have a public git repository. Releases of the collection MUST be tagged in said repository. This means that releases MUST be git tagged and that the tag name MUST exactly match the Galaxy version number. Tag names MAY have a v prefix, but a collection's tag names MUST have a consistent format from release to release.
Additionally, collection artifacts released to Galaxy MUST be built from the sources that are tagged in the collection's git repository as that release. Any changes made during the build process MUST be clearly documented so the collection artifact can be reproduced.
If the collection maintainers do not respond to this issue within a reasonable amount of time, the collection is subject to Removal from ansible.
Note that we've already reported this issue once in #46 and the collection is again violating this requirement.
Hi! The Ansible Community Steering Committee has determined that this collection does not tag its releases in its git repository. This violates the repository management section of the Collection Requirements:
Every collection MUST have a public git repository. Releases of the collection MUST be tagged in said repository. This means that releases MUST be git tagged and that the tag name MUST exactly match the Galaxy version number. Tag names MAY have a v prefix, but a collection's tag names MUST have a consistent format from release to release.
Additionally, collection artifacts released to Galaxy MUST be built from the sources that are tagged in the collection's git repository as that release. Any changes made during the build process MUST be clearly documented so the collection artifact can be reproduced.
Note that this requirement has recently been clarified, but its intent remains the same. Please tag at least the previous 1-2 releases of your collection to come into compliance.
Please keep us updated and let us know if you have any questions. Thanks!
Login failure on privilegecloud if user-agent not set
Simple ansible playbook to auth against privilege cloud API:
---
- name: cyberark
  hosts: localhost
  tasks:
    - name: Logon to CyberArk Vault using PAS Web Services SDK
      cyberark.pas.cyberark_authentication:
        api_base_url: https://totallyfakedomain.privilegecloud.cyberark.com
        username: "apitest"
        password: "password123!"
        use_cyberark_authentication: yes
I would expect it to return me a token for my session as per the result when doing:
curl -X POST --header 'Content-Type: application/json' -d '{ "username": "apitest", "password": "password123!" }' https://totallyfakedomain.privilegecloud.cyberark.com/PasswordVault/API/Auth/CyberArk/Logon
fatal: [localhost]: FAILED! => changed=false
  headers:
    Content-Type: application/json
  msg: |-
    Error while performing authentication.Please validate parameters provided, and ability to logon to CyberArk.
    *** end_point=https://totallyfakedomain.privilegecloud.cyberark.com/PasswordVault/API/Auth/CyberArk/Logon
     ==> HTTP Error 403: Forbidden
  payload: '{"username": "apitest", "password": "********"}'
  status_code: 403
ansible [core 2.11.4]
python version = 3.8.10 (default, Jun 2 2021, 10:49:15) [GCC 9.4.0]
jinja version = 2.11.2
Simple ubuntu linux desktop host. Ansible installed from pip. Tried cyberark module from galaxy and from git (ansible-galaxy collection install git+https://github.com/cyberark/ansible-security-automation-collection)
Appears that it needs a user-agent that isn't python-urllib, editing:
~/.ansible/collections/ansible_collections/cyberark/pas/plugins/modules/cyberark_authentication.py
and modifying the block at line 232 from:
response = open_url(
    api_base_url + end_point,
    method="POST",
    headers=headers,
    data=payload,
    validate_certs=validate_certs
)
to
response = open_url(
    api_base_url + end_point,
    method="POST",
    headers=headers,
    data=payload,
    validate_certs=validate_certs,
    http_agent="DefinitelyNotPython-urllib/3.8"
)
Makes it work.
By default it sends User-Agent: Python-urllib/3.8
and something doesn't like this it seems.
Hello,
would it be possible to take into account the "groupname" and "groupplatformid" parameters
to be able to manage groups, the parameter seems to work following different tests outside the collection
it would therefore be necessary to add the 2 parameters in the python code
I can possibly suggest a fix
The latest collection seems to be breaking backwards compatibility with API 1.0 instances.
The following (copied from the official examples) doesn't work anymore in 1.0.6 but it works in 1.0.5
- name: Logon - Not use_shared_logon_authentication
  cyberark_authentication:
    api_base_url: "{{ web_services_base_url }}"
    username: "{{ password_object.password }}"
    password: "{{ password_object.passprops.username }}"
    use_shared_logon_authentication: no
Using 1.0.6 Run the example authentication against API 1.0 SAM Vault server
Authenticate and retrieve token in ansible_facts
fatal: [server]: FAILED! => {"changed": false, "headers": {"Content-Type": "application/json"}, "msg": "Error while performing authentication.Please validate parameters provided, and ability to logon to CyberArk.\n*** end_point=https://sam.example.com/PasswordVault/API/Auth/CyberArk/Logon\n ==> HTTP Error 403: Forbidden", "payload": "{\"username\": \"USERNAME\", \"password\": \"********\"}", "status_code": 403}
It seems that the wrong URL is sent with 1.0.6. It is sending to /PasswordVault/API/Auth/CyberArk/Logon when it should be sending to /PasswordVault/WebServices/auth/Cyberark/CyberArkAuthenticationService.svc/Logon. I.e. it is not detecting which API version is being used.
When creating accounts with a "GroupName" property using the cyberark.pas.cyberark_account module, any subsequent task run on this account is systematically marked as "changed", despite the provided values being the same.
This does not happen with accounts that are not part of a group (no "GroupName" property given).
Using the cyberark.pas.cyberark_account module, create an account with a "GroupName" property under "platform_account_properties".
Then, run the task again without changing any values.
I expect the task to return as "ok" when no value has actually changed (idempotency).
The task returns as "changed".
In the log of the task below, you can see a GroupName is passed in the module_args, but does not show in the result section, which may be linked to the issue.
changed: [host.domain.tld] => {
"changed": true,
"invocation": {
"module_args": {
"address": "host.domain.tld",
"api_base_url": "********/PasswordVault/api/",
"cyberark_session": {
"api_base_url": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"token": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"validate_certs": true
},
"identified_by": "username,address,platform_id",
"logging_file": "/tmp/cyberark_role_20210621_1041",
"logging_level": "INFO",
"name": "MY_ACCOUNT_NAME",
"new_secret": null,
"platform_account_properties": {
"CustomDescription": "foo",
"CustomIP": "1.2.3.4",
"ExtraPass3Folder": "RECONCILE_FOLDER",
"ExtraPass3Name": "RECONCILE_NAME",
"ExtraPass3Safe": "RECONCILE_SAFE",
"GroupName": "MY_GROUP",
"IP": "1.2.3.4",
"Location": "foo"
},
"platform_id": "MY_PLATFORM",
"remote_machines_access": null,
"safe": "MY_SAFE",
"secret": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"secret_management": {
"automatic_management_enabled": true,
"management_action": "change",
"manual_management_reason": null,
"new_secret": null,
"perform_management_action": "on_create"
},
"secret_type": "password",
"state": "present",
"username": "my_account",
"validate_certs": true
}
},
"result": {
"result": {
"address": "host.domain.tld",
"categoryModificationTime": 1624029563,
"createdTime": 1623171048,
"id": "161_2626",
"name": "MY_ACCOUNT_NAME",
"platformAccountProperties": {
"CustomDescription": "foo",
"CustomIP": "1.2.3.4",
"ExtraPass3Folder": "RECONCILE_FOLDER",
"ExtraPass3Name": "RECONCILE_NAME",
"ExtraPass3Safe": "RECONCILE_SAFE",
"Hostname": "HOST",
"IP": "1.2.3.4",
"Location": "foo"
},
"platformId": "MY_PLATFORM",
"safeName": "MY_SAFE",
"secretManagement": {
"automaticManagementEnabled": true,
"lastModifiedTime": 1623946613,
"lastReconciledTime": 1623946649,
"status": "success"
},
"secretType": "password",
"userName": "my_account"
}
},
"status_code": 200
}
Collection cyberark.pas v1.0.7.
Running in a venv, with ansible v2.9.12 and python v3.6.8.
Could you please add a 'timeout' parameter to all modules and pass it to the open_url ansible core function. The default value is pretty low and sometimes it happens that modules fail due to timeout.
A 'timeout' parameter similar to what we have in uri module.
Hi,
I see from https://galaxy.ansible.com/cyberark/bizdev that it's deprecated, though it took some hunting around to see where that content lives now.
Can you please publish an update so the README.md only has a single line which points to https://galaxy.ansible.com/cyberark/pas
To display EDA content on Ansible Automation Hub, there is an additional file needed in the collection.
Add the meta/extensions.yml file to the collection with the following contents:
extensions:
  - args:
      ext_dir: eda/plugins/event_filter
  - args:
      ext_dir: eda/plugins/event_source
This will cause the EDA plugin to display under the collection's "Contents" tab in Automation Hub.
See the ansible.eda collection source for reference.
(Note: Depends on #67 to work properly)
This collection will be included in Ansible 2.10 because it contains modules and/or plugins that were included in Ansible 2.9. Please review:
The latest version of the collection available on August 18 will be included in Ansible 2.10.0, except possibly newer versions which differ only in the patch level. (For details, see the roadmap). Please release version 1.0.0 of your collection by this date! If 1.0.0 does not exist, the same 0.x.y version will be used in all of Ansible 2.10 without updates, and your 1.x.y release will not be included until Ansible 2.11 (unless you request an exception at a community working group meeting and go through a demanding manual process to vouch for backwards compatibility . . . you want to avoid this!).
Your collection versioning must follow all semver rules. This means:
Your collection should provide data for the Ansible 2.10 changelog and porting guide. The changelog and porting guide are automatically generated from ansible-base, and from the changelogs of the included collections. All changes from the breaking_changes, major_changes, removed_features and deprecated_features sections will appear in both the changelog and the porting guide. You have two options for providing changelog fragments to include:
changelogs/changelog.yaml inside your collection (see the documentation of changelogs/changelog.yaml format).
If you cannot contribute to the integrated Ansible changelog using one of these methods, please provide a link to your collection's changelog by creating an issue in https://github.com/ansible-community/ansible-build-data/. If you do not provide changelogs/changelog.yml or a link, users will not be able to find out what changed in your collection from the Ansible changelog and porting guide.
Run ansible-test sanity --docker -v in the collection with the latest ansible-base or stable-2.10 ansible/ansible checkout.
Be sure you're subscribed to:
If you have questions or want to provide feedback, please see the Feedback section in the collection requirements.
(Internal link to keep track of issues: ansible-collections/overview#102)
cyberark_account url is not properly url encoded when state=absent and safe is None.
I want to delete an account but I do not have the same name. The CyberArk API does not require a safe name.
- name: Remove account
  cyberark.pas.cyberark_account:
    identified_by: "address,username"
    address: "{{ inventory_hostname_short }}"
    safe:
    username: "admin"
    cyberark_session: "{{ cyberark_session }}"
    state: absent
Account is removed
FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\\n File \\"/tmp/ansible_cyberark.pas.cyberark_account_payload_l3glafvu/ansible_cyberark.pas.cyberark_account_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py\\", line 1102, in get_account\\n File \\"/tmp/ansible_cyberark.pas.cyberark_account_payload_l3glafvu/ansible_cyberark.pas.cyberark_account_payload.zip/ansible/module_utils/urls.py\\", line 1384, in open_url\\n File \\"/tmp/ansible_cyberark.pas.cyberark_account_payload_l3glafvu/ansible_cyberark.pas.cyberark_account_payload.zip/ansible/module_utils/urls.py\\", line 1294, in open\\n File \\"/usr/lib64/python3.8/urllib/request.py\\", line 222, in urlopen\\n return opener.open(url, data, timeout)\\n File \\"/usr/lib64/python3.8/urllib/request.py\\", line 525, in open\\n response = self._open(req, data)\\n File \\"/usr/lib64/python3.8/urllib/request.py\\", line 542, in _open\\n result = self._call_chain(self.handle_open, protocol, protocol +\\n File \\"/usr/lib64/python3.8/urllib/request.py\\", line 502, in _call_chain\\n result = func(*args)\\n File \\"/tmp/ansible_cyberark.pas.cyberark_account_payload_l3glafvu/ansible_cyberark.pas.cyberark_account_payload.zip/ansible/module_utils/urls.py\\", line 443, in https_open\\n File \\"/usr/lib64/python3.8/urllib/request.py\\", line 1354, in do_open\\n h.request(req.get_method(), req.selector, req.data, headers,\\n File \\"/usr/lib64/python3.8/http/client.py\\", line 1256, in request\\n self._send_request(method, url, body, headers, encode_chunked)\\n File \\"/usr/lib64/python3.8/http/client.py\\", line 1267, in _send_request\\n self.putrequest(method, url, **skips)\\n File \\"/usr/lib64/python3.8/http/client.py\\", line 1101, in putrequest\\n self._validate_path(url)\\n File \\"/usr/lib64/python3.8/http/client.py\\", line 1201, in _validate_path\\n raise InvalidURL(f\\"URL can't contain control characters. 
{url!r} \\"\\nhttp.client.InvalidURL: URL can't contain control characters. '/PasswordVault/api/accounts?search=REDACTED.redacted.com admin' (found at least ' ')\\n\\nDuring handling of the above exception, another exception occurred:\\n\\nTraceback (most recent call last):\\n File \\"/home/runner/.ansible/tmp/ansible-tmp-1691432082.671086-58-126268203065216/AnsiballZ_cyberark_account.py\\", line 102, in <module>\\n _ansiballz_main()\\n File \\"/home/runner/.ansible/tmp/ansible-tmp-1691432082.671086-58-126268203065216/AnsiballZ_cyberark_account.py\\", line 94, in _ansiballz_main\\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\\n File \\"/home/runner/.ansible/tmp/ansible-tmp-1691432082.671086-58-126268203065216/AnsiballZ_cyberark_account.py\\", line 40, in invoke_module\\n runpy.run_module(mod_name='ansible_collections.cyberark.pas.plugins.modules.cyberark_account', init_globals=None, run_name='__main__', alter_sys=True)\\n File \\"/usr/lib64/python3.8/runpy.py\\", line 207, in run_module\\n return _run_module_code(code, init_globals, run_name, mod_spec)\\n File \\"/usr/lib64/python3.8/runpy.py\\", line 97, in _run_module_code\\n _run_code(code, mod_globals, init_globals,\\n File \\"/usr/lib64/python3.8/runpy.py\\", line 87, in _run_code\\n exec(code, run_globals)\\n File \\"/tmp/ansible_cyberark.pas.cyberark_account_payload_l3glafvu/ansible_cyberark.pas.cyberark_account_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py\\", line 1309, in <module>\\n File \\"/tmp/ansible_cyberark.pas.cyberark_account_payload_l3glafvu/ansible_cyberark.pas.cyberark_account_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py\\", line 1267, in main\\n File \\"/tmp/ansible_cyberark.pas.cyberark_account_payload_l3glafvu/ansible_cyberark.pas.cyberark_account_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py\\", line 1165, in get_account\\nAttributeError: 'InvalidURL' object has no attribute 
'code'\\n", "module_stdout": "", "msg": "MODULE FAILURE\\nSee stdout/stderr for the exact error", "rc": 1}
1.0.19
Ansible 2.13
It seems the search_string is only properly encoded when the safe_filter is Not None
I believe Line 1087 should be
end_point = ("/PasswordVault/api/accounts?search=%s") % (quote(search_string.lstrip()))
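The encoding fix proposed above, generalized to both URL forms, as an added example that is not part of the original issue or the collection's code. build_search_endpoint, preflight and the host vault.invalid are hypothetical names and the sample address is constructed; preflight also reads the status code with getattr, because InvalidURL has no code attribute.

```python
import http.client
from urllib.parse import quote

# Constructed sample: address and username joined by a space, left unencoded
# the way the failing request in the traceback was.
UNENCODED = "/PasswordVault/api/accounts?search=srv01.example.com admin"


def build_search_endpoint(search_string, safe=None):
    """Build the accounts search path with every caller-supplied part percent-encoded.

    The same quoting is applied whether or not a safe is given, so a missing
    safe can no longer leave a raw space in the request line.
    """
    search = quote(search_string.strip(), safe="")
    if safe is None:
        return "/PasswordVault/api/accounts?search=%s" % search
    safe_filter = quote("safeName eq " + safe, safe="")
    return "/PasswordVault/api/accounts?filter=%s&search=%s" % (safe_filter, search)


def preflight(path):
    """Ask http.client whether it would accept this request path.

    putrequest() validates the path and only buffers the request line, so no
    socket is opened and the placeholder host is never contacted.
    """
    conn = http.client.HTTPConnection("vault.invalid")  # hypothetical host
    try:
        conn.putrequest("GET", path)
        return {"ok": True, "status_code": None, "msg": ""}
    except http.client.InvalidURL as exc:
        # InvalidURL is not an HTTPError: it carries no .code, so fall back
        # to -1 instead of dereferencing the attribute.
        return {"ok": False, "status_code": getattr(exc, "code", -1), "msg": str(exc)}
    finally:
        conn.close()


if __name__ == "__main__":
    fixed = build_search_endpoint("srv01.example.com admin")
    for candidate in (UNENCODED, fixed):
        print(candidate, "->", preflight(candidate))
```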
Currently Galaxy has version 1.0.7, but it doesn't support v2 api or ldap authentication as referenced in the documentation
Also, automationhub references version 1.0.5, which is old information. Please update automationhub to reference the actual galaxy version as the official release
The README for cyberark_credential does not provide steps on how to use the results returned from the module in subsequent tasks. The README currently suggests that the module itself will return a URI to do the lookup, not that the module returns values from the module that can be used in tasks later in the playbook:
Creates a URI for retrieving a credential from a password object stored in the Cyberark Vault.
result:
{ api_base_url }"/AIMWebService/api/Accounts?AppId="{ app_id }"&Query="{ query }
and
result:
{ api_base_url }"/AIMWebService/api/Accounts?AppId="{ app_id }"&Query="{ query }"&ConnectionTimeout="{ connection_timeout }"&QueryFormat="{ query_format }"&FailRequestOnPasswordChange="{ fail_request_on_password_change }
If these two lines are incorrectly copied into a playbook, the yaml parser will fail. These should be separated from the task examples to prevent confusion.
Additionally, the task examples should accompany some example module that uses the secret:
- name: credential retrieval basic
  cyberark_credential:
    api_base_url: "http://10.10.0.1"
    app_id: "TestID"
    query: "Safe=test;UserName=admin"
  register: result
  ## result:
  # { api_base_url }"/AIMWebService/api/Accounts?AppId="{ app_id }"&Query="{ query }
- name: Using the secret
  shell: 'some_command --some-arg {{ result.content }}'
  no_log: true
Attempting to use collection version 1.0.7 with cyberark_account after a successful cyberark_authentication results in an error with api_base_url
- name: Logon to CyberArk Vault using PAS Web Services SDK
  cyberark.pas.cyberark_authentication:
    api_base_url: "http://components.cyberark.local"
    validate_certs: no
    username: "bizdev"
    password: "Cyberark1"
- name: Creating an Account using the PAS WebServices SDK
  cyberark.pas.cyberark_account:
    logging_level: DEBUG
    identified_by: "address,username"
    safe: "Test"
    address: "cyberark.local"
    username: "administrator-x"
    platform_id: WinServerLocal
    secret: "@N&Ibl3!"
    platform_account_properties:
      LogonDomain: "cyberark"
      OwnerName: "ansible_user"
    secret_management:
      automatic_management_enabled: true
    state: present
    cyberark_session: "{{ cyberark_session }}"
  register: cyberarkaction
Account created
Line: cyberark_account.py#L1075 fails with key error
Traceback (most recent call last):
File "/var/lib/awx/.ansible/tmp/ansible-tmp-1623780866.6344018-975949-190468678997879/AnsiballZ_cyberark_account.py", line 247, in <module>
_ansiballz_main()
File "/var/lib/awx/.ansible/tmp/ansible-tmp-1623780866.6344018-975949-190468678997879/AnsiballZ_cyberark_account.py", line 237, in _ansiballz_main
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
File "/var/lib/awx/.ansible/tmp/ansible-tmp-1623780866.6344018-975949-190468678997879/AnsiballZ_cyberark_account.py", line 108, in invoke_module
runpy.run_module(mod_name='ansible_collections.cyberark.pas.plugins.modules.cyberark_account', init_globals=None, run_name='__main__', alter_sys=True)
File "/usr/lib64/python3.6/runpy.py", line 205, in run_module
return _run_module_code(code, init_globals, run_name, mod_spec)
File "/usr/lib64/python3.6/runpy.py", line 96, in _run_module_code
mod_name, mod_spec, pkg_name, script_name)
File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
exec(code, run_globals)
File "/tmp/ansible_cyberark.pas.cyberark_account_payload_tjanvl99/ansible_cyberark.pas.cyberark_account_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py", line 1300, in <module>
File "/tmp/ansible_cyberark.pas.cyberark_account_payload_tjanvl99/ansible_cyberark.pas.cyberark_account_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py", line 1258, in main
File "/tmp/ansible_cyberark.pas.cyberark_account_payload_tjanvl99/ansible_cyberark.pas.cyberark_account_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py", line 1075, in get_account
KeyError: 'api_base_url'
1.0.7
We want to utilize Ansible to publish root accounts of newly deployed servers. However, when we utilize the ansible modules to use the PVWA path through our netscaler loadbalancers, we get error "401" (unauthorized)......when we use an "api_base_url" pointing directly to one of the servers behind the loadbalancer the logon and provisioning functions as expected.
At this point we think this is a result of the (within our organisation) standard configuration of the netscalers, which provides a cookie to handle session persistence (https://docs.netscaler.com/en-us/citrix-adc/current-release/load-balancing/load-balancing-persistence/http-cookie-persistence.html)
Within PowerShell REST calls (Invoke-RestMethod), there are options to use a websession/sessionvariable to parse cookie info during a REST call (https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-restmethod?view=powershell-7.4), making the used loadbalancer config "transparent" for the REST call.
Is it possible to also build such handling in the Ansible cyberark authentication modules to also make it possible to use session persistence based on cookies?
Code and results so far:
- name: Create computeraccount in Cyberark
  hosts: localhost
  become: false
  gather_facts: false
  collections:
  vars:
    cyberark_url: https://pamserver.localdns.nl
    cyberark_username: causer
  vars_prompt:
  tasks:
    - name: Logon to CyberArk Vault using PAS Web Services SDK
      cyberark_authentication:
        api_base_url: "{{ cyberark_url }}"
        validate_certs: false
        concurrentSession: true
        username: "{{ cyberark_username }}"
        password: "{{ cyberark_password }}"
    - name: Cyberark output
      ansible.builtin.debug:
        var: cyberark_session
    - name: Create computer account
      register: cyberarkaction
      cyberark_account:
        cyberark_session: "{{ cyberark_session }}"
        logging_level: DEBUG
        identified_by: "address"
        name: "root-srv9999.localdns.nl"
        safe: "T-LINUX-ROOT"
        address: "srv9999.localdns.nl"
        username: "root"
        platform_id: "T-Linux-root-00000"
        secret: "##123$$"
        secret_management:
          automatic_management_enabled: true
        state: present
    - name: Cyberark create account output
      ansible.builtin.debug:
        var: cyberarkaction
    - name: Logoff from CyberArk Vault
      cyberark_authentication:
        state: absent
        cyberark_session: "{{ cyberark_session }}"
failure code
fatal: [localhost]: FAILED! => changed=false
  headers:
    Authorization: VALUE_SPECIFIED_IN_NO_LOG_PARAMETER
    Content-Type: application/json
    User-Agent: CyberArk/1.0 (Ansible; cyberark.pas)
  msg: |-
    Error while performing get_account.Please validate parameters provided.
    *** end_point=********/PasswordVault/api/accounts?filter=safeName%20eq%20T-LINUX-ROOT&search=srv9999.localdns.nl
     ==> HTTP Error 401: Unauthorized
  status_code: 401
Examples referencing "cyberark_credential" instead of "cyberark.pas.cyberark_credential". This is causing the prior module located at "https://github.com/cyberark/ansible-modules" to be loaded resulting in failures.
Based on the community decision to use true/false for boolean values in documentation and examples, we ask that you evaluate booleans in this collection and consider changing any that do not use true/false (lowercase).
See documentation block format for more info (specifically, option defaults).
If you have already implemented this or decide not to, feel free to close this issue.
P.S. This is auto-generated issue, please raise any concerns here
We noticed now we have turned on two factor we have a problem with the module timing out before we have pressed the push notification.
Adding a timeout option to the authentication module.
N/A
I have a pull request that will fix this.
Attempting to use collection version 1.1 with cyberark_account after a successful cyberark_authentication results in an error with AttributeError: 'module' object has no attribute 'parse'
- name: Logon to CyberArk Vault using PAS Web Services SDK
  cyberark_authentication:
    api_base_url: "https://{{ cal_host }}"
    validate_certs: no
    username: "{{ cal_login }}"
    password: "{{ cal_password }}"
- name: Debug message
  debug:
    var: cyberark_session
- name: Account
  cyberark_account:
    identified_by: "address,username"
    safe: "{{ cal_safe }}"
    address: "https://{{ cal_host }}"
    username: "{{ cal_username }}"
    platform_id: "{{ cal_platformID }}"
    secret: "{{ cal_mdp }}"
    platform_account_properties:
    secret_management:
      automatic_management_enabled: true
    state: present
    cyberark_session: "{{ cyberark_session }}"
  register: cyberarkaction
Account not created
The full traceback is:
Traceback (most recent call last):
File "/var/lib/awx/.ansible/tmp/ansible-tmp-1642154834.93-59714490798091/AnsiballZ_cyberark_account.py", line 114, in
_ansiballz_main()
File "/var/lib/awx/.ansible/tmp/ansible-tmp-1642154834.93-59714490798091/AnsiballZ_cyberark_account.py", line 106, in _ansiballz_main
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
File "/var/lib/awx/.ansible/tmp/ansible-tmp-1642154834.93-59714490798091/AnsiballZ_cyberark_account.py", line 49, in invoke_module
imp.load_module('main', mod, module, MOD_DESC)
File "/tmp/ansible_cyberark_account_payload_FhlQ9s/main.py", line 1378, in
File "/tmp/ansible_cyberark_account_payload_FhlQ9s/main.py", line 1326, in main
File "/tmp/ansible_cyberark_account_payload_FhlQ9s/main.py", line 1108, in get_account
AttributeError: 'module' object has no attribute 'parse'
fatal: [localhost]: FAILED! => {
"changed": false,
"module_stderr": "Traceback (most recent call last):\n File \"/var/lib/awx/.ansible/tmp/ansible-tmp-1642154834.93-59714490798091/AnsiballZ_cyberark_account.py\", line 114, in \n _ansiballz_main()\n File \"/var/lib/awx/.ansible/tmp/ansible-tmp-1642154834.93-59714490798091/AnsiballZ_cyberark_account.py\", line 106, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/var/lib/awx/.ansible/tmp/ansible-tmp-1642154834.93-59714490798091/AnsiballZ_cyberark_account.py\", line 49, in invoke_module\n imp.load_module('main', mod, module, MOD_DESC)\n File \"/tmp/ansible_cyberark_account_payload_FhlQ9s/main.py\", line 1378, in \n File \"/tmp/ansible_cyberark_account_payload_FhlQ9s/main.py\", line 1326, in main\n File \"/tmp/ansible_cyberark_account_payload_FhlQ9s/main.py\", line 1108, in get_account\nAttributeError: 'module' object has no attribute 'parse'\n",
"module_stdout": "",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 1
}
1.1
RHEL7
python2
library does not exist in path
https://github.com/cyberark/ansible-aim-provider is not a part of the cyberark.pas collection.
It should be added as a role.
n/a
n/a
Hi,
Currently, cyberark_account.py does not work out of the box when downloaded from Galaxy.
The latest commit fa1c6ed seems to fix those issues, but is not included in v.1.0.5 of the cyberark.pas collection on Galaxy.
Could you update the collection ?
Best,
pint2oo
cc @cyberark-bizdev @enunez-cyberark @erasmix
Since CyberArk Version 10 a new API Version was introduced and should be used.
This affects for example the cyberark_authentication module and many others.
V10.x and above Logon example
Actually there's only API Version integrated and no longer supported (CyberArk Version 9.x is outdated which had API V1).
When will this be updated?
For Red Hat Ansible certification, collections must now have a "requires_ansible" value of ">=2.14.0" or above. This is because all lower versions of Ansible are now EoL and unsupported. See the Red Hat Ansible Life Cycle doc here.
N/A
N/A
N/A
N/A
1.0.25 collection release
Automation Hub
This is a gate for certification, so any releases not containing this change will be rejected.
Hello,
I'm trying to get an update of an existing User Account in our Cyberark Vault to work. The Creation of the Account works fine. But when I try to update the Secret manually, I receive the following Error.
"msg": "Error while performing update_account.Please validate parameters provided.\n*** end_point=********/PasswordVault/api/Accounts/36_9\n ==> {'ErrorCode': 'PASWS125E', 'ErrorMessage': \"Property 'secretmanagement' cannot be added\"}",
The Payload looks like this:
"payload": [
    {
        "op": "replace",
        "path": "/secretManagement",
        "value": {
            "manualManagementReason": "Test"
        }
    }
It seems to me, that the URL + Endpoint is concatenated wrongly by the account module. Following the API Documentation, the path should be /secretManagement/manualManagementReason and the Value alone should be "Test".
Here's my Playbook Code (The Authentication is excluded):
- name: Create Account
  cyberark_account:
    username: "UsertoUpdate"
    address: "Testserver"
    secret: "InitialPassword"
    logging_level: INFO
    state: present
    safe: "CUSA_Linux"
    platform_id: "CUSA_Linux_unmanaged"
    cyberark_session: "{{ cyberark_session }}"
    secret_management:
      automatic_management_enabled: false
  register: cyberark_account_creation
- name: Update Account
  cyberark_account:
    username: "UsertoUpdate"
    address: "Testserver"
    logging_level: DEBUG
    state: present
    safe: "CUSA_Linux"
    platform_id: "CUSA_Linux_unmanaged"
    cyberark_session: "{{ cyberark_session }}"
    secret_management:
      automatic_management_enabled: false
      manual_management_reason: "Test"
      new_secret: "ChangedPassword"
  register: cyberark_account_update
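One way to produce the per-property payload described above, as an added example that is not the collection's code. leaf_patch_ops is a hypothetical helper and the account dictionaries are constructed; choosing add versus replace follows RFC 6902 and is an assumption, not something confirmed for the CyberArk API.

```python
_MISSING = object()

# The shape the issue reports as rejected with PASWS125E: one operation whose
# value is a whole object (copied from the payload quoted in the issue).
OBJECT_LEVEL_PAYLOAD = [
    {"op": "replace", "path": "/secretManagement",
     "value": {"manualManagementReason": "Test"}}
]


def _escape(token):
    """Escape one JSON Pointer reference token (RFC 6901): '~' then '/'."""
    return token.replace("~", "~0").replace("/", "~1")


def leaf_patch_ops(current, desired, base=""):
    """Return JSON Patch operations that move `current` towards `desired`.

    Objects present on both sides are walked, so each operation targets a
    single property. Unchanged properties produce no operation, and keys that
    exist only in `current` are left untouched (nothing is removed).
    """
    ops = []
    for key in sorted(desired):
        path = "%s/%s" % (base, _escape(key))
        want = desired[key]
        have = current.get(key, _MISSING)
        if have is _MISSING:
            # RFC 6902: "replace" needs an existing target, so a new member is
            # added. Assumption: not verified against the CyberArk API.
            ops.append({"op": "add", "path": path, "value": want})
        elif isinstance(want, dict) and isinstance(have, dict):
            ops.extend(leaf_patch_ops(have, want, path))
        elif have != want:
            ops.append({"op": "replace", "path": path, "value": want})
    return ops


# Constructed account state, using the field names seen in the module output.
CURRENT = {
    "secretManagement": {
        "automaticManagementEnabled": False,
        "manualManagementReason": "Initial",
    },
    "platformAccountProperties": {"Location": "foo"},
}
DESIRED = {
    "secretManagement": {
        "automaticManagementEnabled": False,
        "manualManagementReason": "Test",
    },
    "platformAccountProperties": {"Location": "foo", "CustomIP": "1.2.3.4"},
}

if __name__ == "__main__":
    import json
    print(json.dumps(leaf_patch_ops(CURRENT, DESIRED), indent=2))
```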
Dear maintainers,
This is important for your collections!
In accordance with the Community decision, we have created the news-for-maintainers repository for announcements of changes impacting collection maintainers (see the examples) instead of Issue 45 that will be closed soon.
Watch button in the upper right corner on the repository's home page.
Issues.
Also we would like to remind you about the Bullhorn contributor newsletter which has recently started to be released weekly. To learn what it looks like, see the past releases. Please subscribe and talk to the Community via Bullhorn!
Join us in #ansible-social (for news reporting & chat), #ansible-community (for discussing collection & maintainer topics), and other channels on Matrix/IRC.
Help the Community and the Steering Committee to make right decisions by taking part in discussing and voting on the Community Topics that impact the whole project and the collections in particular. Your opinion there will be much appreciated!
Thank you!
There is no support currently for having multiple sessions.
Seems to be a bug in the code:
concurrentSessions is not a valid body parameter for the API (v2).
The field name is concurrentSession (without 's').
Try to use concurrentsessions in a play, does not work.
Multiple sessions allowed by same user
Session is logged out when another token is requested
v12.1
I'm getting these warnings when building ansible 2.10:
/usr/lib/python3.8/site-packages/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py:532: SyntaxWarning: 'str' object is not callable; perhaps you missed a comma?
/usr/lib/python3.8/site-packages/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py:573: SyntaxWarning: 'str' object is not callable; perhaps you missed a comma?
/usr/lib/python3.8/site-packages/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py:634: SyntaxWarning: 'str' object is not callable; perhaps you missed a comma?
Could you please check this?
https://raw.githubusercontent.com/cyberark/ansible-security-automation-collection/master/docs/images/full-cyberark-logo.jpg
and
https://raw.githubusercontent.com/cyberark/ansible-security-automation-collection/master/docs/images/cyberark_logo.jpg
are named as JPEG files, but are really PNGs.
Steps to reproduce the behavior:
They're named *.png or they're JPEG files.
/dev/stdin: PNG image data, 200 x 200, 8-bit/color RGB, non-interlaced
main branch as of posting
SSH key cannot be deleted using cyberark.pas.cyberark_account module, task fails.
Use cyberark_account module to delete an ssh key from the Vault:
- name: "Delete SSH key"
  cyberark.pas.cyberark_account:
    identified_by: "address,username,platform_id"
    username: "{{ user }}"
    address: "{{ address }}"
    safe: "{{ safe_name }}"
    platform_id: "{{ platform_id }}"
    secret_type: "key"
    state: absent
    cyberark_session: "{{ cyberark_session }}"
{
"ErrorCode": "PASWS056E",
"ErrorMessage": "The account is not valid for delete"
}
cyberark.pas collection version 1.0.13
v12.2
According to this answer on Cyberark Technical Community, v10 pvwa api isn't able to delete ssh keys.
Deletion works using v9 api and uri module. Here is my workaround:
- name: "Get ssh key id"
  cyberark.pas.cyberark_account:
    identified_by: "address,username,platform_id"
    username: "{{ user }}"
    address: "{{ address }}"
    safe: "{{ safe_name }}"
    platform_id: "{{ platform_id }}"
    secret_type: "key"
    state: present
    cyberark_session: "{{ cyberark_session }}"
  register: getaction
- name: "Delete ssh key"
  uri:
    url: "https://{{ pvwa_url }}/PasswordVault/WebServices/PIMServices.svc/Accounts/{{ getaction.result.result.id }}"
    method: DELETE
    validate_certs: yes
    return_content: yes
    headers:
      Authorization: "{{ cyberark_session.token }}"
    status_code: 200
Hi Team,
I am unable to add an account using the cyberark account module; the error says "'Missing Mandatory parameter: [AccountDetails].'" Could you please check and let me know if I missed anything on this.
Ansible version I have used: ansible [core 2.13.10]
cyberark module version : 1.0.19
ansible code:
- name: Logon - Not use_shared_logon_authentication
  cyberark_authentication:
    api_base_url: https://pv.test.com/
    username: "test user"
    password: "test123"
    use_radius_authentication: yes
- debug:
    msg: "{{ cyberark_session }}"
- name: Creating an Account using the PAS WebServices SDK
  cyberark_account:
    logging_level: DEBUG
    identified_by: "address,username,platform_id"
    safe: "IT_Infrastructure"
    address: "cyberark.local"
    username: "test account"
    platform_id: test account
    secret: "@N&Ibl3!"
    platform_account_properties:
      LogonDomain: "test account"
      OwnerName: "test user"
    secret_management:
      automatic_management_enabled: true
    state: present
    cyberark_session: "{{ cyberark_session }}"
  register: cyberarkaction
Error while running the playbook:
"msg": "Error while performing add_account.Please validate parameters provided.\n*** end_point=********/PasswordVault/api/Accounts\n ==> {'ErrorCode': 'PASWS017E', 'ErrorMessage': 'Missing Mandatory parameter: [AccountDetails].'}",
According to the Authentication documentation, it says it supports LDAP. I don't see an option on how to use the module while using an LDAP account. I took a look at the Python module and only see support for Shared Auth and CyberArk Auth.
Provide brief overview and context for the discovered bug.
Using the cyberark_account certified collection throws an error stating the urllib is missing the attribute quote
ansible-galaxy collection install cyberark.pas:1.0.5
- name: Logon to CyberArk Vault using PAS Web Services SDK
  cyberark.pas.cyberark_authentication:
    api_base_url: "http://components.cyberark.local"
    validate_certs: no
    username: "bizdev"
    password: "Cyberark1"
- name: Creating an Account using the PAS WebServices SDK
  cyberark.pas.cyberark_account:
    logging_level: DEBUG
    identified_by: "address,username"
    safe: "Test"
    address: "cyberark.local"
    username: "administrator-x"
    platform_id: WinServerLocal
    secret: "@N&Ibl3!"
    platform_account_properties:
      LogonDomain: "cyberark"
      OwnerName: "ansible_user"
    secret_management:
      automatic_management_enabled: true
    state: present
    cyberark_session: "{{ cyberark_session }}"
  register: cyberarkaction
Module runs successfully and the account is created
Traceback (most recent call last):
File "/var/lib/awx/.ansible/tmp/ansible-tmp-1621636925.806195-27-106588692905683/AnsiballZ_cyberark_account.py", line 102, in <module>
_ansiballz_main()
File "/var/lib/awx/.ansible/tmp/ansible-tmp-1621636925.806195-27-106588692905683/AnsiballZ_cyberark_account.py", line 94, in _ansiballz_main
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
File "/var/lib/awx/.ansible/tmp/ansible-tmp-1621636925.806195-27-106588692905683/AnsiballZ_cyberark_account.py", line 40, in invoke_module
runpy.run_module(mod_name='ansible_collections.cyberark.pas.plugins.modules.cyberark_account', init_globals=None, run_name='__main__', alter_sys=True)
File "/usr/lib64/python3.6/runpy.py", line 205, in run_module
return _run_module_code(code, init_globals, run_name, mod_spec)
File "/usr/lib64/python3.6/runpy.py", line 96, in _run_module_code
mod_name, mod_spec, pkg_name, script_name)
File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
exec(code, run_globals)
File "/tmp/ansible_cyberark.pas.cyberark_account_payload_0sethuqa/ansible_cyberark.pas.cyberark_account_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py", line 1378, in <module>
File "/tmp/ansible_cyberark.pas.cyberark_account_payload_0sethuqa/ansible_cyberark.pas.cyberark_account_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py", line 1326, in main
File "/tmp/ansible_cyberark.pas.cyberark_account_payload_0sethuqa/ansible_cyberark.pas.cyberark_account_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_account.py", line 1108, in get_account
AttributeError: module 'urllib' has no attribute 'quote'
What version of the product are you running? Any version info that you can
share is helpful. For example, you might give the version from Docker logs,
the Docker tag, a specific download URL, the output of the /info
route, etc.
1.0.5
Using the upstream version of the collection 1.0.7 results in a new error with api_base_url #31
Cyberark_Account.py uses urllib - specifically for handling HTTP Errors;
Line 378 -
from ansible.module_utils.six.moves.urllib.error import HTTPError
returns the following error; "No name 'urllib' in module '_MovedItems'"
EDA structure requires event_source and event_filter plugins to be under an extensions/eda/event_source or extensions/eda/event_filter respectively. The collection's EDA plugin is currently located under plugins/event_source/syslog.py.
This should be moved to extensions/eda/event_source/syslog.py. See EDA docs here for more info.
N/A
N/A
N/A
N/A
1.0.25 collection release
Collection source
This may result in new failures on Automation Hub, since existing test tooling does not evaluate under the extensions/ directory and there is a separate test process for this content. This is subject to change in the future, but currently we use the common python testing tool tox to perform static code analysis with a set of linters.
The linters used for EDA are: pylint, darglint, and ruff. These linters run specifically over the <root>/extensions/eda/plugins dir or deeper. We have built a tox template you can plug into your CI to mimic the tests on Automation Hub. We highly recommend using this template, as some of these linter tests have been deemed irrelevant for certification and are skipped. The link to the templates and documentation is here: https://github.com/ansible/eda-partner-testing
I'm facing an issue deleting accounts that have very similar parameters (same username, address, safe and platform), and that can't be distinguished except by some parameters in "platform_account_properties", and by their "name".
I have been unable to make "name" work as a value of "identified_by" (API returns a 200 as if the account was already absent), and there is currently no option to give the account's id to the module (despite it being handled by the API).
I would like to be able to delete accounts using either their unique "name" or "id".
I'm reverting back to using the Ansible uri module to send DELETE requests to the API, as described here: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/WebServices/Delete%20Account.htm
The "Big Migration" has now taken place.
As this collection already exists, we need to carefully check to see if any further commits went into devel since this repo was created.
Please check the contents of https://github.com/ansible-collection-migration/skydive.skydive against this repo
In particular:
Unbound error when using use_ldap_authentication parameter for cyberark_authentication.py
ansible-galaxy collection install cyberark.pas:1.0.7
ansible localhost -m cyberark.pas.cyberark_authentication -a "use_ldap_authentication=yes api_base_url=127.0.0.1 username=test password=test"
attempt to auth against the api_base_url with LDAP auth
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: UnboundLocalError: local variable 'payload_dict' referenced before assignment
localhost | FAILED! => {
"changed": false,
"module_stderr": "Traceback (most recent call last):\n File \"/var/tmp/ansible-tmp-1623278552.1340837-70470-37906186035002/AnsiballZ_cyberark_authentication.py\", line 102, in <module>\n _ansiballz_main()\n File \"/var/tmp/ansible-tmp-1623278552.1340837-70470-37906186035002/AnsiballZ_cyberark_authentication.py\", line 94, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/var/tmp/ansible-tmp-1623278552.1340837-70470-37906186035002/AnsiballZ_cyberark_authentication.py\", line 40, in invoke_module\n runpy.run_module(mod_name='ansible_collections.cyberark.pas.plugins.modules.cyberark_authentication', init_globals=None, run_name='__main__', alter_sys=True)\n File \"/usr/lib64/python3.9/runpy.py\", line 210, in run_module\n return _run_module_code(code, init_globals, run_name, mod_spec)\n File \"/usr/lib64/python3.9/runpy.py\", line 97, in _run_module_code\n _run_code(code, mod_globals, init_globals,\n File \"/usr/lib64/python3.9/runpy.py\", line 87, in _run_code\n exec(code, run_globals)\n File \"/tmp/ansible_cyberark.pas.cyberark_authentication_payload_lqtqizuk/ansible_cyberark.pas.cyberark_authentication_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_authentication.py\", line 374, in <module>\n File \"/tmp/ansible_cyberark.pas.cyberark_authentication_payload_lqtqizuk/ansible_cyberark.pas.cyberark_authentication_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_authentication.py\", line 368, in main\n File \"/tmp/ansible_cyberark.pas.cyberark_authentication_payload_lqtqizuk/ansible_cyberark.pas.cyberark_authentication_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_authentication.py\", line 213, in processAuthentication\nUnboundLocalError: local variable 'payload_dict' referenced before assignment\n",
"module_stdout": "",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 1
}
module_stderr:
Traceback (most recent call last):
File "/var/tmp/ansible-tmp-1623278552.1340837-70470-37906186035002/AnsiballZ_cyberark_authentication.py", line 102, in <module>
_ansiballz_main()
File "/var/tmp/ansible-tmp-1623278552.1340837-70470-37906186035002/AnsiballZ_cyberark_authentication.py", line 94, in _ansiballz_main
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
File "/var/tmp/ansible-tmp-1623278552.1340837-70470-37906186035002/AnsiballZ_cyberark_authentication.py", line 40, in invoke_module
runpy.run_module(mod_name='ansible_collections.cyberark.pas.plugins.modules.cyberark_authentication', init_globals=None, run_name='__main__', alter_sys=True)
File "/usr/lib64/python3.9/runpy.py", line 210, in run_module
return _run_module_code(code, init_globals, run_name, mod_spec)
File "/usr/lib64/python3.9/runpy.py", line 97, in _run_module_code
_run_code(code, mod_globals, init_globals,
File "/usr/lib64/python3.9/runpy.py", line 87, in _run_code
exec(code, run_globals)
File "/tmp/ansible_cyberark.pas.cyberark_authentication_payload_lqtqizuk/ansible_cyberark.pas.cyberark_authentication_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_authentication.py", line 374, in <module>
File "/tmp/ansible_cyberark.pas.cyberark_authentication_payload_lqtqizuk/ansible_cyberark.pas.cyberark_authentication_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_authentication.py", line 368, in main
File "/tmp/ansible_cyberark.pas.cyberark_authentication_payload_lqtqizuk/ansible_cyberark.pas.cyberark_authentication_payload.zip/ansible_collections/cyberark/pas/plugins/modules/cyberark_authentication.py", line 213, in processAuthentication
UnboundLocalError: local variable 'payload_dict' referenced before assignment
1.0.7
Potentially an accidental indent here?
https://github.com/cyberark/ansible-security-automation-collection/blob/master/plugins/modules/cyberark_authentication.py#L201
The payload_dict from above hasn't changed in 2 years, but it looks like the conditionals around it have changed quite a bit in the last year:
https://github.com/cyberark/ansible-security-automation-collection/blame/ccea4d8d31e9514ca54c7b494dbf1177f66d81f3/plugins/modules/cyberark_authentication.py#L201
L201 might be out of place and indented to the wrong level based on the new conditionals in the module.
We are running sanity tests across every collection included in the Ansible community package (as part of this issue) and found that ansible-test sanity --docker against cyberark.pas 1.0.13 fails with ansible-core 2.13.0rc1 in ansible 6.0.0a2.
n/a
ansible [core 2.13.0rc1]
1.0.13
ansible-test sanity --docker
Tests are either passing or ignored.
ERROR: Found 29 validate-modules issue(s) which need to be resolved:
ERROR: plugins/modules/cyberark_account.py:0:0: doc-default-does-not-match-spec: Argument 'automatic_management_enabled' in argument_spec found in secret_management defines default as (None) but documentation defines default as (False)
ERROR: plugins/modules/cyberark_account.py:0:0: doc-required-mismatch: Argument 'api_base_url' in argument_spec is not required, but is documented as being required
ERROR: plugins/modules/cyberark_account.py:0:0: doc-required-mismatch: Argument 'logging_level' in argument_spec is not required, but is documented as being required
ERROR: plugins/modules/cyberark_account.py:0:0: doc-required-mismatch: Argument 'state' in argument_spec is not required, but is documented as being required
ERROR: plugins/modules/cyberark_account.py:0:0: invalid-documentation: DOCUMENTATION.version_added: expected str for dictionary value @ data['version_added']. Got 2.4
ERROR: plugins/modules/cyberark_account.py:0:0: invalid-documentation-markup: DOCUMENTATION.options.cyberark_session.description: Directive "M(cyberark_authentication)" must contain a FQCN for dictionary value @ data['options']['cyberark_session']['description']. Got ['Dictionary set by a CyberArk authentication containing the different values to perform actions on a logged-on CyberArk session, please see M(cyberark_authentication) module for an example of cyberark_session.']
ERROR: plugins/modules/cyberark_account.py:0:0: no-default-for-required-parameter: DOCUMENTATION.options.state: Argument is marked as required but specifies a default. Arguments with a default should not be marked as required for dictionary value @ data['options']['state']. Got {'description': ['Assert the desired state of the account C(present) to creat or update and account object. Set to C(absent) for deletion of an account object.'], 'required': True, 'default': 'present', 'choices': ['present', 'absent'], 'type': 'str'}
ERROR: plugins/modules/cyberark_account.py:0:0: no-log-needed: Argument 'secret_management' in argument_spec could be a secret, though doesn't have `no_log` set
ERROR: plugins/modules/cyberark_account.py:0:0: return-syntax-error: RETURN.result.contains.secretManagement.contains: required key not provided @ data['result']['contains']['secretManagement']['contains']. Got None
ERROR: plugins/modules/cyberark_authentication.py:0:0: doc-default-does-not-match-spec: Argument 'concurrentSession' in argument_spec defines default as (False) but documentation defines default as (None)
ERROR: plugins/modules/cyberark_authentication.py:0:0: invalid-documentation: DOCUMENTATION.author: Invalid author for dictionary value @ data['author']. Got ['Edward Nunez (@enunez-cyberark) CyberArk BizDev', 'Cyberark Bizdev (@cyberark-bizdev)', 'Edgar Mota']
ERROR: plugins/modules/cyberark_authentication.py:0:0: invalid-documentation: DOCUMENTATION.version_added: expected str for dictionary value @ data['version_added']. Got 2.4
ERROR: plugins/modules/cyberark_authentication.py:0:0: parameter-type-not-in-doc: Argument 'concurrentSession' in argument_spec defines type as 'bool' but documentation doesn't define type
ERROR: plugins/modules/cyberark_authentication.py:0:0: undocumented-parameter: Argument 'concurrentSession' is listed in the argument_spec, but not documented in the module documentation
ERROR: plugins/modules/cyberark_credential.py:0:0: invalid-documentation: DOCUMENTATION.version_added: expected str for dictionary value @ data['version_added']. Got 2.4
ERROR: plugins/modules/cyberark_credential.py:0:0: no-log-needed: Argument 'client_key' in argument_spec could be a secret, though doesn't have `no_log` set
ERROR: plugins/modules/cyberark_credential.py:0:0: return-syntax-error: RETURN.result.contains.Safe.type: not a valid value for dictionary value @ data['result']['contains']['Safe']['type']. Got 'string'
ERROR: plugins/modules/cyberark_user.py:0:0: doc-default-does-not-match-spec: Argument 'change_password_on_the_next_logon' in argument_spec defines default as (None) but documentation defines default as (False)
ERROR: plugins/modules/cyberark_user.py:0:0: doc-default-does-not-match-spec: Argument 'disabled' in argument_spec defines default as (None) but documentation defines default as (False)
ERROR: plugins/modules/cyberark_user.py:0:0: doc-required-mismatch: Argument 'logging_level' in argument_spec is not required, but is documented as being required
ERROR: plugins/modules/cyberark_user.py:0:0: invalid-documentation: DOCUMENTATION.version_added: expected str for dictionary value @ data['version_added']. Got 2.4
ERROR: plugins/modules/cyberark_user.py:0:0: invalid-documentation-markup: DOCUMENTATION.options.cyberark_session.description: Directive "M(cyberark_authentication)" must contain a FQCN for dictionary value @ data['options']['cyberark_session']['description']. Got ['Dictionary set by a CyberArk authentication containing the different values to perform actions on a logged-on CyberArk session, please see M(cyberark_authentication) module for an example of cyberark_session.']
ERROR: plugins/modules/cyberark_user.py:0:0: no-default-for-required-parameter: DOCUMENTATION.options.logging_level: Argument is marked as required but specifies a default. Arguments with a default should not be marked as required for dictionary value @ data['options']['logging_level']. Got {'description': ['Parameter used to define the level of troubleshooting output to the C(logging_file) value.'], 'required': True, 'choices': ['NOTSET', 'DEBUG', 'INFO'], 'default': 'NOTSET', 'type': 'str'}
ERROR: plugins/modules/cyberark_user.py:0:0: parameter-list-no-elements: Argument 'authorization' in argument_spec defines type as list but elements is not defined
ERROR: plugins/modules/cyberark_user.py:0:0: parameter-list-no-elements: DOCUMENTATION.options.authorization: Argument defines type as list but elements is not defined for dictionary value @ data['options']['authorization']. Got {'description': ['A list of authorization options for this user.', 'Options can include AddSafes and AuditUsers', 'The default provides backwards compatability with older versions of the collection'], 'type': 'list', 'default': ['AddSafes', 'AuditUsers']}
ERROR: plugins/modules/cyberark_user.py:0:0: parameter-type-not-in-doc: Argument 'domain_name' in argument_spec defines type as 'str' but documentation doesn't define type
ERROR: plugins/modules/cyberark_user.py:0:0: parameter-type-not-in-doc: Argument 'member_type' in argument_spec defines type as 'str' but documentation doesn't define type
ERROR: plugins/modules/cyberark_user.py:0:0: undocumented-parameter: Argument 'domain_name' is listed in the argument_spec, but not documented in the module documentation
ERROR: plugins/modules/cyberark_user.py:0:0: undocumented-parameter: Argument 'member_type' is listed in the argument_spec, but not documented in the module documentation
ERROR: The 1 sanity test(s) listed below (out of 43) failed. See error output above for details.
validate-modules
ERROR: Command "podman exec ansible-test-controller-6Yf4ICQQ /usr/bin/env ANSIBLE_TEST_CONTENT_ROOT=/root/ansible_collections/cyberark/pas LC_ALL=en_US.UTF-8 /usr/bin/python3.10 /root/ansible/bin/ansible-test sanity --containers '{}' --skip-test pylint --metadata tests/output/.tmp/metadata-7cv3_z7e.json --truncate 0 --color no --host-path tests/output/.tmp/host-ganac95w" returned exit status 1.
The concurrentSession parameter is not mentioned in the Ansible documentation for the collection:
https://docs.ansible.com/ansible/latest/collections/cyberark/pas/cyberark_authentication_module.html
It is not mentioned in the module's documentation either:
In its stead, there is connection_number which is commented out and not processed by the module:
Adding the concurrentSession parameter in the module documentation, as well as in the official Ansible documentation, and removing connection_number as it is not functional.
Provide a brief overview and context for the discovered bug.
When we try to update the "Remote Machines" of an existing account, the task failed with the following message.
"msg": "Error while performing update_account.Please validate parameters provided.\n*** end_point=********/PasswordVault/api/Accounts/70_8\n ==> {'ErrorCode': 'PASWS125E', 'ErrorMessage': \"Property 'remotemachinesaccess' cannot be added\"}",
1.1.1.1, 2.2.2.2, 3.3.3.3
).4.4.4.4
- name: Logon to CyberArk Vault using PAS Web Services SDK
  delegate_to: localhost
  cyberark.pas.cyberark_authentication:
    api_base_url: "{{ lookup('ansible.builtin.env', 'CYBERARK_VAULT_URL') }}"
    validate_certs: false
    username: "{{ lookup('ansible.builtin.env', 'CYBERARK_AUTH_USERNAME') }}"
    password: "{{ lookup('ansible.builtin.env', 'CYBERARK_AUTH_PASSWORD') }}"
    use_ldap_authentication: true
  no_log: true
- name: Updating the account with new remote_machines
  block:
    - name: Update Account using the PAS WebServices SDK
      delegate_to: localhost
      cyberark.pas.cyberark_account:
        safe: "{{ cyberark_safe_name }}"
        address: "{{ cyberark_entry_address }}"
        username: "{{ cyberark_account_username }}"
        platform_id: "{{ cyberark_platform_id }}"
        remote_machines_access:
          remote_machines: "4.4.4.4"
        state: present
        cyberark_session: "{{ cyberark_session }}"
      register: cyberark_action
  always:
    - name: Logoff from CyberArk Vault
      delegate_to: localhost
      cyberark.pas.cyberark_authentication:
        state: absent
        cyberark_session: "{{ cyberark_session }}"
A clear and concise description of what you expected to happen.
The new IP address (eg: 4.4.4.4) should be appended to the remote machines list. (eg: 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4).
A clear and concise description of what did happen. Include logs and
screens shots, whenever possible
{
"payload": [
{
"op": "replace",
"path": "/remoteMachinesAccess",
"value": {
"remoteMachines": "4.4.4.4"
}
}
],
"headers": {
"Content-Type": "application/json",
"Authorization": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"User-Agent": "CyberArk/1.0 (Ansible; cyberark.pas)"
},
"status_code": 400,
"msg": "Error while performing update_account.Please validate parameters provided.\n*** end_point=********/PasswordVault/api/Accounts/70_8\n ==> {'ErrorCode': 'PASWS125E', 'ErrorMessage': \"Property 'remotemachinesaccess' cannot be added\"}",
"invocation": {
"module_args": {
"safe": "<removed>",
"address": "example.com",
"username": "demouser",
"platform_id": "DEMO_SSH_ANSIBLE",
"remote_machines_access": {
"remote_machines": "10.1.10.11",
"access_restricted_to_remote_machines": true
},
"state": "present",
"cyberark_session": {
"token": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"api_base_url": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"validate_certs": false
},
"logging_file": "/tmp/ansible_cyberark.log",
"validate_certs": true,
"identified_by": "username,address,platform_id",
"secret_type": "password",
"logging_level": null,
"api_base_url": null,
"name": null,
"secret": null,
"new_secret": null,
"secret_management": null,
"platform_account_properties": null
}
},
"_ansible_no_log": null,
"changed": false,
"_ansible_delegated_vars": {
"ansible_host": "localhost",
"ansible_port": null,
"ansible_user": "admin",
"ansible_connection": "local"
}
}
I was wondering if there is a way to link accounts when creating new objects in. For example login accounts.
Need to be able to point to alternate sites on the CCP to allow for different authentication settings. Some applications require a client certificate while others are not able to leverage a certificate. This connector as written forces me to install two separate CCPs to support all my applications instead of just adding a second security configuration per the documentation; I have to have one CCP to require client certs and another that doesn't.