CyberArk Application Access Manager Client Library for Python 3

This project simplifies the interaction between a Python 3 application or script and CyberArk's Application Access Manager's Credential Provider using the appropriate CLIPasswordSDK executable for the Operating System being used. By simplifying this process, developers are only required to change four (4) lines of code in their Python 3 applications and scripts to securely retrieve privileged secrets from CyberArk's Privileged Access Security (PAS) Core Solution as opposed to thirty or more (30+) without the use of this provided Client Library.

• Added support for custom service path during initialization of the CCPPasswordREST() class. See documentation below for more details.

• Install
  • Credential Provider (CLIPasswordSDK) Method
  • Centralized Credential Provider (CCPPasswordREST) Method
  • Windows
    • Install Latest Python 3
    • Install pyAIM via Pip
  • Linux
    • Ubuntu/Debian
      • Install Latest Python 3
      • Install pyAIM via Pip
    • RHEL/CentOS
      • Install Latest Python 3
        • RHEL
        • CentOS
      • Install pyAIM via Pip
  • MacOS
  • Z/OS
    • Install Latest Python 3
    • Install pyAIM via Pip
• Usage
  • Check AIMWebService Availability - check_service()
    • Centralized Credential Provider (CCPPasswordREST) Method
  • Retrieve Account - GetPassword()
    • Credential Provider (CLIPasswordSDK) Method
      • Supported Parameters
        • Query Parameters
      • Example
    • Centralized Credential Provider (CCPPasswordREST) Method
      • Supported Parameters
        • CCPPasswordREST()
        • Query Parameters
      • Example
      • Example with Client Certificate Authentication
      • Example with Custom Service Path
• Maintainer
• Contributing
• License

• CyberArk Application Access Manager Credential Provider installed locally.

• CyberArk Application Access Manager Centralized Credential Provider and AIMWebService

For information on how to install either of these providers, please refer to CyberArk's Application Access Manager Installation Guide or reach out to your assigned Customer Success Technical Advisor.

Install the Python 3 release for Windows

> pip3 install pyaim

$ sudo apt install -y python3 python3-pip

$ pip3 install pyaim

Follow the EPEL Documentation to ensure you have the EPEL Release repository available.

$ sudo yum install -y https://rhel7.iuscommunity.org/ius-release.rpm

$ sudo yum update

$ sudo yum install -y python36u python36u-libs python36u-devel python36u-pip

$ sudo yum install -y https://centos7.iuscommunity.org/ius-release.rpm

$ sudo yum update

$ sudo yum install -y python36u python36u-libs python36u-devel python36u-pip

$ pip3 install pyaim

No support provided yet.

pyAIM is untested on Z/OS but should work in theory.

Rocket Software has ported Python 2 and 3 for Z/OS

$ pip3 install pyaim

from pyaim import CCPPasswordREST

aimccp = CCPPasswordREST('https://ccp.cyberarkdemo.example', verify=True) # set verify=False to ignore SSL
service_status = aimccp.check_service()
print(service_status)

• appid (required)
• safe (required)
• folder (default: root)
• object (this or username required)
• username (this or object required)
• address
• database
• policyid
• reason
• query_format (default: 1)
• connport
• sendhash (default: False)
• output (default: Password)
• delimiter (default: ,)
• dual_accounts (default: False)

For compatibility with Dual Accounts where you are referencing a VirtualUsername - use the username parameter and ensure dual_accounts=True.

from pyaim import CLIPasswordSDK

aimcp = CLIPasswordSDK('/opt/CARKaim/sdk/clipasswordsdk')
response = aimcp.GetPassword(appid='appID',safe='safeName',object='objectName',output='PassProps.Username,Password',delimiter='|')

print('Full Response: {}'.format(response))
print('Username: {}'.format(response['PassProps.Username']))
print('Password: {}'.format(response['Password']))

• url (required)
• verify (default: True)
• cert (default: None)
• timeout (default: 30)

• appid (required)
• safe (required)
• folder (default: root)
• object (this or username required)
• username (this or object required)
• address
• database
• policyid
• reason
• query_format (default: exact)
• dual_accounts (default: False)

For compatibility with Dual Accounts where you are referencing a VirtualUsername - use the username parameter and ensure dual_accounts=True.

from pyaim import CCPPasswordREST

# set verify=False to ignore SSL
aimccp = CCPPasswordREST('https://ccp.cyberarkdemo.example', 'AIMWebService', verify=True, timeout=10)

service_status = aimccp.check_service()

if service_status == 'SUCCESS: AIMWebService Found. Status Code: 200':
    response = aimccp.GetPassword(appid='appid',safe='safe',object='objectName',reason='Reason message')
    print('Full Python Object: {}'.format(response))
    print('Username: {}'.format(response['Username']))
    print('Password: {}'.format(response['Content']))
else:
    raise Exception(service_status)

from pyaim import CCPPasswordREST

# set verify=False to ignore SSL
aimccp = CCPPasswordREST('https://ccp.cyberarkdemo.example', verify=True, cert=('/path/to/cert.pem', '/path/to/key.pem'))

...

from pyaim import CCPPasswordREST

# set verify=False to ignore SSL
aimccp = CCPPasswordREST('https://ccp.cyberarkdemo.example', 'AIMWebServiceDEV', verify=True)

...

@infamousjoeg

Contributions are open! Check out CONTRIBUTING.md for more details!

MIT