PsPAS

PowerShell module for CyberArk Privileged Access Security REST API


psPAS: PowerShell Module for the CyberArk API

Administer CyberArk PAS with PowerShell!

Docs: https://pspas.pspete.dev



Usage

Authenticate

Everything begins with a Logon:

To submit a logon request to the CyberArk API, use the psPAS New-PASSession command.

All subsequent operations carried out by psPAS use the input data provided for the New-PASSession request (URL, Certificate), as well as data received from the API after successful authentication (Authentication Token, PVWA Version).

CyberArk Authentication

  • Use a PowerShell credential object containing a valid vault username and password.
$cred = Get-Credential

PowerShell credential request
Enter your credentials.
User: safeadmin
Password for user safeadmin: **********


New-PASSession -Credential $cred -BaseURI https://pvwa.somedomain.com

LDAP Authentication

  • Specify LDAP credentials allowed to authenticate to the vault.
$cred = Get-Credential

PowerShell credential request
Enter your credentials.
User: xApprover_1
Password for user xApprover_1: **********


New-PASSession -Credential $cred -BaseURI https://pvwa.somedomain.com -type LDAP

Get-PASLoggedOnUser

UserName    Source UserTypeName AgentUser Expired Disabled Suspended
--------    ------ ------------ --------- ------- -------- ---------
xApprover_1 LDAP   EPVUser      False     False   False    False

RADIUS Authentication

$cred = Get-Credential

PowerShell credential request
Enter your credentials.
User: DuoUser
Password for user DuoUser: **********


New-PASSession -Credential $cred -BaseURI https://pvwa.somedomain.com -type RADIUS -OTP 123456

Get-PASLoggedOnUser

UserName Source UserTypeName AgentUser Expired Disabled Suspended
-------- ------ ------------ --------- ------- -------- ---------
DuoUser  LDAP   EPVUser      False     False   False    False

SAML Authentication

SAML SSO authentication using IWA and ADFS can be performed:

New-PASSession -BaseURI $url -SAMLAuth

Where IWA SSO is not possible, the PS-SAML-Interactive module can be used to get the SAMLResponse from an authentication service.

The SAMLResponse received from the IdP is sent to the API to complete SAML authentication.

Import-Module -Name 'C:\PS-SAML-Interactive.psm1'

$loginURL = 'https://company.okta.com/home/app1/0oa11xddwdzhvlbiZ5d7/aln1k2HsUl5d7'
$baseURL = 'https://pvwa.mycompany.com'

$loginResponse = New-SAMLInteractive -LoginIDP $loginURL

New-PASSession -SAMLAuth -concurrentSession $true -BaseURI $baseURL -SAMLResponse $loginResponse

Certificate Authentication

  • Where PVWA/IIS requires client certificates, 'psPAS' will use any specified certificates for the duration of the session.

PKI Authentication Example:

Add-Type -AssemblyName System.Security
# Get Valid Certs
$MyCerts = [System.Security.Cryptography.X509Certificates.X509Certificate2[]](Get-ChildItem Cert:\CurrentUser\My)
# Select Cert
$Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2UI]::SelectFromCollection(
    $MyCerts,
    'Choose a certificate',
    'Choose a certificate',
    'SingleSelection'
) | Select-Object -First 1

New-PASSession -Credential $cred -BaseURI $url -type PKI -Certificate $Cert

Shared Authentication Example:

$Cert = "0E199489C57E666115666D6E9990C2ACABDB6EDB"
New-PASSession -UseSharedAuthentication -BaseURI https://pvwa.somedomain.com -CertificateThumbprint $Cert

Shared Services Authentication

Privilege Cloud Shared Services authentication flows require the pspete IdentityCommand module, available from the PowerShell Gallery & GitHub.

Identity User

Provide Identity User credentials and tenant details for authentication to CyberArk Identity for Privilege Cloud Shared Services:

#using URL
New-PASSession -IdentityTenantURL https://SomeTenantName.id.cyberark.cloud -PrivilegeCloudURL https://SomeTenant.privilegecloud.cyberark.cloud -Credential $Cred -IdentityUser
#using subdomain
New-PASSession -TenantSubdomain SomeTenantName -Credential $Cred -IdentityUser

Service User

Provide tenant ID and non-interactive API User credentials for authentication via CyberArk Identity for Privilege Cloud Shared Services:

New-PASSession -TenantSubdomain YourPrivilegeCloudTenantID -Credential $ServiceUserCreds -ServiceUser

Consult the vendor documentation for guidance on setting up a dedicated API Service user for non-interactive API use.

Basic Operations

Search

Safes
  • Get information relating to Safes you have access to:
Get-PASSafe -search _YZO

SafeName           ManagingCPM     NumberOfDaysRetention NumberOfVersionsRetention Description
--------           -----------     --------------------- ------------------------- -----------
1_TestSafe_096_YZO PasswordManager                       3                         TestSafe: 1_TestSafe_096_YZO
1_TestSafe_100_YZO PasswordManager                       3                         TestSafe: 1_TestSafe_100_YZO
3_TestSafe_058_YZO PasswordManager                       3                         TestSafe: 3_TestSafe_058_YZO
3_TestSafe_068_YZO PasswordManager                       3                         TestSafe: 3_TestSafe_068_YZO
3_TestSafe_069_YZO PasswordManager                       3                         TestSafe: 3_TestSafe_069_YZO
2_TestSafe_090_YZO PasswordManager                       3                         TestSafe: 2_TestSafe_090_YZO
1_TestSafe_067_YZO PasswordManager                       3                         TestSafe: 1_TestSafe_067_YZO

Safe Members

  • Find Safe Members:
Get-PASSafeMember -SafeName 1_TestSafe_067_YZO -search Usr

UserName                     SafeName           Permissions
--------                     --------           -----------
ACC-G-1_TestSafe_067_YZO-Usr 1_TestSafe_067_YZO @{useAccounts=True; retrieveAccounts=True; listAccounts=True; addAccounts=False;.....
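Added example (not from the psPAS README): a read-only review that combines the logon, safe search and safe member commands shown above to list which members can use, retrieve or add accounts, then logs off. The URL and search string are the page's sample values, and the list of permissions treated as sensitive is a choice made for this example.

```powershell
# Added example: report safe members holding secret-handling permissions.
# Assumptions: sample PVWA URL and search string from the page; the
# $sensitive list is this example's own choice of permissions to flag.
Import-Module psPAS

$baseUri   = 'https://pvwa.somedomain.com'
$sensitive = 'useAccounts', 'retrieveAccounts', 'addAccounts'

$cred = Get-Credential
New-PASSession -Credential $cred -BaseURI $baseUri -type LDAP

try {
    $report = foreach ($safe in Get-PASSafe -search '_YZO') {
        try {
            $members = Get-PASSafeMember -SafeName $safe.SafeName -ErrorAction Stop
        }
        catch {
            # The logged-on user may not be allowed to list members of every safe
            Write-Warning "Skipping $($safe.SafeName): $($_.Exception.Message)"
            continue
        }

        foreach ($member in $members) {
            # Permissions is an object of boolean properties (see the output above)
            $granted = $sensitive | Where-Object { $member.Permissions.$_ -eq $true }
            if ($granted) {
                [pscustomobject]@{
                    SafeName = $member.SafeName
                    UserName = $member.UserName
                    Granted  = $granted -join ', '
                }
            }
        }
    }

    $report | Sort-Object SafeName, UserName | Format-Table -AutoSize
}
finally {
    # Always log off so the authentication token does not outlive the review
    Close-PASSession
}
```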

Users
  • Query for Vault Users:
Get-PASUser -Search xap

ID  UserName    Source UserType ComponentUser Location
--  --------    ------ -------- ------------- --------
657 xApprover_A LDAP   EPVUser  False         \psPETE\Users
658 xApprover_1 LDAP   EPVUser  False         \psPETE\Users
659 xApprover_B LDAP   EPVUser  False         \psPETE\Users
660 xApprover_2 LDAP   EPVUser  False         \psPETE\Users
661 xApprover_C LDAP   EPVUser  False         \psPETE\Users
662 xApprover_3 LDAP   EPVUser  False         \psPETE\Users

Accounts
  • Return Account data:
Get-PASAccount -SafeName "3_TestSafe_028_XYJ" -search sbwudlov

AccountID                 : 286_4
Safe                      : 3_TestSafe_028_XYJ
address                   : SOMEDOMAIN.COM
userName                  : sbwudlov
name                      : Operating System-Z_WINDOMAIN_OFF-SOMEDOMAIN.COM-sbwudlov
platformId                : Z_WINDOMAIN_OFF
secretType                : password
p
Security Score

100/100

Audited on Mar 27, 2026

No findings