https://github.com/infamousjoeg/cybr-cli

A "Swiss Army Knife" command-line interface (CLI) for easy human and non-human interaction with @CyberArk suite of products.

cli client-library command-line command-line-interface command-line-tool conjur cyberark cyberark-identity cyberark-pas go golang iam identity-security pas-api privileged-access-security security


# cybr-cli

![image](https://github.com/infamousjoeg/cybr-cli/assets/1924063/ff018174-2880-46f1-bd24-3262d1276b41)

A "Swiss Army Knife" command-line interface (CLI) for easy human and non-human interaction with CyberArk's suite of products.

Current products supported:
* CyberArk Identity Security Platform Shared Services (ISPSS)
* CyberArk Privilege Cloud SaaS
* CyberArk Self-Hosted Privileged Access Manager (PAM)
* CyberArk Secrets Manager Central Credential Provider (CCP)
* CyberArk Conjur Secrets Manager Enterprise & [Open Source](https://conjur.org)
* CyberArk Cloud Entitlements Manager ([Free trial](https://www.cyberark.com/try-buy/cloud-entitlements-manager/))

**Want to get dangerous quickly?** Check out the example bash script at [dev/add-delete-pas-application.sh](dev/add-delete-pas-application.sh).

[![cybr-cli CI](https://github.com/infamousjoeg/cybr-cli/workflows/cybr-cli%20CI/badge.svg)](https://github.com/infamousjoeg/cybr-cli/actions?query=workflow%3A%22cybr-cli+CI%22) [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=infamousjoeg_pas-api-go&metric=alert_status)](https://github.com/infamousjoeg/cybr-cli/actions?query=workflow%3ALint) [![CodeQL](https://github.com/infamousjoeg/cybr-cli/workflows/CodeQL/badge.svg)](https://github.com/infamousjoeg/cybr-cli/actions?query=workflow%3ACodeQL) [![](https://img.shields.io/github/downloads/infamousjoeg/cybr-cli/latest/total?color=blue&label=Download%20Latest%20Release&logo=github)](https://github.com/infamousjoeg/cybr-cli/releases/latest)

## Table of Contents

- [Install](#install)
  - [MacOS](#macos)
  - [Windows](#windows)
  - [Linux](#linux)
  - [AWS CloudShell](#aws-cloudshell)
  - [Install from Source](#install-from-source)
- [Usage](#usage)
  - [Authenticating with authn-iam (AWS IAM Role Authentication)](#authenticating-with-authn-iam-aws-iam-role-authentication)
  - [Authenticating to Privilege Cloud via ISPSS (Identity)](#authenticating-to-privilege-cloud-via-ispss-identity)
    - [Password Authentication](#password-authentication)
    - [MFA Authentication](#mfa-authentication)
  - [Documentation](#documentation)
- [Autocomplete](#autocomplete)
- [Example Source Code](#example-source-code)
  - [Logon to the PAS REST API Web Service](#logon-to-the-pas-rest-api-web-service)
- [Security](#security)
  - [`cybr safes add-member --role` Role Permissions](#cybr-safes-add-member---role-role-permissions)
- [Testing](#testing)
- [Maintainers](#maintainers)
- [Contributions](#contributions)
- [License](#license)

## Install

### MacOS

```shell
$ brew tap infamousjoeg/tap
$ brew install cybr-cli
```

### Windows

```shell
$ winget install InfamousJoeG.cybr-cli
```

### Linux

Download from the [Releases](https://github.com/infamousjoeg/cybr-cli/releases) page.

### AWS CloudShell

```shell
mkdir -p ~/.local/bin && \
curl --silent "https://api.github.com/repos/infamousjoeg/cybr-cli/releases/latest" |
grep '"tag_name":' |
sed -E 's/.*"([^"]+)".*/\1/' |
xargs -I {} curl -o ~/.local/bin/cybr -sL "https://github.com/infamousjoeg/cybr-cli/releases/download/"{}'/linux_cybr' && \
chmod +x ~/.local/bin/cybr
```
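
The one-liner above installs whatever the latest release is and marks it executable without checking it. The following added example (not from the cybr-cli project) pins a release tag and installs the binary only if its SHA-256 matches a value you recorded from a trusted copy; the function names and the `TAG` / `EXPECTED_SHA256` values are placeholders introduced here.

```shell
# Added example, not part of cybr-cli. Function names are hypothetical.

# fetch_release TAG OUT: download linux_cybr for one pinned release tag.
# --fail stops an HTTP error page from being saved as the binary.
fetch_release() {
  curl --fail --silent --show-error --location -o "$2" \
    "https://github.com/infamousjoeg/cybr-cli/releases/download/$1/linux_cybr"
}

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# install_verified SRC EXPECTED_SHA256 DEST
# Copies SRC to DEST with mode 0755 only when the digest matches.
# The body runs in a subshell so its variables do not leak.
install_verified() (
  src=$1 expected=$2 dest=$3
  actual=$(sha256_of "$src")
  if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
    echo "refusing to install $src: SHA-256 is '$actual'" >&2
    exit 1
  fi
  mkdir -p "$(dirname "$dest")" && install -m 0755 "$src" "$dest"
)

# Usage (TAG and EXPECTED_SHA256 are placeholders you supply):
#   tmp=$(mktemp) && fetch_release "$TAG" "$tmp" &&
#     install_verified "$tmp" "$EXPECTED_SHA256" ~/.local/bin/cybr
```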

### Install from Source

```shell
$ git clone https://github.com/infamousjoeg/pas-api-go.git
$ cd pas-api-go
$ make install
$ cybr help
```

## Usage

* `$ cybr help` for top-level commands list
* `$ cybr [command] -h` for specific command details and sub-commands list

### Authenticating with authn-iam (AWS IAM Role Authentication)

Set the following environment variables:

* `CONJUR_ACCOUNT` - The Conjur account name
* `CONJUR_APPLIANCE_URL` - The URL of the Conjur service (e.g. https://conjur.example.com)
* `CONJUR_AUTHN_LOGIN` - The Host ID for the IAM role (e.g. `host/cloud/aws/ec2/1234567890/ConjurAWSRoleEC2`)
* `CONJUR_AUTHENTICATOR` - The authenticator ID (e.g. `authn-iam`)
* `CONJUR_AUTHN_SERVICE_ID` - The authenticator web service ID (e.g. `prod`)
* `CONJUR_AWS_TYPE` - The AWS type (e.g. `ec2` or `ecs` or `lambda`)

Once the environment variables are set, ensure that no `.conjurrc` or `.netrc` file exists in the user's home directory. Note that `~/.netrc` may also hold credentials used by other tools.

`rm -f ~/.conjurrc ~/.netrc`

Then run any command you wish to run within `cybr conjur`. Use the `--help` flag to see all available commands.
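
A preflight check for the authn-iam setup above, as an added example that is not part of the cybr-cli project. It confirms the six variables are set and that no `.conjurrc` or `.netrc` is left in the home directory; as assumptions of this example it also requires an `https://` appliance URL and treats the three AWS types listed above as the accepted set. The function name `check_authn_iam_env` is hypothetical.

```shell
# Added example, not part of cybr-cli.
# check_authn_iam_env [HOME_DIR]
# Prints one line per problem; returns 0 only when nothing was found.
# The body runs in a subshell so its variables do not leak.
check_authn_iam_env() (
  home_dir="${1:-$HOME}"
  problems=0

  # The six variables the README lists for authn-iam.
  for name in CONJUR_ACCOUNT CONJUR_APPLIANCE_URL CONJUR_AUTHN_LOGIN \
              CONJUR_AUTHENTICATOR CONJUR_AUTHN_SERVICE_ID CONJUR_AWS_TYPE; do
    eval "value=\${$name:-}"   # names are fixed literals, so eval is safe
    if [ -z "$value" ]; then
      echo "missing: $name"
      problems=$((problems + 1))
    fi
  done

  # Assumption of this example: the appliance must be reached over TLS.
  case "${CONJUR_APPLIANCE_URL:-}" in
    "" | https://*) ;;
    *) echo "CONJUR_APPLIANCE_URL does not start with https://"
       problems=$((problems + 1)) ;;
  esac

  # Assumption: only the AWS types named in the README are accepted.
  case "${CONJUR_AWS_TYPE:-}" in
    "" | ec2 | ecs | lambda) ;;
    *) echo "CONJUR_AWS_TYPE is not ec2, ecs or lambda"
       problems=$((problems + 1)) ;;
  esac

  # Leftover rc files must not be present when relying on the variables.
  for f in .conjurrc .netrc; do
    if [ -e "$home_dir/$f" ]; then
      echo "leftover file: $home_dir/$f"
      problems=$((problems + 1))
    fi
  done

  [ "$problems" -eq 0 ]
)

# Usage: check_authn_iam_env && cybr conjur --help
```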

### Authenticating to Privilege Cloud via ISPSS (Identity)

You will need to know the following information to authenticate to Privilege Cloud via ISPSS:
* `-b, --base-url` - The base URL of CyberArk Cloud (e.g. https://example.cyberark.cloud or https://example.privilegecloud.cyberark.cloud)
* `-u, --username` - The username of the Privilege Cloud user (e.g. [email protected])

#### Password Authentication

```shell
$ cybr logon -u [email protected] -a identity -b https://example.cyberark.cloud
+ Challenge #1
Enter password:
```

After providing the password, if no other challenges are required, the CLI will handle the token exchange and a successful logon will be displayed.

#### MFA Authentication

If MFA is required, the CLI will prompt for the challenge method to use out of those available:

```shell
$ cybr logon -u [email protected] -a identity -b https://example.cyberark.cloud
+ Challenge #1
Enter password:
+ Challenge #2
1. Email... @joe-garcia.com
2. SMS... XXX-1234
> 2
Enter code: 12341234
```

After providing the MFA code, if no other challenges are required, the CLI will handle the token exchange and a successful logon will be displayed.

### Documentation

All commands are documented [in the docs/ directory](docs/cybr.md).

## Autocomplete
The `cybr` CLI has a `completion` command that can be used to enable autocomplete for the CLI.
The completion command is dependent on your shell type. Currently the only shells that are supported are: bash, zsh, fish and powershell.

Below is an example of how to enable `cybr` CLI auto-completion from a zsh shell.
```bash
# enable shell completion. Only needs to be performed once.
echo "autoload -U compinit; compinit" >> ~/.zshrc

# create and write the auto-completion script.
# ${fpath[1]} '1' may be different depending on your environment.
cybr completion zsh > "${fpath[1]}/_cybr"
```

If you are using a different shell, execute the `completion` command with the `--help` flag and follow the instructions for the desired shell type.
```bash
cybr completion --help
```

## Example Source Code

### Logon to the PAS REST API Web Service

```go
package main

import (
	"fmt"
	"log"
	"os"

	pasapi "github.com/infamousjoeg/pas-api-go/pkg/cybr/api"
)

var (
	hostname = os.Getenv("PAS_BASE_URL")
	username = os.Getenv("PAS_USERNAME")
	password = os.Getenv("PAS_PASSWORD")
	authType = os.Getenv("PAS_AUTH_TYPE")
)

func main() {
	// Logon to PAS REST API Web Services
	token, errLogon := pasapi.Logon(hostname, username, password, authType, false)
	if errLogon != nil {
		log.Fatalf("Authentication failed. %s", errLogon)
	}
	fmt.Printf("Session Token:\r\n%s\r\n\r\n", token)
}
```

## Security

If there is a security concern or bug discovered, please responsibly disclose all information to joe (dot) garcia (at) cyberark (dot) com.

### `cybr safes add-member --role` Role Permissions

All safe member roles defined below are based on best practices and recommendations put forth by CyberArk's PAS Programs Office, creators of the CyberArk Blueprint for Identity Security.

|Role|Safe Authorizations|
|---|---|
|BreakGlass|All authorizations except Authorize Password Requests|
|VaultAdmin|- List Accounts<br>- View Audit Log<br>- View Safe Members|
|SafeManager|- Manage Safe<br>- Manage Safe Members<br>- View Audit Log<br>- View Safe Members<br>- Access Safe w/o Confirmation|
|EndUser|- Use/Retrieve/List Accounts<br>- View Audit Log<br>- View Safe Members|
|Auditor|- List Accounts<br>- View Audit Log<br>- View Safe Members|
|AIMWebService|No authorizations|
|AppProvider|- Retrieve/List Accounts<br>- View Safe Members|
|ApplicationIdentity|- Retrieve/List Accounts|
|AccountProvisioner|- List/Add/Delete Accounts<br>- Update Password Properties<br>- Initiate CPM Password Management Operations<br>- View Audit Log<br>- View Safe Members<br>- Access Safe w/o Confirmation|
|CPDeployer|- List/Add Accounts<br>- Update Password Properties<br>- Initiate CPM Password Management Operations<br>- Manage Safe Member<br>- View Audit Log, View Safe Members<br>- Access Safe w/o Confirmation|
|ComponentOrchestrator|- List/Add Accounts<br>- Update Password Properties<br>- Initiate CPM Password Management Operations<br>- View Audit Log<br>- Access Safe w/o Confirmation|
|APIAutomation|- List/Add/Rename/Delete/Unlock Accounts<br>- Update Password Content/Properties<br>- Initiate CPM Password Management Operations<br>- Manage Safe<br>- Manage Safe Members<br>- View Audit Log<br>- View Safe Members<br>- Create/Delete Folders<br>- Move Accounts/Folders|
|PasswordScheduler|- List Accounts<br>- Initiate CPM Password Management Operation<br>- View Audit Log<br>- View Safe Members<br>- Access Safe w/o Confirmation|
|ApproverLevel1|- List Accounts<br>- View Audit Log<br>- View Safe Members<br>- Authorize Password Requests (Level 1)|
|ApproverLevel2|- List Accounts<br>- View Audit Log<br>- View Safe Members<br>- Authorize Password Requests (Level 2)|

## Testing

To vet the code, run `make vet`.
To test the code, run `make test`.
To run all tests, run `make test-all`.

## Maintainers

[@infamousjoeg](https://github.com/infamousjoeg)

[![Buy me a coffee][buymeacoffee-shield]][buymeacoffee]

[buymeacoffee]: https://www.buymeacoffee.com/infamousjoeg
[buymeacoffee-shield]: https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png

[@AndrewCopeland](https://github.com/AndrewCopeland)

## Contributions

Pull Requests are currently being accepted. Please read and follow the guidelines laid out in [CONTRIBUTING.md](CONTRIBUTING.md).

## License

[Apache 2.0](LICENSE)