AWS CLI for CyberArk Identity

Install AWS CLI for CyberArk Identity

Install AWS CLI for CyberArk Identity using the following steps.

Step 1: Install Python

Install Python using the guidelines for your operating system:

Linux may have an old version of Python. The following instructions will install Python 3.5.2 as an alternative installation option. Ensure you are using python 3.5.2 or later versions when running AWS CLI for Idaptive.

Python is invoked with the python/pip command.

Run the following set of commands to install Python 3.5.2 for Linux:

yum  install  gcc
cd  /opt 
wget https://www.python.org/ftp/python/3.5.2/Python-3.5.2.tgz
tar  xzf Python-3.5.2.tgz 
cd  Python-3.5.2  
./configure  
make  altinstall  
python3.5  --version  
pip3.5  –version  
pip3.5  install  --upgrade  pip

pip3.5 –version will show version 8.1.1

pip3.5 install --upgrade pip will show version 8.1.2

  1. Download the appropriate windows installer.

  2. Run the installer.

  3. Run the command pip install --upgrade pip.

Step 2: Library installations

To install the required libraries, run the following commands from the command terminal:

pip3.5  install  requests  
pip3.5  install  boto3

Step 3: AWS CLI installation

You must run the following commands even if you already have AWS CLI installed. Otherwise, some modules (for example, colorama) will not be installed.

To install AWS CLI, run pip3.5 install awscli --ignore-installed six.

To ensure AWS is installed properly, run aws help .

Step 4: Configuration file setup

To download CLI and edit the configuration files:

  1. Login to the CyberArk Identity Admin Portal and go to Downloads.

  2. Expand CLI Tools and click Download.

  3. Extract the contents of the downloaded aws-cli-utilities-master.zip file.

  4. Change directory to AWS CLI - Idaptive V1.

  5. If your organization uses a proxy server, then open the proxy.properties file and edit it according to the following table.

    Edit line

    No Proxy

    With Proxy

    [Proxy]

    Do not modify

    Do not modify

    proxy=no

    Ensure proxy is set to no

    Set proxy to yes

    http_proxy=PROXY_VALUE

    No proxy value required

    Replace PROXY_VALUE with the value of your proxy

    https_proxy=HTTP_PROXY

    No https proxy required

    Replace HTTP_PROXY with the value of your http proxy

    proxy_user=PROXY_USER

    No change required

    Replace PROXY_USER with the value of your proxy user for proxy server authentication. If not user-specific, use the value no.

    This is not the CyberArk Identity instance authentication.

    proxy_password=PROXY_PASSWORD

    No change required

    Replace PROXY_PASSWORD with the value of your proxy user password for proxy server authentication.

    If the proxy user value is no, update PROXY_PASSWORD with a base64 encoded value of the proxy server password.

Step 5: Create cacerts.pem file

This step is not required unless you change the AWSCLI.py script to enable certificate pinning. By default, certificate pinning is disabled.

Because certificate pinning is disabled by default as of the 22.3 release, the embedded certificate no longer requires annual renewal.

There are two different ways to cacerts.pem file.

  1. Open your Identity instance in your browser. For example, open pod0.idaptive.app or pod0.cyberark.cloud in Firefox.

  2. Click on the browser's lock icon located to the left side of the URL.

  3. Click on the arrow, then click More Information to view security information.

  4. Click on the View Certificate button.

  5. In the Certificate Viewer, click on Detail to view the certificate chain.

    Certificate type

    Certificate example

    Leaf certificate

    *.instance.idaptive.app

    *instance.cyberark.cloud

    Intermediate certificate

    Go Daddy Secure certificate authority - G2

    Root certificate

    Go Daddy Root Certificate authority - G2

  6. Click on each certificate to save the files in .crt format.

  7. Open the leaf certificate. For example:

    *.instance.idaptive.app

    *instance.cyberark.cloud

  8. Open the intermediate certificate, copy the contents, and paste it as text after the leaf certificate content.

  9. Open the root certificate, copy the contents, paste it after the intermediate certificate contents

  10. Save the file to the root directory of the script. For example where the AWSCLI.py file exists.

  11. Rename the file to cacerts_<tenant_name>.pem, replacing <tenant_name> with your tenant name.

  1. Run the openssl unix command. Replace your_tenant with your existing tenant.

    openssl  s_client  -connect  your_tenant.idaptive.app:443 -showcerts  2>&1  |  sed  -ne  '/-BEGIN  CERTIFICATE-/,/-END  CERTIFICATE-/p'  >  cacerts_your_tenant.pem

  2. Open the cacerts_ your_tenant.pem file and append the following certificate text to the end of the file:

    -----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----

  3. Save the cacerts_your_tenant.pem file in the root directory of the script. For example, where the AWSCLI.py file is stored.

Run AWS CLI for CyberArk Identity

After downloading the AWSCLI.py file, perform the following steps:

  1. Move the AWSCLI.py file to another directory.

  2. Change the directory to the directory in which the AWSCLI.py file is saved.

  3. Begin the program by running the command Python<version> AWSCLI.py.

In addition, you can set the python environment variables for the path of python and lib.

Available command line arguments

Parameter

Description

-h / -help

This parameter provides help for the program.

For example:

C:\aws-cli-utilities-master\AWS CLI - Idaptive V1>python  AWSCLI.py  -h
usage:  AWSCLI.py  [-h]  [-tenant  TENANT]  [-region  REGION]  [-debug]
    
Enter  Idaptive  Credentials  and  choose  AWS  Role  to  create  AWS  Profile.  Use  this AWS  Profile  to  run  AWS  commands.
    
optional  arguments:
    -h,  --help                        show  this  help  message  and  exit
    -tenant  TENANT,  -t  TENANT       Enter  tenant  url  or  name  e.g. pod0.idaptive.app or cloud-region  REGION,  
    -r  REGION                         Enter  AWS  region.  Default  is  us-west-2  
    -debug,  -d                        This  will  make  debug  on

-t / -tenant

Specify the full tenant URL in the command.

For example, if the tenant URL is https://abp5986.id.integration-cyberark.cloud, then this parameter can be used in the following ways:

C:\aws-cli-utilities-master\AWS CLI - Idaptive V1>python AWSCLI.py -t abp5986.id.integration-cyberark.cloud  

OR

C:\aws-cli-utilities-master\AWS CLI - Idaptive V1>python AWSCLI.py -t pod0.idaptive.app

OR

C:\aws-cli-utilities-master\AWS CLI - Idaptive V1>python AWSCLI.py -t pod1009 (for pods with format {podname}.idaptive.app)

If a value is not provided, this parameter indicates the tenant based on Start Authentication.

-r

Enter the AWS region. The default is us-west-2. Use this parameter by default while running the program.

-d / -debug

This parameter will enable the debug option.