Install the AWS CLI for CyberArk Identity
This section describes how to install and run the AWS CLI for CyberArk Identity.
Step 1: Install Python
Install Python using the guidelines for your operating system:
Linux may have an old version of Python. The following instructions install Python 3.5.2 as an alternative installation option. Ensure you are using Python 3.5.2 or a later version when running AWS CLI for Idaptive.
Python is invoked with the python/pip command.
Run the following set of commands to install Python 3.5.2 for Linux:
yum install gcc
cd /opt
wget https://www.python.org/ftp/python/3.5.2/Python-3.5.2.tgz
tar xzf Python-3.5.2.tgz
cd Python-3.5.2
./configure
make altinstall
python3.5 --version
pip3.5 --version
pip3.5 install --upgrade pip
pip3.5 --version will show version 8.1.1.
pip3.5 install --upgrade pip will show version 8.1.2.
- Download the appropriate Windows installer.
- Run the installer.
- Run the command pip install --upgrade pip.
Step 2: Install the libraries
To install the required libraries, run the following commands from the command terminal:
pip3.5 install requests
pip3.5 install boto3
Step 3: Install the AWS CLI
You must run the following commands even if you already have AWS CLI installed. Otherwise, some modules (for example, colorama) will not be installed.
- To install the AWS CLI, run pip3.5 install awscli --ignore-installed six.
- To ensure that AWS is installed properly, run aws help.
Step 4: Download the CLI and edit the configuration file
- Log in to the CyberArk Identity Admin Portal and go to Downloads.
- Expand CLI Tools and click Download.
- Extract the contents of the downloaded aws-cli-utilities-master.zip file.
- Change directory to AWS CLI - Idaptive V1.
- If your organization uses a proxy server, open the proxy.properties file and edit it according to the following table.

Edit line | No proxy | With a proxy |
---|---|---|
[Proxy] | Do not modify. | Do not modify. |
proxy=no | Ensure that proxy is set to no. | Set proxy to yes. |
http_proxy=PROXY_VALUE | No value is required. | Replace PROXY_VALUE with the value of your proxy. |
https_proxy=HTTP_PROXY | No value is required. | Replace HTTP_PROXY with the value of your HTTP proxy. |
proxy_user=PROXY_USER | No change required. | Replace PROXY_USER with the value of your proxy user for proxy server authentication. If it is not user-specific, use the value no. This is not the authentication of the CyberArk Identity instance. |
proxy_password=PROXY_PASSWORD | No change required. | Replace PROXY_PASSWORD with the value of your proxy user password for proxy server authentication. If the proxy_user value is no, update PROXY_PASSWORD with a base64-encoded value of the proxy server password. |
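
The following check for an edited proxy.properties is an added example, not part of the CyberArk download. It assumes the file parses as an INI file with the [Proxy] section and keys listed in the table; the function name and sample contents are constructed for illustration.

```python
import base64
import binascii
import configparser

# Placeholder tokens from the proxy.properties table above.
PLACEHOLDERS = {
    "http_proxy": "PROXY_VALUE",
    "https_proxy": "HTTP_PROXY",
    "proxy_user": "PROXY_USER",
    "proxy_password": "PROXY_PASSWORD",
}

# Constructed sample: the file as the table describes it before any edits.
SAMPLE_DEFAULT = (
    "[Proxy]\nproxy=no\nhttp_proxy=PROXY_VALUE\nhttps_proxy=HTTP_PROXY\n"
    "proxy_user=PROXY_USER\nproxy_password=PROXY_PASSWORD\n"
)


def check_proxy_properties(text):
    """Return a list of findings for the contents of proxy.properties."""
    cfg = configparser.ConfigParser(interpolation=None)
    try:
        cfg.read_string(text)
    except configparser.Error as exc:
        return ["file does not parse: %s" % exc]
    if not cfg.has_section("Proxy"):
        return ["[Proxy] section header is missing or was modified"]
    section = cfg["Proxy"]
    mode = section.get("proxy", "").strip().lower()
    if mode == "no":
        return []  # no-proxy column: the remaining lines need no change
    if mode != "yes":
        return ["proxy must be yes or no, found %r" % mode]
    findings = []
    for key, placeholder in PLACEHOLDERS.items():
        if section.get(key, "").strip() in ("", placeholder):
            findings.append("%s is empty or still %s" % (key, placeholder))
    password = section.get("proxy_password", "").strip()
    if password and password != PLACEHOLDERS["proxy_password"]:
        try:  # heuristic: does the stored value decode as base64?
            base64.b64decode(password, validate=True)
            how = "base64, which is reversible encoding, not encryption"
        except (binascii.Error, ValueError):
            how = "clear text"
        findings.append("proxy_password is stored as %s; restrict read "
                        "access to proxy.properties" % how)
    return findings
```

Pass the file contents, for example check_proxy_properties(open("proxy.properties").read()); an empty list means nothing was flagged.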
Step 5: Create the cacerts.pem file
This step is not required unless you change the AWSCLI.py script to enable certificate pinning. By default, certificate pinning is disabled.
Because certificate pinning is disabled by default as of the 22.3 release, the embedded certificate no longer requires annual renewal.
There are two different ways to create the cacerts.pem file.
- Open your CyberArk Identity instance in your browser. For example, open pod0.idaptive.app or pod0.cyberark.cloud in Firefox.
- Click the browser's lock button, located to the left side of the URL.
- Click the arrow, and then click More Information to view the security information.
- Click the View Certificate button.
- In the Certificate Viewer, click Detail to view the certificate chain.

Certificate type | Certificate example |
---|---|
Leaf certificate | *.instance.idaptive.app, *instance.cyberark.cloud |
Intermediate certificate | Go Daddy Secure certificate authority - G2 |
Root certificate | Go Daddy Root Certificate authority - G2 |

- Click each certificate to save the files in .crt format.
- Open the leaf certificate. For example: *.instance.idaptive.app, *instance.cyberark.cloud
- Open the intermediate certificate, copy the contents, and paste them as text after the leaf certificate content.
- Open the root certificate, copy the contents, and paste them after the intermediate certificate contents.
- Save the file to the root directory of the script. For example, where the AWSCLI.py file exists.
- Rename the file to cacerts_<tenant_name>.pem, replacing <tenant_name> with your tenant name.
- Run the openssl UNIX command. Replace your_tenant with your existing tenant.
openssl s_client -connect your_tenant.idaptive.app:443 -showcerts 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cacerts_your_tenant.pem
- Open the cacerts_your_tenant.pem file and append the following certificate text to the end of the file:
- Save the cacerts_your_tenant.pem file in the root directory of the script. For example, where the AWSCLI.py file is stored.
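
Both methods produce a hand-assembled PEM bundle, and the openssl method records whatever chain the network path returned. The following added example (not part of AWSCLI.py; the function names and sample bytes are constructed) lists the SHA-256 fingerprint of each certificate in the bundle for comparison with the browser's certificate viewer, and flags copy-and-paste damage.

```python
import base64
import binascii
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.DOTALL)


def pem_wrap(der):
    """Wrap DER bytes in PEM armour (used only to build the sample)."""
    return BEGIN + "\n" + base64.encodebytes(der).decode() + END + "\n"


# Constructed sample: placeholder bytes, not real certificates, in the
# leaf, intermediate, root order the procedure above produces.
SAMPLE_BUNDLE = "".join(
    pem_wrap(b"\x30" + label)
    for label in (b"constructed-leaf", b"constructed-intermediate",
                  b"constructed-root"))


def inspect_bundle(pem_text):
    """Return (sha256_fingerprints, problems) for a cacerts_*.pem bundle."""
    problems, fingerprints = [], []
    if pem_text.count(BEGIN) != pem_text.count(END):
        problems.append("unbalanced BEGIN/END lines (bad copy and paste?)")
    for index, match in enumerate(PEM_BLOCK.finditer(pem_text), start=1):
        try:
            der = base64.b64decode("".join(match.group(1).split()),
                                   validate=True)
        except (binascii.Error, ValueError):
            problems.append("block %d is not valid base64" % index)
            continue
        if not der.startswith(b"\x30"):  # X.509 DER is an ASN.1 SEQUENCE
            problems.append("block %d lacks the ASN.1 SEQUENCE tag" % index)
        digest = hashlib.sha256(der).hexdigest().upper()
        fingerprint = ":".join(digest[i:i + 2] for i in range(0, 64, 2))
        if fingerprint in fingerprints:
            problems.append("block %d repeats an earlier certificate" % index)
        fingerprints.append(fingerprint)
    if len(fingerprints) < 3:
        problems.append("expected leaf, intermediate and root; found %d "
                        "usable certificate(s)" % len(fingerprints))
    return fingerprints, problems
```

Run it on the text of cacerts_<tenant_name>.pem and compare each fingerprint, in order, with the SHA-256 fingerprint the certificate viewer shows for the leaf, intermediate and root.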
Run the AWS CLI for CyberArk Identity
After downloading the AWSCLI.py file, perform the following steps:
- Move the AWSCLI.py file to another directory.
- Change the directory to the directory in which the AWSCLI.py file is saved.
- Begin the program by running the command Python<version> AWSCLI.py.
In addition, you can set the Python environment variables for the path of python and lib.
Parameter |
Description |
---|---|
|
This parameter provides help for the program. For example:
|
|
Specify the full tenant URL in the command. For example, if the tenant URL is
If a value is not provided, this parameter indicates the tenant based on Start Authentication. |
|
Enter the AWS region. The default is |
|
This parameter enables the debug option. |