AWS CLI for CyberArk Identity
Install AWS CLI for CyberArk Identity
Install AWS CLI for CyberArk Identity using the following steps.
Step 1: Install Python
Install Python using the guidelines for your operating system:
Linux may have an old version of Python. The following instructions will install Python 3.5.2 as an alternative installation option. Ensure you are using Python 3.5.2 or a later version when running AWS CLI for Idaptive.
Python is invoked with the python/pip command.
Run the following set of commands to install Python 3.5.2 for Linux:
    yum install gcc
    cd /opt
    wget https://www.python.org/ftp/python/3.5.2/Python-3.5.2.tgz
    tar xzf Python-3.5.2.tgz
    cd Python-3.5.2
    ./configure
    make altinstall
    python3.5 --version
    pip3.5 --version
    pip3.5 install --upgrade pip
pip3.5 --version will show version 8.1.1.
pip3.5 install --upgrade pip will show version 8.1.2.
- Download the appropriate Windows installer.
- Run the installer.
- Run the command pip install --upgrade pip.
Step 2: Library installations
To install the required libraries, run the following commands from the command terminal:
pip3.5 install requests
pip3.5 install boto3
Step 3: AWS CLI installation
You must run the following commands even if you already have AWS CLI installed. Otherwise, some modules (for example, colorama) will not be installed.
To install AWS CLI, run pip3.5 install awscli --ignore-installed six.
To ensure AWS is installed properly, run aws help.
Step 4: Configuration file setup
To download CLI and edit the configuration files:
- Log in to the CyberArk Identity Admin Portal and go to Downloads.
- Expand CLI Tools and click Download.
- Extract the contents of the downloaded aws-cli-utilities-master.zip file.
- Change directory to AWS CLI - Idaptive V1.
- If your organization uses a proxy server, then open the proxy.properties file and edit it according to the following table.

Edit line | No Proxy | With Proxy |
---|---|---|
[Proxy] | Do not modify | Do not modify |
proxy=no | Ensure proxy is set to no | Set proxy to yes |
http_proxy=PROXY_VALUE | No proxy value required | Replace PROXY_VALUE with the value of your proxy |
https_proxy=HTTP_PROXY | No https proxy required | Replace HTTP_PROXY with the value of your http proxy |
proxy_user=PROXY_USER | No change required | Replace PROXY_USER with the value of your proxy user for proxy server authentication. If not user-specific, use the value no. This is not the CyberArk Identity instance authentication. |
proxy_password=PROXY_PASSWORD | No change required | Replace PROXY_PASSWORD with the value of your proxy user password for proxy server authentication. If the proxy user value is no, update PROXY_PASSWORD with a base64 encoded value of the proxy server password. |
Step 5: Create cacerts.pem file
This step is not required unless you change the AWSCLI.py script to enable certificate pinning. By default, certificate pinning is disabled.
Because certificate pinning is disabled by default as of the 22.3 release, the embedded certificate no longer requires annual renewal.
There are two different ways to create the cacerts.pem file.
- Open your Identity instance in your browser. For example, open pod0.idaptive.app or pod0.cyberark.cloud in Firefox.
- Click on the browser's lock icon located to the left side of the URL.
- Click on the arrow, then click More Information to view security information.
- Click on the View Certificate button.
- In the Certificate Viewer, click on Detail to view the certificate chain.

Certificate type | Certificate example |
---|---|
Leaf certificate | *.instance.idaptive.app, *instance.cyberark.cloud |
Intermediate certificate | Go Daddy Secure certificate authority - G2 |
Root certificate | Go Daddy Root Certificate authority - G2 |

- Click on each certificate to save the files in .crt format.
- Open the leaf certificate. For example: *.instance.idaptive.app, *instance.cyberark.cloud
- Open the intermediate certificate, copy the contents, and paste it as text after the leaf certificate content.
- Open the root certificate, copy the contents, and paste it after the intermediate certificate contents.
- Save the file to the root directory of the script. For example, where the AWSCLI.py file exists.
- Rename the file to cacerts_<tenant_name>.pem, replacing <tenant_name> with your tenant name.
- Run the openssl Unix command. Replace your_tenant with your existing tenant.
    openssl s_client -connect your_tenant.idaptive.app:443 -showcerts 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cacerts_your_tenant.pem
- Open the cacerts_your_tenant.pem file and append the following certificate text to the end of the file:
    -----BEGIN CERTIFICATE-----
    MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
    QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
    MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
    b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
    9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
    CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
    nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
    43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
    T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
    gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
    BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
    TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
    DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
    hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
    06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
    PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
    YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
    CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
    -----END CERTIFICATE-----
- Save the cacerts_your_tenant.pem file in the root directory of the script. For example, where the AWSCLI.py file is stored.
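Added example (not part of the CyberArk documentation or the AWSCLI.py script): a bundle built by either method is only as trustworthy as the connection it was captured over, so before enabling pinning it helps to compare each certificate's SHA-256 fingerprint with values obtained separately, for instance from the certificate viewer on a trusted network. The function names and the sample bundle are assumptions made for this example; the sample holds stand-in bytes, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def bundle_fingerprints(pem_text):
    """SHA-256 fingerprint of each certificate in a PEM bundle, in file order,
    formatted AA:BB:... as certificate viewers display it."""
    prints = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):  # every certificate is a DER SEQUENCE
            raise ValueError("PEM block does not contain DER data")
        digest = hashlib.sha256(der).hexdigest().upper()
        prints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    return prints


def check_bundle(pem_text, trusted):
    """Compare a bundle with fingerprints obtained out of band.
    Returns a list of problems; an empty list means an exact match."""
    found = bundle_fingerprints(pem_text)
    problems = []
    if len(found) != len(set(found)):
        problems.append("duplicate certificate in bundle")
    for pos, fp in enumerate(found, start=1):
        if fp not in trusted:
            problems.append(f"certificate #{pos} is not in the trusted set")
    for fp in sorted(set(trusted) - set(found)):
        problems.append(f"expected certificate missing: {fp}")
    return problems


def pem_wrap(der):
    """Wrap bytes in PEM armour; used only to build the constructed sample."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed sample: stand-in byte strings, not real certificates, preceded
# by stray text that the parser must ignore.
SAMPLE = ("depth=0 CN=example\n"
          + pem_wrap(b"\x30\x04leaf") + pem_wrap(b"\x30\x04root"))

if __name__ == "__main__":
    for fp in bundle_fingerprints(SAMPLE):
        print(fp)
```

To check a real bundle, pass the contents of cacerts_your_tenant.pem as pem_text and, as trusted, the fingerprints reported by openssl x509 -noout -fingerprint -sha256 for certificates you obtained on a trusted host.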
Run AWS CLI for CyberArk Identity
After downloading the AWSCLI.py file, perform the following steps:
- Move the AWSCLI.py file to another directory.
- Change the directory to the directory in which the AWSCLI.py file is saved.
- Begin the program by running the command Python<version> AWSCLI.py.
In addition, you can set the Python environment variables for the path of python and lib.
Available command line arguments
Parameter | Description |
---|---|
 | This parameter provides help for the program. For example: |
 | Specify the full tenant URL in the command. For example, if the tenant URL is If a value is not provided, this parameter indicates the tenant based on Start Authentication. |
 | Enter the AWS region. The default is |
 | This parameter will enable the debug option. |