Install the AWS CLI for CyberArk Identity

This section describes how to install and run the AWS CLI for CyberArk Identity.

Install the AWS CLI for CyberArk Identity

Step 1: Install Python

Install Python using the guidelines for your operating system:

Linux distributions may ship an old version of Python. The following instructions install Python 3.5.2 as an alternative installation (altinstall) alongside the system Python. Ensure you are using Python 3.5.2 or a later version when running the AWS CLI for Idaptive.

Python is invoked with the python/pip command.

Run the following set of commands to install Python 3.5.2 for Linux:

yum install gcc
cd /opt
wget https://www.python.org/ftp/python/3.5.2/Python-3.5.2.tgz
tar xzf Python-3.5.2.tgz
cd Python-3.5.2
./configure
make altinstall
python3.5 --version
pip3.5 --version
pip3.5 install --upgrade pip

pip3.5 --version will show version 8.1.1.

pip3.5 install --upgrade pip will upgrade pip to version 8.1.2.

For Windows, follow these steps:

  1. Download the appropriate Windows installer.

  2. Run the installer.

  3. Run the command pip install --upgrade pip.

Step 2: Install the libraries

To install the required libraries, run the following commands from the command terminal:

pip3.5 install requests
pip3.5 install boto3

Step 3: Install the AWS CLI

You must run the following commands even if you already have AWS CLI installed. Otherwise, some modules (for example, colorama) will not be installed.

  1. To install the AWS CLI, run pip3.5 install awscli --ignore-installed six.

  2. To ensure that the AWS CLI is installed properly, run aws help.

Step 4: Download the CLI and edit the configuration file

  1. Log in to the CyberArk Identity Admin Portal and go to Downloads.

  2. Expand CLI Tools and click Download.

  3. Extract the contents of the downloaded aws-cli-utilities-master.zip file.

  4. Change directory to AWS CLI - Idaptive V1.

  5. If your organization uses a proxy server, open the proxy.properties file and edit it according to the following table. For each line of the file, the table gives the action to take when you have no proxy and when you have a proxy.

    [Proxy]
      No proxy: Do not modify.
      With a proxy: Do not modify.

    proxy=no
      No proxy: Ensure that proxy is set to no.
      With a proxy: Set proxy to yes.

    http_proxy=PROXY_VALUE
      No proxy: No value is required.
      With a proxy: Replace PROXY_VALUE with the value of your proxy.

    https_proxy=HTTP_PROXY
      No proxy: No value is required.
      With a proxy: Replace HTTP_PROXY with the value of your HTTP proxy.

    proxy_user=PROXY_USER
      No proxy: No change required.
      With a proxy: Replace PROXY_USER with the value of your proxy user for proxy server authentication. If it is not user-specific, use the value no. This is not the authentication of the CyberArk Identity instance.

    proxy_password=PROXY_PASSWORD
      No proxy: No change required.
      With a proxy: Replace PROXY_PASSWORD with the value of your proxy user password for proxy server authentication. If the proxy_user value is no, update PROXY_PASSWORD with a base64-encoded value of the proxy server password.
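The following script checks an edited proxy.properties file against the rules in the table above. It is an added example and is not the AWSCLI.py script's own code: it parses the [Proxy] section with Python's configparser, reports placeholders that were never replaced when proxy=yes, builds a proxies dictionary in the form the requests library accepts (with the proxy_user credentials embedded), and, when proxy_user is no, only verifies that proxy_password is valid base64, because the page does not say how the script applies that value. The value format for http_proxy and https_proxy (host:port with or without a scheme) and the sample file contents are assumptions.

```python
"""Validate a proxy.properties file and build a requests-style proxies dict.

Added example, not the AWSCLI.py script's own code. Assumes http_proxy and
https_proxy hold "host:port" or "scheme://host:port"; a bare host:port is
treated as an HTTP proxy.
"""
import base64
import binascii
import configparser
from urllib.parse import quote, urlsplit, urlunsplit

# Placeholders shipped in proxy.properties that must be replaced when proxy=yes.
PLACEHOLDERS = {"PROXY_VALUE", "HTTP_PROXY", "PROXY_USER", "PROXY_PASSWORD"}

# Constructed sample of an edited file (not a real proxy or credential).
SAMPLE = """[Proxy]
proxy=yes
http_proxy=proxy.example.com:8080
https_proxy=proxy.example.com:8080
proxy_user=alice
proxy_password=p@ss word
"""


def _with_credentials(proxy_value, user, password):
    """Return the proxy URL with user:password embedded, percent-encoded."""
    if "://" not in proxy_value:
        proxy_value = "http://" + proxy_value  # assumption: bare host:port is an HTTP proxy
    parts = urlsplit(proxy_value)
    netloc = f"{quote(user, safe='')}:{quote(password, safe='')}@{parts.hostname}"
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def load_proxy_settings(text):
    """Parse proxy.properties text.

    Returns (proxies, problems): proxies is a dict usable as requests' proxies=
    argument, or None when proxy=no or the file is not usable; problems lists
    what still needs fixing (empty when the file follows the table).
    """
    cp = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cp.read_string(text)
    if not cp.has_section("Proxy"):
        return None, ["missing [Proxy] section"]
    sec = cp["Proxy"]
    mode = sec.get("proxy", "").strip().lower()
    if mode not in ("yes", "no"):
        return None, [f"proxy must be yes or no, got {mode!r}"]
    if mode == "no":
        return None, []  # with no proxy the placeholders may stay as shipped

    problems = []
    http_proxy = sec.get("http_proxy", "").strip()
    https_proxy = sec.get("https_proxy", "").strip()
    for key, value in (("http_proxy", http_proxy), ("https_proxy", https_proxy)):
        if not value or value in PLACEHOLDERS:
            problems.append(f"{key} has not been set")
    user = sec.get("proxy_user", "").strip()
    password = sec.get("proxy_password", "").strip()
    if not user or user in PLACEHOLDERS or password in PLACEHOLDERS:
        problems.append("proxy_user or proxy_password placeholder has not been replaced")
    if problems:
        return None, problems

    if user.lower() == "no":
        # Table rule: with proxy_user=no the password field holds a base64-encoded value.
        try:
            base64.b64decode(password, validate=True)
        except binascii.Error:
            return None, ["proxy_password must be base64-encoded when proxy_user is no"]
        proxies = {"http": http_proxy, "https": https_proxy}
    else:
        proxies = {"http": _with_credentials(http_proxy, user, password),
                   "https": _with_credentials(https_proxy, user, password)}
    for scheme, value in proxies.items():
        if "://" not in value:
            proxies[scheme] = "http://" + value
    return proxies, []


if __name__ == "__main__":
    found, issues = load_proxy_settings(SAMPLE)
    print(found if not issues else "\n".join(issues))
```

Pass the returned dictionary as the proxies= argument of requests calls; percent-encoding the user name and password keeps characters such as @ and spaces from corrupting the proxy URL.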

Step 5: Create the cacerts.pem file

This step is not required unless you change the AWSCLI.py script to enable certificate pinning. By default, certificate pinning is disabled.

Because certificate pinning is disabled by default as of the 22.3 release, the embedded certificate no longer requires annual renewal.

There are two different ways to create the cacerts.pem file: export the certificate chain from your browser (option 1) or retrieve it with openssl (option 2).

Option 1: Export the certificate chain from the browser

  1. Open your CyberArk Identity instance in your browser. For example, open pod0.idaptive.app or pod0.cyberark.cloud in Firefox.

  2. Click the browser's lock button, located to the left side of the URL.

  3. Click the arrow, and then click More Information to view the security information.

  4. Click the View Certificate button.

  5. In the Certificate Viewer, click Detail to view the certificate chain. The chain contains the following certificate types:

    Certificate type            Certificate example
    Leaf certificate            *.instance.idaptive.app or *instance.cyberark.cloud
    Intermediate certificate    Go Daddy Secure certificate authority - G2
    Root certificate            Go Daddy Root Certificate authority - G2

  6. Click each certificate to save the files in .crt format.

  7. Open the leaf certificate. For example:

    *.instance.idaptive.app

    *instance.cyberark.cloud

  8. Open the intermediate certificate, copy the contents, and paste them as text after the leaf certificate content.

  9. Open the root certificate, copy the contents, and paste them after the intermediate certificate contents.

  10. Save the file to the root directory of the script (the directory that contains the AWSCLI.py file).

  11. Rename the file to cacerts_<tenant_name>.pem, replacing <tenant_name> with your tenant name.

Option 2: Retrieve the certificate chain with openssl

  1. Run the following openssl command on UNIX. Replace your_tenant with your existing tenant name. Redirecting stdin from /dev/null makes s_client exit as soon as the handshake completes instead of waiting for input.

    openssl s_client -connect your_tenant.idaptive.app:443 -showcerts </dev/null 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cacerts_your_tenant.pem

  2. Open the cacerts_your_tenant.pem file and append the following certificate text to the end of the file:

    -----BEGIN CERTIFICATE-----
    MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
    QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
    MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
    b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
    9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
    CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
    nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
    43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
    T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
    gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
    BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
    TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
    DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
    hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
    06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
    PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
    YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
    CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
    -----END CERTIFICATE-----
  3. Save the cacerts_your_tenant.pem file in the root directory of the script (the directory that contains the AWSCLI.py file).
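Whichever option you use, the resulting bundle is only useful for pinning if the certificates are in the order leaf, intermediate, root and each one was issued by the next. The script below checks exactly that and is an added example, not part of the downloaded CLI tools: it splits the PEM file into certificates, reads the issuer and subject names from the DER encoding with a small tag-length-value decoder (standard library only, so nothing beyond Step 1 is needed), and reports any certificate that is not issued by the one after it or a final certificate that is not self-signed. As sample input it embeds the DigiCert Global Root CA text that option 2 tells you to append; the file name and the pinning behaviour of AWSCLI.py itself are not covered.

```python
"""Check that a cacerts_<tenant>.pem bundle is ordered leaf -> intermediate -> root.

Added example, not part of the CyberArk CLI tools. Uses only the standard library.
"""
import base64
import re
import sys

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Sample input: the DigiCert Global Root CA that option 2 says to append (copied from
# the page), so the checker can run without a live tenant.
ROOT_PEM = """-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----
"""


def pem_blocks(text):
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_BLOCK.finditer(text)]


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def names(der):
    """Return (subject, issuer) of an X.509 certificate as raw DER Name encodings."""
    _, cert, _ = _tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    tag, _, nxt = _tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0    # skip the explicit [0] version when present
    _, _, pos = _tlv(tbs, pos)         # serialNumber
    _, _, pos = _tlv(tbs, pos)         # signature AlgorithmIdentifier
    start = pos
    _, _, pos = _tlv(tbs, pos)         # issuer Name
    issuer = tbs[start:pos]
    _, _, pos = _tlv(tbs, pos)         # validity
    start = pos
    _, _, pos = _tlv(tbs, pos)         # subject Name
    return tbs[start:pos], issuer


def common_name(name_der):
    """Best-effort CN (OID 2.5.4.3) from a DER Name, for readable messages."""
    idx = name_der.find(b"\x06\x03\x55\x04\x03")
    if idx < 0:
        return "<no CN>"
    _, value, _ = _tlv(name_der, idx + 5)
    return value.decode("utf-8", "replace")


def check_chain(pem_text):
    """Return a list of findings; an empty list means the bundle is correctly ordered."""
    certs = [names(der) for der in pem_blocks(pem_text)]
    if not certs:
        return ["no PEM certificates found"]
    findings = []
    for i in range(len(certs) - 1):
        subject, issuer = certs[i]
        next_subject = certs[i + 1][0]
        if issuer != next_subject:  # DER Names are canonical, so bytes compare directly
            findings.append(f"certificate {i} ({common_name(subject)}) was not issued by "
                            f"certificate {i + 1} ({common_name(next_subject)})")
    last_subject, last_issuer = certs[-1]
    if last_subject != last_issuer:
        findings.append(f"last certificate ({common_name(last_subject)}) is not self-signed; "
                        "the root should come last")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else ROOT_PEM
    problems = check_chain(text)
    print("OK" if not problems else "\n".join(problems))
```

Run it as python3.5 check_chain.py cacerts_your_tenant.pem (a name chosen for this example); a clean run prints OK. Matching issuer to subject on the raw DER bytes is enough here because DER has a single canonical encoding for each Name, so no string normalisation is needed.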

Run the AWS CLI for CyberArk Identity

After downloading the AWSCLI.py file, perform the following steps:

  1. Move the AWSCLI.py file to another directory.

  2. Change the directory to the directory in which the AWSCLI.py file is saved.

  3. Start the program by running python<version> AWSCLI.py (for example, python3.5 AWSCLI.py).

In addition, you can set the environment variables for the Python executable and library paths.

Available command line arguments

Parameter / Description

-h / --help

This parameter provides help for the program.

For example:

C:\aws-cli-utilities-master\AWS CLI - Idaptive V1>python AWSCLI.py -h
usage: AWSCLI.py [-h] [-tenant TENANT] [-region REGION] [-debug]

Enter Idaptive Credentials and choose AWS Role to create AWS Profile. Use this AWS Profile to run AWS commands.

optional arguments:
    -h, --help                     show this help message and exit
    -tenant TENANT, -t TENANT      Enter tenant url or name e.g. pod0.idaptive.app or cloud
    -region REGION, -r REGION      Enter AWS region. Default is us-west-2
    -debug, -d                     This will make debug on

-t / -tenant

Specify the full tenant URL in the command.

For example, if the tenant URL is https://abp5986.id.integration-cyberark.cloud, this parameter can be used in the following ways:

C:\aws-cli-utilities-master\AWS CLI - Idaptive V1>python AWSCLI.py -t abp5986.id.integration-cyberark.cloud  

OR

C:\aws-cli-utilities-master\AWS CLI - Idaptive V1>python AWSCLI.py -t pod0.idaptive.app

OR

C:\aws-cli-utilities-master\AWS CLI - Idaptive V1>python AWSCLI.py -t pod1009 (for pods with format {podname}.idaptive.app)

If a value is not provided, the tenant is determined based on Start Authentication.

-r / -region

Enter the AWS region. The default is us-west-2. Specify this parameter whenever you run the program.

-d / -debug

This parameter enables the debug option.
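To show how the three documented flags and the accepted forms of the -t value fit together, here is an added example of an argparse front end that mirrors the usage text above. It is not the parser from AWSCLI.py: the normalisation of the tenant value (a full URL, a host name, or a bare pod name completed to <pod>.idaptive.app, as the page describes) into an https base URL is this example's own assumption about what the script does with the value.

```python
"""argparse front end mirroring the documented AWSCLI.py flags.

Added example, not the AWSCLI.py script's own code. tenant_base_url() is an
assumed normalisation of the -t value; the page only lists the accepted forms.
"""
import argparse
from urllib.parse import urlsplit

DEFAULT_REGION = "us-west-2"      # documented default for -r / -region
DEFAULT_DOMAIN = "idaptive.app"   # documented suffix for bare pod names such as pod1009


def tenant_base_url(value):
    """Turn any accepted -t form into an https:// base URL.

    Accepts a full URL (https://abp5986.id.integration-cyberark.cloud), a host
    name (pod0.idaptive.app) or a bare pod name (pod1009), which is completed
    to <pod>.idaptive.app as the page describes.
    """
    value = value.strip()
    if not value:
        raise ValueError("tenant must not be empty")
    host = urlsplit(value).hostname if "://" in value else value.split("/")[0]
    if not host:
        raise ValueError(f"cannot parse tenant {value!r}")
    host = host.lower()
    if "." not in host:                 # bare pod name
        host = f"{host}.{DEFAULT_DOMAIN}"
    return f"https://{host}"


def build_parser():
    """Parser with the same flags and defaults as the documented usage text."""
    parser = argparse.ArgumentParser(
        prog="AWSCLI.py",
        description="Enter Idaptive Credentials and choose AWS Role to create AWS Profile. "
                    "Use this AWS Profile to run AWS commands.")
    parser.add_argument("-tenant", "-t", metavar="TENANT",
                        help="Enter tenant url or name e.g. pod0.idaptive.app")
    parser.add_argument("-region", "-r", metavar="REGION", default=DEFAULT_REGION,
                        help=f"Enter AWS region. Default is {DEFAULT_REGION}")
    parser.add_argument("-debug", "-d", action="store_true", help="This will make debug on")
    return parser


def parse_args(argv):
    """Parse argv; adds base_url (None when no tenant was given, per the page)."""
    args = build_parser().parse_args(argv)
    args.base_url = tenant_base_url(args.tenant) if args.tenant else None
    return args


if __name__ == "__main__":
    import sys
    parsed = parse_args(sys.argv[1:])
    print(parsed.base_url, parsed.region, parsed.debug)
```

A single-dash long option such as -tenant is legal in argparse and is matched exactly before any prefix matching, so -t and -tenant can coexist as the usage text shows.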