Install the CyberArk Identity AWS PowerShell utility

This section describes how to install version 10 of the CyberArk Identity AWS PowerShell utility.

What's new in v10

  • Profiles are stored in the AWS credentials file. The same profile can be used for both AWS CLI and PowerShell commands.

  • The AWS apps list is sorted by name.

  • The role list is sorted.

  • The profile name contains the AWS account number, so profiles with the same name in different AWS accounts can now be told apart.

Before you begin

  1. Install the AWS CLI.

  2. Install the AWS PowerShell kit.

This PowerShell utility has been tested on the following version of the AWS PowerShell tool:

  • AWS Tools for Windows PowerShell: version 3.3.197.0

  • Amazon Web Services SDK for .NET: Core Runtime Version 3.3.20.0

Install the CyberArk Identity PowerShell utility

  1. Download AWS CLI Tools from the Admin Portal.

  2. Unzip the file into a new folder.

  3. Run Windows PowerShell for AWS as an administrator.

  4. Run Set-ExecutionPolicy Unrestricted to enable the scripts.

  5. Run [System.Net.ServicePointManager]::SecurityProtocol and check for Tls12 in the resulting output. If Tls12 is not in the protocol list, run the following commands:

    $AllProtocols = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
    [System.Net.ServicePointManager]::SecurityProtocol = $AllProtocols

  6. If you are working behind a proxy server, run the following commands so that your PowerShell session uses the proxy credentials:

    $webclient=New-Object System.Net.WebClient
    $creds=Get-Credential
    $webclient.Proxy.Credentials=$creds
  7. Navigate to the aws-cli-utilities-master\AWS Powershell - Idaptive v1 folder that was previously unzipped and run the following command, replacing the tenant variable as needed:

    .\Authenticate.ps1 -Tenant <Tenant.idaptive.app> -Location "\absolute_path\aws\credentials"

    • Both the Tenant and Location parameters are optional.

    • Tenant points to pod0.idaptive.app by default.

    • Location specifies the absolute path of the AWS credentials file.

    • If the location is not specified, the default location USER_HOME/.aws/credentials is used.

  8. Enter your CyberArk Identity credentials for authentication.

    Depending on the per-user configuration, MFA may be required.

    Once this is authenticated, all authorized AWS applications are listed.

  9. Choose an application by entering the number of the application.

    Selecting an application generates a SAML assertion, which is posted to AWS to obtain credentials.

  10. Choose an AWS role.

    If the inputs are correct, the AWS credentials are saved in the profile <ProfileName>. Use <ProfileName> to run AWS commands. For example:

    Get-S3Bucket -ProfileName <ProfileName>

  11. To set your default region, use the following AWS commands:

    Set-DefaultAWSRegion -Region <region>

    where <region> is an AWS region code such as us-east-1 or us-west-1.
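The procedure above, run end to end with a verification pass, as an added example that is not part of the CyberArk utility or its documentation. It assumes Authenticate.ps1 is in the current folder, uses the default tenant and credentials-file location from step 7 (adjust for your environment), and checks the written profile with Get-STSCallerIdentity from AWS Tools for PowerShell before it is used.

```powershell
# Added example: runs the documented steps and verifies the resulting profile.
$Tenant   = 'pod0.idaptive.app'                    # default tenant from step 7 (assumption: adjust)
$CredFile = Join-Path $HOME '.aws\credentials'     # default credentials file from step 7

# Step 5, without downgrading: add Tls12 to whatever is already enabled instead of
# replacing the list with one that re-enables Ssl3.
$tls12 = [System.Net.SecurityProtocolType]::Tls12
if (-not ([System.Net.ServicePointManager]::SecurityProtocol -band $tls12)) {
    [System.Net.ServicePointManager]::SecurityProtocol =
        [System.Net.ServicePointManager]::SecurityProtocol -bor $tls12
}

# Step 7: authenticate; the script writes or updates a profile in $CredFile.
$before = if (Test-Path $CredFile) { (Get-Item $CredFile).LastWriteTime } else { [datetime]::MinValue }
.\Authenticate.ps1 -Tenant $Tenant -Location $CredFile

# Parse the credentials file: INI format, "[profile]" headers followed by "key = value" lines.
function Read-AwsCredentialProfiles([string]$Path) {
    $profiles = @{}
    $current  = $null
    foreach ($line in Get-Content $Path) {
        if ($line -match '^\s*\[(?<name>[^\]]+)\]\s*$') {
            $current = $Matches.name
            $profiles[$current] = @{}
        } elseif ($current -and $line -match '^\s*(?<k>[^=#;]+?)\s*=\s*(?<v>.*)$') {
            $profiles[$current][$Matches.k] = $Matches.v.Trim()
        }
    }
    return $profiles
}

# Confirm a profile was written, then check every SAML-issued (session token) profile.
if ((Get-Item $CredFile).LastWriteTime -le $before) { throw "No profile was written to $CredFile" }
$profiles = Read-AwsCredentialProfiles $CredFile
foreach ($name in $profiles.Keys) {
    $p = $profiles[$name]
    if (-not $p.ContainsKey('aws_session_token')) { continue }   # long-lived keys: not from this run
    Write-Host "Profile '$name' holds temporary credentials; checking caller identity..."
    # Returns the account and assumed-role ARN, so you can confirm the role chosen in step 10.
    Get-STSCallerIdentity -ProfileName $name | Format-List Account, Arn
}
```

Profile names include the account number (see What's new in v10), so the Account value returned by Get-STSCallerIdentity should match the number embedded in the profile name.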

Logging – verbose output

Start logging

To turn on logging and see the verbose output, run the following command:

$VerbosePreference="Continue"

Stop logging

To turn off logging, run the following command:

$VerbosePreference="SilentlyContinue"