CyberArk Authentication Guide

How to authenticate CyberArk Password Vault for use with Tines

Written by Daniel Stoeski
Updated over 8 months ago

CyberArk allows you to seamlessly secure identities while accessing any resource across any infrastructure, including hybrid, SaaS and multi-cloud.

You will need the following resources to set up CyberArk Password Vault authentication:

  • CyberArk Password Vault URL

  • CyberArk Password Vault Username (for On-Premise)/CyberArk Password Vault Client ID (for SaaS)

  • CyberArk Password Vault Password (for On-Premise)/CyberArk Password Vault Client Secret (for SaaS)

  • CyberArk Password Vault Account ID (the ID of the specific service/application you need to retrieve credentials for)

Create CyberArk Password Vault resources and credentials in Tines

You will need to create:

  • Three resources: "CyberArk Password Vault URL", "CyberArk Password Vault Username" (for On-Premise)/"CyberArk Password Vault Client ID" (for SaaS), and "CyberArk Password Vault Account ID"

  • Two HTTP Request type credentials: "CyberArk Password Vault Token" and "CyberArk Password Vault <Service> Token"

Resources

  1. Log in to your Tines tenant

  2. Navigate to the team that will be using the API and click "Resource"

  3. Click "+ New Resource"

  4. Input the values for the CyberArk Password Vault resource

    1. Name: CyberArk Password Vault URL

    2. Description: Optional

    3. Builder: Your CyberArk Password Vault URL

  5. Optional

    1. Access: What other teams can also use the resource

  6. Click "Save resource"

  7. Click "+ New Resource"

  8. Input the values for the CyberArk Password Vault resource

    1. Name: CyberArk Password Vault Username (for On-Premise)/CyberArk Password Vault Client ID (for SaaS)

    2. Description: Optional

    3. Builder: CyberArk Password Vault Username (for On-Premise)/CyberArk Password Vault Client ID (for SaaS)

  9. Optional

    1. Access: What other teams can also use the resource

  10. Click "Save resource"

  11. Click "+ New Resource"

  12. Input the values for the CyberArk Password Vault resource

    1. Name: CyberArk Password Vault Account ID

    2. Description: Optional

    3. Builder: Your CyberArk Password Vault Account ID

  13. Optional

    1. Access: What other teams can also use the resource

  14. Click "Save resource"
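The credential templates in the next section refer to these resources by slug (for example <<RESOURCE.cyberark_password_vault_url>>), and a reference that matches no resource name only fails when the request runs. The following check is an added example, not part of the original guide or of Tines; the slug rule is an assumption inferred from the names and references on this page, and the templates are constructed samples.

```python
import re

# Matches references such as <<RESOURCE.name>> or <<CREDENTIAL.name>>.
REF = re.compile(r"<<(RESOURCE|CREDENTIAL)\.([A-Za-z0-9_]+)>>")

def slug(name):
    """Assumed slug rule: lowercase, runs of non-alphanumerics become one underscore."""
    return re.sub(r"[^a-z0-9]+", "_", name.lower()).strip("_")

def unresolved_refs(resource_names, credential_names, templates):
    """Return sorted (template_label, kind, slug) for references with no matching name."""
    known = {
        "RESOURCE": {slug(n) for n in resource_names},
        "CREDENTIAL": {slug(n) for n in credential_names},
    }
    missing = set()
    for label, text in templates.items():
        for kind, ref in REF.findall(text):
            if ref not in known[kind]:
                missing.add((label, kind, ref))
    return sorted(missing)

# Names as created in this guide (SaaS variant).
RESOURCES = [
    "CyberArk Password Vault URL",
    "CyberArk Password Vault Client ID",
    "CyberArk Password Vault Account ID",
]
CREDENTIALS = ["CyberArk Password Vault Token"]

# Constructed templates; the second one drops "vault" from the slug on purpose.
TEMPLATES = {
    "token url": "https://<<RESOURCE.cyberark_password_vault_url>>/oauth2/platformtoken",
    "token payload": '{"client_id": "<<RESOURCE.cyberark_password_client_id>>", '
                     '"client_secret": "<<secret>>"}',
    "retrieve header": '"Authorization": "<<CREDENTIAL.cyberark_password_vault_token>>"',
}

if __name__ == "__main__":
    for label, kind, ref in unresolved_refs(RESOURCES, CREDENTIALS, TEMPLATES):
        print(f"{label}: <<{kind}.{ref}>> does not match any {kind.lower()} name")
```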

Credentials

Step 1

To generate a CyberArk Password Vault bearer token, follow the steps outlined for the appropriate scenario.

Scenario 1: Tines Cloud Hosted and SaaS CyberArk Password Vault

  1. Navigate to the team that will be using the API and click "Credentials"

  2. Click "+ New Credential" and select "HTTP request"

  3. Input the values for the CyberArk Password Vault credential

    1. Name: CyberArk Password Vault Token

    2. Description: Optional

    3. URL: https://<<RESOURCE.cyberark_password_vault_url>>/oauth2/platformtoken

    4. Content Type: JSON

    5. Method: post

    6. Payload: Copy the below object and paste into the "Plain code" section:

      {
      "client_id": "<<RESOURCE.cyberark_password_vault_client_id>>",
      "client_secret": "<<secret>>",
      "grant_type": "client_credentials",
      "concurrentSession": "True"
      }

    7. Secret: CyberArk Password Vault Client Secret

  4. Click "Save"

  5. Click "Run request" and make sure it returns a successful response.

  6. Location of token from response: cyberark_password_vault_token.body

  7. Optional

    1. Domains: Ensure this credential can only be used when making HTTP requests to specific domains

    2. Access: What other teams can also use the API

  8. Click "Save"

Scenario 2: Tines Cloud Hosted and On-Premise CyberArk Password Vault

  1. Navigate to the team that will be using the API and click "Credentials"

  2. Click "+ New Credential" and select "HTTP request"

  3. Input the values for the CyberArk Password Vault credential

    1. Name: CyberArk Password Vault Token

    2. Description: Optional

    3. URL: https://<<RESOURCE.cyberark_password_vault_url>>/passwordvault/api/Auth/cyberark/logon

    4. Content Type: JSON

    5. Method: post

    6. Payload: Copy the below object and paste into the "Plain code" section:

      {
      "username": "<<RESOURCE.cyberark_password_vault_username>>",
      "password": "<<secret>>",
      "concurrentSession": "true"
      }

    7. Secret: CyberArk Password Vault Password

    8. Click "+ Add option" and add "Use tunnel"

  4. Click "Save"

  5. Click "Run request" and make sure it returns a successful response.

  6. Location of token from response: cyberark_password_vault_token.body

  7. TTL: 30

  8. Optional

    1. Domains: Ensure this credential can only be used when making HTTP requests to specific domains

    2. Access: What other teams can also use the API

  9. Click "Save"

Scenario 3: Tines Self Hosted and On-Premise CyberArk Password Vault

  1. Navigate to the team that will be using the API and click "Credentials"

  2. Click "+ New Credential" and select "HTTP request"

  3. Input the values for the CyberArk Password Vault credential

    1. Name: CyberArk Password Vault Token

    2. Description: Optional

    3. URL: https://<<RESOURCE.cyberark_password_vault_url>>/passwordvault/api/Auth/cyberark/logon

    4. Content Type: JSON

    5. Method: post

    6. Payload: Copy the below object and paste into the "Plain code" section:

      {
      "username": "<<RESOURCE.cyberark_password_vault_username>>",
      "password": "<<secret>>",
      "concurrentSession": "true"
      }

    7. Secret: CyberArk Password Vault Password

  4. Click "Save"

  5. Click "Run request" and make sure it returns a successful response.

  6. Location of token from response: cyberark_password_vault_token.body

  7. TTL: 30

  8. Optional

    1. Domains: Ensure this credential can only be used when making HTTP requests to specific domains

    2. Access: What other teams can also use the API

  9. Click "Save"

Step 2

Now that the CyberArk Password Vault bearer token is stored in a credential, the token can be leveraged to make a subsequent call to retrieve specific service/application credentials.

For Service/Application token (SaaS):

  1. Navigate to the team that will be using the API and click "Credentials"

  2. Click "+ New Credential" and select "HTTP request"

  3. Input the values for the CyberArk Password Vault credential

    1. Name: CyberArk Password Vault <Service> Token

    2. Description: Optional

    3. URL: https://<<RESOURCE.cyberark_password_vault_url>>.privilegecloud.cyberark.cloud/PasswordVault/API/Accounts/<<RESOURCE.cyberark_password_vault_account_id>>/Password/Retrieve

    4. Content Type: JSON

    5. Method: post

    6. Payload: Copy the below object and paste into the "Plain code" section and modify as required:

      {
      "reason": "EnterReason"
      }

    7. Headers: "Authorization": "<<CREDENTIAL.cyberark_password_vault_token>>"

  4. Click "Save"

  5. Click "Run request" and make sure it returns a successful response.

  6. Location of token from response: cyberark_password_vault_<service>_token.body where <service> is the service you are retrieving the credentials for

  7. Optional

    1. Domains: Ensure this credential can only be used when making HTTP requests to specific domains

    2. Access: What other teams can also use the API

  8. Click "Save"

For Service/Application token (On-Premise):

  1. Navigate to the team that will be using the API and click "Credentials"

  2. Click "+ New Credential" and select "HTTP request"

  3. Input the values for the CyberArk Password Vault credential

    1. Name: CyberArk Password Vault <Service> Token

    2. Description: Optional

    3. URL: https://<<RESOURCE.cyberark_password_vault_url>>/passwordvault/api/accounts/<<RESOURCE.cyberark_password_vault_account_id>>/password/retrieve

    4. Content Type: JSON

    5. Method: post

    6. Payload: Copy the below object and paste into the "Plain code" section and modify as required:

      {
      "reason": "api testing",
      "TicketingSystem": "SIR12342134",
      "TicketId": "CHG0000123",
      "ActionType": "show",
      "isUse": false,
      "Machine": "tines"
      }

    7. Headers: "Authorization": "<<CREDENTIAL.cyberark_password_vault_token>>"

    8. (Optional) Click "+ Add option" and add "Use tunnel"

  4. Click "Save"

  5. Click "Run request" and make sure it returns a successful response.

  6. Location of token from response: cyberark_password_vault_<service>_token.body where <service> is the service you are retrieving the credentials for

  7. Optional

    1. Domains: Ensure this credential can only be used when making HTTP requests to specific domains

    2. Access: What other teams can also use the API

  8. Click "Save"
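The On-Premise exchange from Step 1 and Step 2, written out as a client so the vault side can be checked outside Tines. This is an added example, not part of the original guide; it assumes the vault returns the token and the password as JSON strings in the response body (matching the ".body" locations above), and the host name, user name, account ID and fake_vault responder are constructed.

```python
import json
import urllib.request
from urllib.parse import quote

def http_post(url, payload, headers):
    """Real transport: POST a JSON body and return the decoded JSON response."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())

def logon(vault_host, username, password, post=http_post):
    """Step 1: exchange the username and password for a session token."""
    url = f"https://{vault_host}/passwordvault/api/Auth/cyberark/logon"
    body = {"username": username, "password": password, "concurrentSession": "true"}
    token = post(url, body, {})
    if not isinstance(token, str) or not token:
        raise ValueError("logon response did not contain a token string")
    return token

def retrieve_password(vault_host, account_id, token, reason, post=http_post):
    """Step 2: send the Step 1 token as the Authorization header value."""
    # Percent-encode the account ID so it cannot alter the request path.
    path = f"/passwordvault/api/accounts/{quote(account_id, safe='')}/password/retrieve"
    secret = post(f"https://{vault_host}{path}", {"reason": reason}, {"Authorization": token})
    if not isinstance(secret, str) or not secret:
        raise ValueError("retrieve response did not contain a password string")
    return secret

def fake_vault(url, payload, headers):
    """Constructed stand-in for the vault so the exchange runs offline."""
    if url.endswith("/Auth/cyberark/logon"):
        return "CONSTRUCTED-TOKEN" if payload["password"] == "example-pass" else ""
    if headers.get("Authorization") != "CONSTRUCTED-TOKEN":
        raise PermissionError("missing or wrong Authorization header")
    return "constructed-service-password"

if __name__ == "__main__":
    host = "vault.example.test"  # constructed host name
    token = logon(host, "svc_tines", "example-pass", post=fake_vault)
    password = retrieve_password(host, "12_34", token, "api testing", post=fake_vault)
    print("retrieved", len(password), "characters")  # never print the secret itself
```

Omit the post argument to send the requests to a real vault with http_post.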

Your credentials should look like the following (screenshots in the original: Step 1 for Scenarios 1, 2 and 3; Step 2 for the SaaS and On-Premise Service/Application tokens).

More on creating credentials in Tines here.

You can also find a selection of CyberArk Password Vault stories in the story library.
