CyberArk Authentication Guide

How to authenticate CyberArk Password Vault for use with Tines

Written by Daniel Stoeski
Updated this week

CyberArk allows you to seamlessly secure identities while accessing any resource across any infrastructure, including hybrid, SaaS and multi-cloud.

You will need the following resources to set up CyberArk Password Vault authentication:

  • CyberArk Password Vault URL

  • CyberArk Password Vault Username (for On-Premise)/CyberArk Password Vault Client ID (for SaaS)

  • CyberArk Password Vault Password (for On-Premise)/CyberArk Password Vault Client Secret (for SaaS)

  • CyberArk Password Vault Account ID (the ID of the specific service/application you need to retrieve credentials for)

Create CyberArk Password Vault resources and credentials in Tines

You will need to create:

  • Three resources: "CyberArk Password Vault URL", "CyberArk Password Vault Username" (for On-Premise)/"CyberArk Password Vault Client ID" (for SaaS), and "CyberArk Password Vault Account ID"

  • Two HTTP Request type credentials: "CyberArk Password Vault Token" and "CyberArk Password Vault <Service> Token"

Resources

  1. Log in to your Tines tenant

  2. Navigate to the team that will be using the API and click "Resource"

  3. Click "+ New Resource"

  4. Input the values for the CyberArk Password Vault resource

    1. Name: CyberArk Password Vault URL

    2. Description: Optional

    3. Builder: Your CyberArk Password Vault URL

  5. Optional

    1. Access: What other teams can also use the resource

  6. Click "Save resource"

  7. Click "+ New Resource"

  8. Input the values for the CyberArk Password Vault resource

    1. Name: CyberArk Password Vault Username (for On-Premise)/CyberArk Password Vault Client ID (for SaaS)

    2. Description: Optional

    3. Builder: CyberArk Password Vault Username (for On-Premise)/CyberArk Password Vault Client ID (for SaaS)

  9. Optional

    1. Access: What other teams can also use the resource

  10. Click "Save resource"

  11. Click "+ New Resource"

  12. Input the values for the CyberArk Password Vault resource

    1. Name: CyberArk Password Vault Account ID

    2. Description: Optional

    3. Builder: Your CyberArk Password Vault Account ID

  13. Optional

    1. Access: What other teams can also use the resource

  14. Click "Save resource"

Credentials

Step 1

To generate a CyberArk Password Vault bearer token, follow the steps outlined for the appropriate scenario.

Scenario 1: Tines Cloud Hosted and SaaS CyberArk Password Vault

  1. Navigate to the team that will be using the API and click "Credentials"

  2. Click "+ New Credential" and select "HTTP request"

  3. Input the values for the CyberArk Password Vault credential

    1. Name: CyberArk Password Vault Token

    2. Description: Optional

    3. URL: https://<<RESOURCE.cyberark_password_vault_url>>/oauth2/platformtoken

    4. Content Type: JSON

    5. Method: post

    6. Payload: Copy the below object and paste into the "Plain code" section:

      { 
      "client_id": "<<RESOURCE.cyberark_password_vault_client_id>>",
      "client_secret": "<<secret>>",
      "grant_type": "client_credentials",
      "concurrentSession": "True"
      }

    7. Secret: CyberArk Password Vault Client Secret

  4. Click "Save"

  5. Click "Run request" and make sure it returns a successful response.

  6. Location of token from response: cyberark_password_vault_token.body

  7. Optional

    1. Domains: Ensure this credential can only be used when making HTTP requests to specific domains

    2. Access: What other teams can also use the API

  8. Click "Save"

Scenario 2: Tines Cloud hosted and On-Premise CyberArk Password Vault

  1. Navigate to the team that will be using the API and click "Credentials"

  2. Click "+ New Credential" and select "HTTP request"

  3. Input the values for the CyberArk Password Vault credential

    1. Name: CyberArk Password Vault Token

    2. Description: Optional

    3. URL: https://<<RESOURCE.cyberark_password_vault_url>>/passwordvault/api/Auth/cyberark/logon

    4. Content Type: JSON

    5. Method: post

    6. Payload: Copy the below object and paste into the "Plain code" section:

      {
      "username": "<<RESOURCE.cyberark_password_vault_username>>",
      "password": "<<secret>>",
      "concurrentSession": "true"
      }

    7. Secret: CyberArk Password Vault Password

    8. Click "+ Add option" and add "Use tunnel"

  4. Click "Save"

  5. Click "Run request" and make sure it returns a successful response.

  6. Location of token from response: cyberark_password_vault_token.body

  7. TTL: 30

  8. Optional

    1. Domains: Ensure this credential can only be used when making HTTP requests to specific domains

    2. Access: What other teams can also use the API

  9. Click "Save"

Scenario 3: Tines Self Hosted and On-Premise CyberArk Password Vault

  1. Navigate to the team that will be using the API and click "Credentials"

  2. Click "+ New Credential" and select "HTTP request"

  3. Input the values for the CyberArk Password Vault credential

    1. Name: CyberArk Password Vault Token

    2. Description: Optional

    3. URL: https://<<RESOURCE.cyberark_password_vault_url>>/passwordvault/api/Auth/cyberark/logon

    4. Content Type: JSON

    5. Method: post

    6. Payload: Copy the below object and paste into the "Plain code" section:

      {
      "username": "<<RESOURCE.cyberark_password_vault_username>>",
      "password": "<<secret>>",
      "concurrentSession": "true"
      }

    7. Secret: CyberArk Password Vault Password

  4. Click "Save"

  5. Click "Run request" and make sure it returns a successful response.

  6. Location of token from response: cyberark_password_vault_token.body

  7. TTL: 30

  8. Optional

    1. Domains: Ensure this credential can only be used when making HTTP requests to specific domains

    2. Access: What other teams can also use the API

  9. Click "Save"

Step 2

Now that the CyberArk Password Vault bearer token is stored in a credential, the token can be leveraged to make a subsequent call to retrieve specific service/application credentials.

For Service/Application token (SaaS):

  1. Navigate to the team that will be using the API and click "Credentials"

  2. Click "+ New Credential" and select "HTTP request"

  3. Input the values for the CyberArk Password Vault credential

    1. Name: CyberArk Password Vault <Service> Token

    2. Description: Optional

    3. URL: https://<<RESOURCE.cyberark_password_vault_url>>.privilegecloud.cyberark.cloud/PasswordVault/API/Accounts/<<RESOURCE.cyberark_password_vault_account_id>>/Password/Retrieve

    4. Content Type: JSON

    5. Method: post

    6. Payload: Copy the below object and paste into the "Plain code" section and modify as required:

      {
      "reason": "EnterReason"
      }

    7. Headers: "Authorization": "<<CREDENTIAL.cyberark_password_vault_token>>"

  4. Click "Save"

  5. Click "Run request" and make sure it returns a successful response.

  6. Location of token from response: cyberark_password_vault_<service>_token.body where <service> is the service you are retrieving the credentials for

  7. Optional

    1. Domains: Ensure this credential can only be used when making HTTP requests to specific domains

    2. Access: What other teams can also use the API

  8. Click "Save"

For Service/Application token (On-Premise):

  1. Navigate to the team that will be using the API and click "Credentials"

  2. Click "+ New Credential" and select "HTTP request"

  3. Input the values for the CyberArk Password Vault credential

    1. Name: CyberArk Password Vault <Service> Token

    2. Description: Optional

    3. URL: https://<<RESOURCE.cyberark_password_vault_url>>/passwordvault/api/accounts/<<RESOURCE.cyberark_password_vault_account_id>>/password/retrieve

    4. Content Type: JSON

    5. Method: post

    6. Payload: Copy the below object and paste into the "Plain code" section and modify as required:

      {
      "reason": "api testing",
      "TicketingSystem": "SIR12342134",
      "TicketId": "CHG0000123",
      "ActionType": "show",
      "isUse": false,
      "Machine": "tines"
      }

    7. Headers: "Authorization": "<<CREDENTIAL.cyberark_password_vault_token>>"

    8. (Optional) Click "+ Add option" and add "Use tunnel"

  4. Click "Save"

  5. Click "Run request" and make sure it returns a successful response.

  6. Location of token from response: cyberark_password_vault_<service>_token.body where <service> is the service you are retrieving the credentials for

  7. Optional

    1. Domains: Ensure this credential can only be used when making HTTP requests to specific domains

    2. Access: What other teams can also use the API

  8. Click "Save"
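
The on-premise chain configured above (logon in Step 1, then password retrieval in Step 2 with the token as the Authorization header), written out as a script for checking the flow outside Tines. This is an added example, not Tines or CyberArk code: the function names, the host `vault.example.test` and the `fake_vault` transport are constructed, and it assumes each response body is a single JSON string, matching the `.body` token location used in this guide.

```python
import json
from urllib.parse import quote
from urllib.request import Request, urlopen


def _post(url, payload, token=None):
    """Build a JSON POST; the session token, if any, goes in Authorization."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = token
    return Request(url, data=json.dumps(payload).encode(),
                   headers=headers, method="POST")


def _send(req):
    """Default transport: a real HTTPS call with certificate verification."""
    with urlopen(req, timeout=15) as resp:
        return resp.read().decode()


def retrieve_password(vault_host, username, password, account_id, reason,
                      send=_send):
    # The guide's URL templates prepend https://, so the resource value must be
    # a bare host; a stored scheme or path would produce a malformed URL.
    if not vault_host or "/" in vault_host or "@" in vault_host:
        raise ValueError("vault_host must be a bare hostname")
    base = f"https://{vault_host}/passwordvault/api"
    # Step 1: logon. Assumption: the response body is the token as a JSON string.
    token = json.loads(send(_post(f"{base}/Auth/cyberark/logon", {
        "username": username, "password": password,
        "concurrentSession": "true"})))
    if not isinstance(token, str) or not token:
        raise RuntimeError("logon response did not contain a token")
    # Step 2: the token from step 1 is the Authorization header value.
    url = f"{base}/accounts/{quote(account_id, safe='')}/password/retrieve"
    secret = json.loads(send(_post(url, {"reason": reason}, token)))
    if not isinstance(secret, str) or not secret:
        raise RuntimeError("retrieve response did not contain a password")
    return secret


def fake_vault(req):
    """Constructed stand-in for the vault so the example runs offline."""
    if req.full_url.endswith("/Auth/cyberark/logon"):
        return json.dumps("CONSTRUCTED-SESSION-TOKEN")
    if req.get_header("Authorization") != "CONSTRUCTED-SESSION-TOKEN":
        raise PermissionError("401: missing or wrong session token")
    return json.dumps("constructed-service-password")
```

Pass `send=fake_vault` to run it offline; with the default transport it calls the real vault, so keep the password out of shell history and logs.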

More on creating credentials in Tines here.

You can also find a selection of CyberArk Password Vault stories in the story library.
