Obtaining passwords from password vaults

Define parameters in the job definition to retrieve passwords from password vaults.

In addition to resolving passwords locally on agents, as described in Specifying local variables and passwords in the job definitions, you can specify a string or a query within the job definition to retrieve the password from a password vault. A dedicated dynamic agent, specified in the string or query, interacts with the password vault and returns the password required to run the job. For more information about configuring agents to work with password vaults, see Configuring the agent to work with a password vault.

When creating the job definition, add the following syntax in the <jsdl:password>...</jsdl:password> section:
${vault:vault_wks#vault-profile-name:query-for-username}
where
vault_wks
The workstation in charge of interacting with the password vault. Supported workstation types are:
  • dynamic agents
  • pools
  • dynamic pools
  • z-centric agents (if configured to communicate with a dynamic domain manager)
vault-profile-name
The name of the profile to be applied when interacting with the password vault. This parameter is optional. For more information, see Configuring the agent to work with a password vault.
query-for-username
The name of the user whose password you want to retrieve. You can also specify a query in the format supported by the password vault if you have complex requirements for password management. For more information, see Query format. This query format applies to CyberArk. If you plan to use a different password vault, you have to use its specific syntax. If you specify a query, it overrides any other settings defined in the string.
Note: Make sure you write the query in a way that it retrieves only a single, unique password. If the query results in multiple passwords, the job fails with an error returned by the CyberArk server.

See also the examples and queries detailed in Examples of job definitions with password retrieval from CyberArk.

Query format

In addition to specifying the password request by filling in the fields described above, you can also use the syntax described in this section to create complex queries.

The syntax combines the following parameters, which are available in the AppDescs and Query sections of the CyberArk.ini file:

[CyberArk.AppDescs]
AppID
The unique ID of the application issuing the password request. This parameter is required.
[CyberArk.Query]
Safe
The name of the Safe where the password is stored.
Folder
The name of the folder where the password is stored.
Object
The name of the password object to retrieve.
Username
Defines search criteria according to the UserName account property.
Address
Defines search criteria according to the Address account property.
PolicyID
Defines the format that will be used in the setPolicyID method.
Database
Defines search criteria according to the Database account property.
Combine the parameters in the following format, separating them with semicolons:
<section_name>::<parameter_name>=parameter_value;<section_name>::<parameter_name>=parameter_value...
Consider the following example:
AppDescs::AppID=TestApplicationCert;Query::Safe=TestSafe;Query::Username=ITAuser;…;Query::PolicyID=UnixSSH
Note: Make sure you write the query in a way that it retrieves only a single, unique password. If the query results in multiple passwords, the job fails with an error returned by the CyberArk server.

For a full list of the parameters available in the CyberArk.ini file, see Defining parameters in the CyberArk.ini file.

See also the examples and queries detailed in Examples of job definitions with password retrieval from CyberArk.
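The following added example (not part of the product documentation or its code) is a small Python check that you can run over the content of <jsdl:password> before a job definition is saved. It flags values that are not vault references and queries that do not follow the format described above. The workstation name AGENT1, the profile name profile1, and the handling of an omitted profile are assumptions, and the list of accepted parameters is limited to those named on this page.

```python
import re

# Sections and parameters named on this page; the full set is in the CyberArk.ini reference.
KNOWN = {
    "AppDescs": {"AppID"},
    "Query": {"Safe", "Folder", "Object", "Username", "Address", "PolicyID", "Database"},
}
# Assumption: when the optional profile is omitted, "#profile" is dropped or left empty.
VAULT_RE = re.compile(r"^\$\{vault:([^#:}]+)(?:#([^:}]*))?:(.+)\}$")

def parse_query(query):
    """Split 'Section::Param=value;...' into {(section, param): value}."""
    params = {}
    for part in filter(None, (p.strip() for p in query.split(";"))):
        m = re.match(r"^(\w+)::(\w+)=(.*)$", part)
        if not m:
            raise ValueError(f"malformed query term: {part!r}")
        section, name, value = m.groups()
        if name not in KNOWN.get(section, ()):
            raise ValueError(f"unknown parameter: {section}::{name}")
        if not value or (section, name) in params:
            raise ValueError(f"empty or duplicate parameter: {section}::{name}")
        params[(section, name)] = value
    return params

def parse_vault_ref(text):
    """Parse the content of <jsdl:password> into workstation, profile and lookup."""
    m = VAULT_RE.match(text.strip())
    if not m:
        raise ValueError("not a ${vault:...} reference")
    wks, profile, lookup = m.groups()
    ref = {"workstation": wks, "profile": profile or None}
    if "::" in lookup:  # query form, overrides the other settings in the string
        ref["query"] = parse_query(lookup)
    else:               # plain user name
        ref["username"] = lookup
    return ref

def lint_password(text):
    """Return None for a valid vault reference, otherwise a finding string."""
    try:
        parse_vault_ref(text)
    except ValueError as exc:
        return f"invalid vault reference: {exc}"
    return None

if __name__ == "__main__":
    # Constructed sample values for the <jsdl:password> element.
    for value in ("${vault:AGENT1#profile1:ITAuser}", "S3cret!"):
        print(value, "->", lint_password(value) or "ok")
```

The check is purely syntactic: whether a query resolves to a single, unique password can only be confirmed against the vault itself.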