Retrieve Password from CyberArk using PowerShell

  • Hi, I am new to PowerShell scripting and I have to create a PowerShell script to get the password for a SQL service account from CyberArk. Could you please suggest how to do that?

  • I don't know about CyberArk but I would hope that getting a Password for an SQL Service Account couldn't actually be done in such an easy fashion.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Dear Lord... I'm a production DBA. Please grant me patience because, if you grant me strength, I'm gonna need bail money to go with it.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • There is documentation for it: https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CP%20and%20ASCP/Net-Application-Password-SDK.htm?tocpath=Developer%7CCredential%20Provider%7CApplication%20Password%20SDK%7C.NET%20Application%20Password%20SDK%7C_____0

    As in PowerShell you can use any .NET DLL, it's just a question of setting up a script to do it.

    I may be able to provide the basis for one in the next few days.

    But the main issue here: except for a few rare exceptions, a SQL Server instance should either run under a local account (for which you don't have a password at all) or under an MSA/gMSA, for which again you don't have passwords you can use/manage.

    So if your setup is using a "normal" user as a service account, you should be looking into replacing it instead of trying to automate getting and updating its password.
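The post above points at the .NET Application Password SDK as the way to do this from PowerShell. The following is an added example, not code from this thread or from CyberArk, of what such a script looks like when the retrieved password is wrapped in a PSCredential instead of being handled as a plain string. Everything install-specific is an assumption to adjust: the DLL path, the assembly namespace CyberArk.AIM.NetPasswordSDK with its PSDKPasswordRequest / PasswordSDK.GetPassword members and the Content/UserName/Address properties of the result, and the AppID, safe and object names, which are placeholders.

```powershell
# Added example, not code from this thread or from CyberArk: retrieve one account's
# password through the CyberArk .NET Application Password SDK from PowerShell and
# hand it on as a PSCredential so the plaintext never reaches a log or transcript.
# Assumptions to adjust for your install: the DLL path, the assembly namespace
# CyberArk.AIM.NetPasswordSDK with its PSDKPasswordRequest / PasswordSDK.GetPassword
# members and the Content/UserName/Address properties of the result, and the
# AppID/Safe/Object values, which are placeholders.

param(
    [string]$SdkPath = 'C:\Program Files (x86)\CyberArk\ApplicationPasswordSdk\NetPasswordSDK.dll',  # assumed
    [string]$AppId   = 'SqlMaintenance',                                 # app registered in the Vault (placeholder)
    [string]$Safe    = 'SQL-ServiceAccounts',                            # placeholder
    [string]$Object  = 'Operating System-WinDomain-contoso.com-svc_sql', # account object name (placeholder)
    [string]$Reason  = 'Scheduled maintenance run'                       # lands in the Vault audit trail
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

Add-Type -Path $SdkPath   # load the SDK assembly

function Get-CyberArkCredential {
    [CmdletBinding()]
    [OutputType([pscredential])]
    param(
        [Parameter(Mandatory)] [string]$AppId,
        [Parameter(Mandatory)] [string]$Safe,
        [Parameter(Mandatory)] [string]$Object,
        [string]$Reason = 'Automated retrieval'
    )

    $request = New-Object CyberArk.AIM.NetPasswordSDK.PSDKPasswordRequest
    $request.AppID  = $AppId
    $request.Safe   = $Safe
    $request.Folder = 'Root'
    $request.Object = $Object
    $request.Reason = $Reason

    # The local Credential Provider checks the application's allowed machine, OS user,
    # path and hash (the restrictions described in the thread) before this returns anything.
    $response = [CyberArk.AIM.NetPasswordSDK.PasswordSDK]::GetPassword($request)

    $plain = $response.Content
    try {
        $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
        $user   = '{0}\{1}' -f $response.Address, $response.UserName   # DOMAIN\account (assumed properties)
        return [pscredential]::new($user, $secure)
    }
    finally {
        # .NET strings are immutable, so this only drops our references; keep the
        # plaintext's lifetime short and never Write-Output/Write-Host it.
        $plain    = $null
        $response = $null
    }
}

$cred = Get-CyberArkCredential -AppId $AppId -Safe $Safe -Object $Object -Reason $Reason
Write-Verbose "Retrieved credential for $($cred.UserName)"

# Consume it only through cmdlets that take a PSCredential, e.g. for a Windows account
#   Invoke-Command -ComputerName sql01 -Credential $cred -ScriptBlock { Get-Service MSSQLSERVER }
# and for a SQL login (SqlServer module)
#   Invoke-Sqlcmd -ServerInstance sql01 -Credential $cred -Query 'SELECT @@SERVERNAME'
```

The check worth keeping from the post above still applies: if the account in $Object is the one the SQL Server service itself logs on as, the script is automating something a gMSA would make unnecessary, and the PSCredential only helps with the SQL logins and admin accounts that have no such alternative.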

  • Jeff Moden wrote:

    I don't know about CyberArk but I would hope that getting a Password for an SQL Service Account couldn't actually be done in such an easy fashion.

    CyberArk, if used properly, would be more secure than having a DBA retrieving and resetting a SQL instance password (or any other password for that matter).

    It can even rotate SQL Server credentials without intervention from a "human".

    For highly privileged accounts (or even not so high) it's possible to "force" the retrieval of such passwords only on a particular computer, with a specific IP, when executed by a certain application (using hash fingerprints of the application), by a certain user, and with the application in a certain folder.

  • frederico_fonseca wrote:

    CyberArk, if used properly, would be more secure than having a DBA retrieving and resetting a SQL instance password (or any other password for that matter).

    It can even rotate SQL Server credentials without intervention from a "human".

    For highly privileged accounts (or even not so high) it's possible to "force" the retrieval of such passwords only on a particular computer, with a specific IP, when executed by a certain application (using hash fingerprints of the application), by a certain user, and with the application in a certain folder.

    Understood. My issue isn't so much with CyberArk... my issue would be with how someone uses it in PowerShell. The OP said he had to write some PoSh to "get password for SQL service account".

    My first concern is why does anyone need the password for the SQL Service Account? IMHO, they simply don't need it. They should have an AD login to use.

    --Jeff Moden



  • Jeff Moden wrote:

    Understood. My issue isn't so much with CyberArk... my issue would be with how someone uses it in PowerShell. The OP said he had to write some PoSh to "get password for SQL service account".

    My first concern is why does anyone need the password for the SQL Service Account? IMHO, they simply don't need it. They should have an AD login to use.

    We used CyberArk to store passwords at my former employer. We had a requirement to change the service ID passwords once a year, and had PowerShell scripts that would retrieve the old password from CyberArk, write the new password there, then change the password in AD. The PowerShell scripts ran under the context of another service ID that had permission to run the scripts. The old password was retrieved in case something failed during the updates.

    CyberArk has all sorts of options for storing and retrieving passwords based on who you are, your permissions and such. One of the options is to require approval from some set of approvers before a password is released. It also handles split passwords, and will log in to an RDP session without the user seeing a password at all. If you have a need for that sort of application, CyberArk works well.
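The rotation described above (read the current password from the Vault, store the new one, then reset it in AD, keeping the old value for recovery) is the kind of job that benefits from being spelled out, because the order of the steps decides what state you are left in when one fails. This is an added example, not the script Ross describes and not CyberArk's code, of that sequence written against the PVWA REST API. The base URL is a placeholder, and the endpoint paths and request bodies (Auth/CyberArk/Logon, Accounts search with a safeName filter, Password/Retrieve, Password/Update, Auth/Logoff) are reproduced from the CyberArk REST reference as recalled here and must be checked against your version; the automation identity in $VaultCred is assumed to have retrieve and change-in-vault rights on the safe and reset-password rights on the AD account.

```powershell
# Added example, not Ross's script or CyberArk's code: rotate a service ID the way the
# post describes (retrieve old from the Vault, store new, reset in AD, roll back on failure)
# using the PVWA REST API. Endpoint paths/bodies and the URL are assumptions; verify them.

param(
    [Parameter(Mandatory)] [string]$PvwaBase,          # e.g. https://pvwa.contoso.com/PasswordVault (placeholder)
    [Parameter(Mandatory)] [pscredential]$VaultCred,   # the identity the job runs as, not the account rotated
    [Parameter(Mandatory)] [string]$Safe,
    [Parameter(Mandatory)] [string]$AccountName,       # sAMAccountName of the service ID, e.g. svc_sql
    [int]$PasswordLength = 32
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

function New-RandomPassword([int]$Length) {
    # CSPRNG with rejection sampling so the modulo does not favour the first characters.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%&*+-=?@^_'
    $limit    = 256 - (256 % $alphabet.Length)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
        }
    }
    finally { $rng.Dispose() }
    $sb.ToString()
}

function Connect-Pvwa {
    $body = @{ username = $VaultCred.UserName
               password = $VaultCred.GetNetworkCredential().Password } | ConvertTo-Json
    $token = Invoke-RestMethod -Method Post -Uri "$PvwaBase/API/Auth/CyberArk/Logon" `
                               -ContentType 'application/json' -Body $body
    @{ Authorization = $token }
}

function Get-VaultAccountId($Headers) {
    $query = 'search={0}&filter={1}' -f [uri]::EscapeDataString($AccountName),
                                        [uri]::EscapeDataString("safeName eq $Safe")
    $hits  = @((Invoke-RestMethod -Method Get -Uri "$PvwaBase/API/Accounts?$query" -Headers $Headers).value |
               Where-Object { $_.userName -eq $AccountName })
    if ($hits.Count -ne 1) { throw "Expected one account '$AccountName' in safe '$Safe', found $($hits.Count)" }
    $hits[0].id
}

function Get-VaultPassword($Headers, $Id) {
    $body = @{ reason = 'Annual service ID rotation' } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Uri "$PvwaBase/API/Accounts/$Id/Password/Retrieve" `
                      -Headers $Headers -ContentType 'application/json' -Body $body
}

function Set-VaultPassword($Headers, $Id, [string]$NewPassword) {
    # "Change credentials in the Vault" only: updates the stored value, does not touch AD.
    $body = @{ NewCredentials = $NewPassword } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Uri "$PvwaBase/API/Accounts/$Id/Password/Update" `
                      -Headers $Headers -ContentType 'application/json' -Body $body | Out-Null
}

$headers = Connect-Pvwa
try {
    $id  = Get-VaultAccountId $headers
    $old = Get-VaultPassword $headers $id          # kept only for rollback, never logged
    $new = New-RandomPassword $PasswordLength

    Set-VaultPassword $headers $id $new             # 1. Vault first, the order used in the post
    try {
        Set-ADAccountPassword -Identity $AccountName -Reset `
            -NewPassword (ConvertTo-SecureString $new -AsPlainText -Force)   # 2. then AD
    }
    catch {
        Set-VaultPassword $headers $id $old         # 3. AD failed: put the Vault back in step with AD
        throw
    }
    Write-Verbose "Rotated $AccountName; Vault and AD now agree"
}
finally {
    $old = $new = $null
    Invoke-RestMethod -Method Post -Uri "$PvwaBase/API/Auth/Logoff" -Headers $headers | Out-Null
}
```

Two things to note when running this for real. Between step 1 and step 3 the Vault and AD disagree, so the job must not be killed in that window and the rollback branch is what makes the "retrieve the old password first" step worth doing. And resetting the AD password does not update the logon password stored for the SQL Server and SQL Agent services on the host; those still have to be given the new value (SQL Server Configuration Manager or the service control manager) and restarted, which is exactly the operational cost the gMSA recommendation earlier in the thread removes.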

  • Ross McMicken wrote:

    We used CyberArk to store passwords at my former employer. We had a requirement to change the service ID passwords once a year, and had PowerShell scripts that would retrieve the old password from CyberArk, write the new password there, then change the password in AD. The PowerShell scripts ran under the context of another service ID that had permission to run the scripts. The old password was retrieved in case something failed during the updates.

    CyberArk has all sorts of options for storing and retrieving passwords based on who you are, your permissions and such. One of the options is to require approval from some set of approvers before a password is released. It also handles split passwords, and will log in to an RDP session without the user seeing a password at all. If you have a need for that sort of application, CyberArk works well.

    Alright... that sounds safer than what I was envisioning. Thank you for the information.

    --Jeff Moden


