CyberArk's Official SDK and CLI for different services operations
- Extensive and Interactive CLI
- Different Authenticators
    - Identity Authentication Methods
    - MFA Support for Identity
    - Identity Security Platform
- Ready to use SDK in Golang
- Fully Interactive CLI comprising 3 main actions
    - Configure
    - Login
    - Exec
- Services API
    - SIA SSO Service
    - SIA K8S Service
    - SIA VM Secrets Service
    - SIA DB Secrets Service
    - SIA Target Sets Workspace Service
    - SIA Access Service
    - SIA SSH CA Key Service
    - Connector Manager Service
    - PCloud Accounts Service
    - PCloud Safes Service
    - Identity Directories Service
    - Identity Roles Service
    - Identity Users Service
    - Secrets Hub Secret Stores Service
    - Secrets Hub Secrets Service
    - Secrets Hub Sync Policies Service
    - Secrets Hub Scans Service
    - Secrets Hub Service Info Service
    - Secrets Hub Configuration Service
    - Secrets Hub Filters Service
    - Session Monitoring Service
    - Unified Access Policies Service
        - SCA - Secure Cloud Access
        - DB - Databases
        - VM - Virtual Machines
- Filesystem Inputs and Outputs for the CLI
- Silent and Verbose logging
- Profile Management and Authentication Caching
One can install the SDK via the following command:
go install github.com/cyberark/ark-sdk-golang/cmd/ark@latest
Both the SDK and the CLI work with profiles
Profiles can be configured as needed and are then used for subsequent actions
The CLI has the following basic commands:
- configure - Configures profiles and their respective authentication methods
- login - Logs into the profile authentication methods
- exec - Executes different commands based on the supported services
- profiles - Manage multiple profiles on the machine
- cache - Manage the cache of the authentication methods
The configure command is used to create a profile to work on
The profile consists of information about which authentication methods to use and their settings, along with other related information such as MFA
How to run:
ark configure
The profiles are saved to ~/.ark_profiles
No arguments are required, and interactive questions will be asked
If you wish to supply only arguments, in a silent fashion, --silent can be added along with the arguments
Usage:
Configure the CLI
Usage:
ark configure [flags]
Flags:
--allow-output Allow stdout / stderr even when silent and not interactive
--disable-cert-verification Disables certificate verification on HTTPS calls, unsafe!
-h, --help help for configure
--isp-auth-method string Authentication method for Identity Security Platform (default "default")
--isp-identity-application string Identity Application
--isp-identity-authorization-application string Service User Authorization Application
--isp-identity-mfa-interactive Allow Interactive MFA
--isp-identity-mfa-method string MFA Method to use by default [pf, sms, email, otp]
--isp-identity-tenant-subdomain string Identity Tenant Subdomain
--isp-identity-url string Identity Url
--isp-username string Username
--log-level string Log level to use while verbose (default "INFO")
--logger-style string Which verbose logger style to use (default "default")
--profile-description string Profile Description
--profile-name string The name of the profile to use
--raw Whether to raw output
--silent Silent execution, no interactiveness
--trusted-cert string Certificate to use for HTTPS calls
--verbose Whether to verbose log
--work-with-isp Whether to work with Identity Security Platform services
The login command is used to log in to the authentication methods configured for the profile
You will be asked for a password for each authentication method that supports one, along with any required MFA prompt
Once the login is done, the access tokens are stored in the computer's keystore for their lifetime
Once they expire, a new login is required
How to run:
ark login
Usage:
Login to the system
Usage:
ark login [flags]
Flags:
--allow-output Allow stdout / stderr even when silent and not interactive
--disable-cert-verification Disables certificate verification on HTTPS calls, unsafe!
--force Whether to force login even though token has not expired yet
-h, --help help for login
--isp-secret string Secret to authenticate with to Identity Security Platform
--isp-username string Username to authenticate with to Identity Security Platform
--log-level string Log level to use while verbose (default "INFO")
--logger-style string Which verbose logger style to use (default "default")
--no-shared-secrets Do not share secrets between different authenticators with the same username
--profile-name string Profile name to load (default "ark")
--raw Whether to raw output
--refresh-auth If a cache exists, will also try to refresh it
--show-tokens Print out tokens as well if not silent
--silent Silent execution, no interactiveness
--trusted-cert string Certificate to use for HTTPS calls
--verbose Whether to verbose log
Notes:
- You may disable certificate validation for login to different authenticators using the --disable-cert-verification flag, or supply a certificate to be used; disabling is not recommended
The exec command executes commands against the supported services, using the authenticators the profile is logged in to
The following services and commands are supported:
- sia - Secure Infrastructure Access Services
    - sso - SIA SSO Management
    - k8s - SIA K8S Management
    - workspaces - SIA Workspaces Management
        - target-sets - SIA VM Target Sets Management
    - secrets - SIA Secrets Management
        - vm - SIA VM Secrets Management
    - access - SIA Access Management
- cmgr - Connector Manager
- pcloud - PCloud Service
    - accounts - PCloud Accounts Management
    - safes - PCloud Safes Management
- identity - Identity Service
    - directories - Identity Directories Management
    - roles - Identity Roles Management
    - users - Identity Users Management
- uap - Unified Access Policies Services
    - sca - secure cloud access policies management
    - db - databases access policies management
    - vm - virtual machines access policies management
Each command has its own subcommands, with their respective arguments
For example, generating a short-lived password for DB:
ark exec sia sso short-lived-password
Or a short-lived password for RDP:
ark exec sia sso short-lived-password --service DPA-RDP
Add SIA VM Target Set:
ark exec sia workspaces target-sets add-target-set --name mydomain.com --type Domain
Add SIA VM Secret:
ark exec sia secrets vm add-secret --secret-type ProvisionerUser --provisioner-username=myuser --provisioner-password=mypassword
List connector pools:
ark exec cmgr list-pools
Get connector installation script:
ark exec sia access connector-setup-script --connector-type ON-PREMISE --connector-os windows --connector-pool-id 588741d5-e059-479d-b4c4-3d821a87f012
Create a PCloud Safe:
ark exec pcloud safes add-safe --safe-name=safe
Create a PCloud Account:
ark exec pcloud accounts add-account --name account --safe-name safe --platform-id='UnixSSH' --username root --address 1.2.3.4 --secret-type=password --secret mypass
Retrieve PCloud Account Credentials:
ark exec pcloud accounts get-account-credentials --account-id 11_1
Create an Identity User:
ark exec identity users create-user --roles "DpaAdmin" --username "myuser"
Create an Identity Role:
ark exec identity roles create-role --role-name myrole
List all directories identities:
ark exec identity directories list-directories-entities
Add SIA Database Secret:
ark exec sia secrets db add-secret --secret-name mysecret --secret-type username_password --username user --password mypass
Delete SIA Database Secret:
ark exec sia secrets db delete-secret --secret-name mysecret
Add SIA database:
ark exec sia workspaces db add-database --name mydatabase --provider-engine aurora-mysql --read-write-endpoint myrds.com
Delete SIA database:
ark exec sia workspaces db delete-database --id databaseid
Get Secrets Hub Configuration:
ark exec sechub configuration get-configuration
Set Secrets Hub Configuration:
ark exec sechub configuration set-configuration --sync-settings 360
Get Secrets Hub Filters:
ark exec sechub filters get-filters --store-id store-e488dd22-a59c-418c-bbe3-3f061dd9b667
Add Secrets Hub Filter:
ark exec sechub filters add-filter --type "PAM_SAFE" --store-id store-e488dd22-a59c-418c-bbe3-3f061dd9b667 --data-safe-name "example-safe"
Delete Secrets Hub Filter:
ark exec sechub filters delete-filter --filter-id filter-7f3d187d-7439-407f-b968-ec27650be692 --store-id store-e488dd22-a59c-418c-bbe3-3f061dd9b667
Get Secrets Hub Scans:
ark exec sechub scans get-scans
Trigger Secrets Hub Scan:
ark exec sechub scans trigger-scan --id default --secret-stores-ids store-e488dd22-a59c-418c-bbe3-3f061dd9b667 type secret-store
Create Secrets Hub Secret Store:
ark exec sechub secret-stores create-secret-store --type AWS_ASM --description sdk-testing --name "SDK Testing" --state ENABLED --data-aws-account-alias ALIAS-NAME-EXAMPLE --data-aws-region-id us-east-1 --data-aws-account-id 123456789123 --data-aws-rolename Secrets-Hub-IAM-Role-Name-Created-For-Secrets-Hub
Retrieve Secrets Hub Secret Store:
ark exec sechub secret-stores get-secret-store --secret-store-id store-e488dd22-a59c-418c-bbe3-3f061dd9b667
Update Secrets Hub Secret Store:
ark exec sechub secret-stores update-secret-store --secret-store-id store-7f3d187d-7439-407f-b968-ec27650be692 --name "New Name" --description "Updated Description" --data-aws-account-alias "Test2"
Delete Secrets Hub Secret Store:
ark exec sechub secret-stores delete-secret-store --secret-store-id store-fd11bc7c-22d0-4d9b-ac1b-f8458161935f
Get Secrets Hub Secrets:
ark exec sechub secrets get-secrets
Get Secrets Hub Secrets using a filter:
ark exec sechub secrets get-secrets-by --limit 5 --projection EXTEND --filter "name CONTAINS EXAMPLE"
Get Secrets Hub Service Information:
ark exec sechub service-info get-service-info
Get Secrets Hub Sync Policies:
ark exec sechub sync-policies get-sync-policies
Get Secrets Hub Sync Policy:
ark exec sechub sync-policies get-sync-policy --policy-id policy-7f3d187d-7439-407f-b968-ec27650be692 --projection EXTEND
Create Secrets Hub Sync Policy:
ark exec sechub sync-policies create-sync-policy --name "New Sync Policy" --description "New Sync Policy Description" --filter-type PAM_SAFE --filter-data-safe-name EXAMPLE-SAFE-NAME --source-id store-e488dd22-a59c-418c-bbe3-3f061dd12367 --target-id store-e488dd22-a59c-418c-bbe3-3f061dd9b667
Delete Secrets Hub Sync Policy:
ark exec sechub sync-policies delete-sync-policy --policy-id policy-7f3d187d-7439-407f-b968-ec27650be692
List Sessions:
ark exec sm list-sessions
Count Sessions:
ark exec sm count-sessions
List Sessions By Filter:
ark exec sm list-sessions-by --search "duration LE 01:00:00"
Count Sessions By Filter:
ark exec sm count-sessions-by --search "command STARTSWITH ls"
Get Session:
ark exec sm get-session --session-id my-id
List Session Activities:
ark exec sm list-session-activities --session-id my-id
Count Session Activities:
ark exec sm count-session-activities --session-id my-id
List Session Activities By Filter:
ark exec sm list-session-activities-by --session-id my-id --command-contains "ls"
Count Session Activities By Filter:
ark exec sm count-sessions-by --session-id my-id --command-contains "chmod"
Get Sessions Statistics:
ark exec sm get-sessions-stats
List all UAP policies:
ark exec uap list-policies
Delete UAP DB Policy:
ark exec uap db delete-policy --policy-id my-policy-id
List DB Policies from UAP:
ark exec uap db list-policies
Get DB Policy from UAP:
ark exec uap db policy --policy-id my-policy-id
Add UAP DB Policy:
ark exec uap db add-policy --request-file /path/to/policy-request.json
List UAP SCA Policies:
ark exec uap sca list-policies
Get UAP SCA Policy:
ark exec uap sca policy --policy-id my-policy-id
Add UAP SCA Policy:
ark exec uap sca add-policy --request-file /path/to/policy-request.json
Delete UAP SCA Policy:
ark exec uap sca delete-policy --policy-id my-policy-id
List VM Policies from UAP:
ark exec uap vm list-policies
Get VM Policy from UAP:
ark exec uap vm policy --policy-id my-policy-id
Delete VM Policy from UAP:
ark exec uap vm delete-policy --policy-id my-policy-id
Connect to MySQL ZSP with the mysql cli via Ark CLI:
ark exec sia db mysql --target-address myaddress.com
Connect to PostgreSQL Vaulted with the psql cli via Ark CLI:
ark exec sia db psql --target-address myaddress.com --target-user myuser
You can view all of the commands via --help for each respective exec action
Notes:
- You may disable certificate validation for login to different authenticators using the --disable-cert-verification flag, or supply a certificate to be used; disabling is not recommended
Useful Env Vars:
- ARK_PROFILE - Sets the profile to be used across the CLI
- ARK_DISABLE_CERTIFICATE_VERIFICATION - Disables certificate verification on REST APIs
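Several of the exec examples above pass a secret as a flag value, which leaves it in shell history and process listings. The following check for scripts that call the CLI is an added example, not part of the Ark SDK: it masks those values before a command line is logged and reports options that disable certificate verification or print tokens. Audit, secretFlags and riskyFlags are hypothetical names, and the flag lists cover only flags that appear on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// Flags from the commands on this page whose value is a secret.
var secretFlags = map[string]bool{
	"--isp-secret": true, "--secret": true, "--password": true,
	"--provisioner-password": true,
}

// Flags and variables from this page that weaken the session.
var riskyFlags = map[string]string{
	"--disable-cert-verification":          "TLS verification disabled",
	"ARK_DISABLE_CERTIFICATE_VERIFICATION": "TLS verification disabled",
	"--show-tokens":                        "tokens printed to output",
}

// Audit masks secret values in argv and reports what it found.
// Names are matched exactly, so --secret-type and --secret-name are untouched.
func Audit(argv []string) (masked, findings []string) {
	for i := 0; i < len(argv); i++ {
		name, _, hasValue := strings.Cut(argv[i], "=")
		switch {
		case secretFlags[name] && hasValue: // --flag=value
			masked = append(masked, name+"=***")
		case secretFlags[name] && i+1 < len(argv): // --flag value
			masked = append(masked, name, "***")
			i++
		default:
			masked = append(masked, argv[i])
		}
		if secretFlags[name] {
			findings = append(findings, "secret passed via "+name)
		} else if why := riskyFlags[name]; why != "" {
			findings = append(findings, why+" ("+name+")")
		}
	}
	return masked, findings
}

func main() {
	// Constructed input: one command line shortened from the examples above.
	cmd := "ark exec pcloud accounts add-account --name account --secret-type=password --secret mypass"
	masked, findings := Audit(strings.Fields(cmd))
	fmt.Println(strings.Join(masked, " "), findings)
}
```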
As one may have multiple environments to manage, multiple profiles may be required, either for multiple users in the same environment or for multiple tenants
Therefore, the profiles command manages those profiles as a convenience set of methods
Use the profiles command by running its subcommands under:
ark profiles
Usage:
Manage profiles
Usage:
ark profiles [command]
Available Commands:
add Add a profile from a given path
clear Clear all profiles
clone Clone a profile
delete Delete a specific profile
edit Edit a profile interactively
list List all profiles
show Show a profile
Flags:
--allow-output Allow stdout / stderr even when silent and not interactive
--disable-cert-verification Disables certificate verification on HTTPS calls, unsafe!
-h, --help help for profiles
--log-level string Log level to use while verbose (default "INFO")
--logger-style string Which verbose logger style to use (default "default")
--raw Whether to raw output
--silent Silent execution, no interactiveness
--trusted-cert string Certificate to use for HTTPS calls
--verbose Whether to verbose log
Use "ark profiles [command] --help" for more information about a command.
Use the cache command to manage the Ark data cached on your machine. Currently, you can only clear the filesystem cache (not data cached in the OS's keystore).
Use the cache command by running its subcommands under:
ark cache
Usage:
Manage cache
Usage:
ark cache [command]
Available Commands:
clear Clears all profiles cache
Flags:
--allow-output Allow stdout / stderr even when silent and not interactive
--disable-cert-verification Disables certificate verification on HTTPS calls, unsafe!
-h, --help help for cache
--log-level string Log level to use while verbose (default "INFO")
--logger-style string Which verbose logger style to use (default "default")
--raw Whether to raw output
--silent Silent execution, no interactiveness
--trusted-cert string Certificate to use for HTTPS calls
--verbose Whether to verbose log
Use "ark cache [command] --help" for more information about a command.
As well as using the CLI, one can also develop with the Ark SDK using its API / class driven design
The same idea as the CLI applies here as well
Let's say we want to generate a short-lived password from code
To do so, we can use the following script:
package main

import (
	"fmt"
	"os"

	"github.com/cyberark/ark-sdk-golang/pkg/auth"
	authmodels "github.com/cyberark/ark-sdk-golang/pkg/models/auth"
	"github.com/cyberark/ark-sdk-golang/pkg/services/sia/sso"
	ssomodels "github.com/cyberark/ark-sdk-golang/pkg/services/sia/sso/models"
)

func main() {
	// Perform authentication using ArkISPAuth to the platform
	// First, create an ISP authentication class
	// Afterwards, perform the authentication
	ispAuth := auth.NewArkISPAuth(false)
	_, err := ispAuth.Authenticate(
		nil,
		&authmodels.ArkAuthProfile{
			Username:           "user@cyberark.cloud.12345",
			AuthMethod:         authmodels.Identity,
			AuthMethodSettings: &authmodels.IdentityArkAuthMethodSettings{},
		},
		&authmodels.ArkSecret{
			// The secret is read from the ARK_SECRET environment variable
			Secret: os.Getenv("ARK_SECRET"),
		},
		false,
		false,
	)
	if err != nil {
		panic(err)
	}

	// Create an SSO service from the authenticator above
	ssoService, err := sso.NewArkSIASSOService(ispAuth)
	if err != nil {
		panic(err)
	}

	// Generate a short-lived password
	ssoPassword, err := ssoService.ShortLivedPassword(
		&ssomodels.ArkSIASSOGetShortLivedPassword{},
	)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s\n", ssoPassword)
}
More examples can be found in the examples folder
This project is licensed under Apache License 2.0 - see LICENSE for more details
Copyright (c) 2025 CyberArk Software Ltd. All rights reserved.

