
UAP VM policy SDK workflow

Here is an example workflow for adding UAP VM policy assets via the SDK:

package main

import (
    "fmt"
    "github.com/cyberark/ark-sdk-golang/pkg/auth"
    authmodels "github.com/cyberark/ark-sdk-golang/pkg/models/auth"
    commonmodels "github.com/cyberark/ark-sdk-golang/pkg/models/common"
    commonuapmodels "github.com/cyberark/ark-sdk-golang/pkg/services/uap/common/models"
    uapsia "github.com/cyberark/ark-sdk-golang/pkg/services/uap/sia/common/models"
    uapvmmodels "github.com/cyberark/ark-sdk-golang/pkg/services/uap/sia/vm/models"
    "github.com/cyberark/ark-sdk-golang/pkg/services/uap"
    "os"
)

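// main authenticates to the platform with ArkISPAuth, creates a UAP API
// client and adds an example SIA VM access policy, then prints the ID of
// the created policy. Any failure aborts the program with a panic.
func main() {
	// The secret comes from the ARK_SECRET environment variable. Fail fast
	// with a clear message when it is unset instead of sending an empty
	// secret to the authentication endpoint.
	secret := os.Getenv("ARK_SECRET")
	if secret == "" {
		panic("ARK_SECRET environment variable is not set")
	}

	// Create the ISP authenticator and authenticate with the Identity method.
	ispAuth := auth.NewArkISPAuth(false)
	_, err := ispAuth.Authenticate(
		nil,
		&authmodels.ArkAuthProfile{
			Username:           "user@cyberark.cloud.12345",
			AuthMethod:         authmodels.Identity,
			AuthMethodSettings: &authmodels.IdentityArkAuthMethodSettings{},
		},
		&authmodels.ArkSecret{
			Secret: secret,
		},
		false,
		false,
	)
	if err != nil {
		panic(err)
	}

	// NewArkUAPAPI takes the concrete *auth.ArkISPAuth; check the assertion
	// so a mismatch fails with a readable message instead of a bare
	// runtime type-assertion panic.
	ispAuthImpl, ok := ispAuth.(*auth.ArkISPAuth)
	if !ok {
		panic(fmt.Sprintf("unexpected authenticator type %T", ispAuth))
	}
	uapAPI, err := uap.NewArkUAPAPI(ispAuthImpl)
	if err != nil {
		panic(err)
	}

	policy, err := uapAPI.Vm().AddPolicy(newExampleVMPolicy())
	if err != nil {
		panic(err)
	}
	fmt.Printf("Policy created successfully: %s\n", policy.Metadata.PolicyID)
}

// newExampleVMPolicy builds the example SIA VM access policy sent to
// AddPolicy: an active, recurring FQDN/IP policy for a single user
// principal, one exact-match FQDN target, and SSH/RDP connection profiles.
// The values are illustrative placeholders and should be replaced with
// the tenant's own identifiers before use.
func newExampleVMPolicy() *uapvmmodels.ArkUAPSIAVMAccessPolicy {
	return &uapvmmodels.ArkUAPSIAVMAccessPolicy{
		ArkUAPSIACommonAccessPolicy: uapsia.ArkUAPSIACommonAccessPolicy{
			ArkUAPCommonAccessPolicy: commonuapmodels.ArkUAPCommonAccessPolicy{
				Metadata: commonuapmodels.ArkUAPMetadata{
					Name:        "Example VM Access Policy",
					Description: "This is an example of a VM access policy for SIA.",
					Status: commonuapmodels.ArkUAPPolicyStatus{
						Status: commonuapmodels.StatusTypeActive,
					},
					PolicyEntitlement: commonuapmodels.ArkUAPPolicyEntitlement{
						TargetCategory: commonmodels.CategoryTypeVM,
						LocationType:   commonmodels.WorkspaceTypeFQDNIP,
						PolicyType:     commonuapmodels.PolicyTypeRecurring,
					},
					PolicyTags: []string{},
				},
				// A single user principal; ID and directory values are
				// placeholders that must match the tenant's directory.
				Principals: []commonuapmodels.ArkUAPPrincipal{
					{
						Type:                commonuapmodels.PrincipalTypeUser,
						ID:                  "user-id",
						Name:                "user@cyberark.cloud.12345",
						SourceDirectoryName: "CyberArk",
						SourceDirectoryID:   "12345",
					},
				},
			},
			Conditions: uapsia.ArkUAPSIACommonConditions{
				ArkUAPConditions: commonuapmodels.ArkUAPConditions{
					// Access window: days 1-5 of the week, 09:00-17:00.
					// The day numbering convention is defined by the SDK
					// model, not by this example.
					AccessWindow: commonuapmodels.ArkUAPTimeCondition{
						DaysOfTheWeek: []int{1, 2, 3, 4, 5},
						FromHour:      "09:00",
						ToHour:        "17:00",
					},
					// Units for MaxSessionDuration and IdleTime are those
					// of the SDK model — check the model docs before tuning.
					MaxSessionDuration: 4,
				},
				IdleTime: 10,
			},
		},
		// Exactly one target host, matched by exact computer name and domain.
		Targets: uapvmmodels.ArkUAPSIAVMPlatformTargets{
			FQDNIPResource: &uapvmmodels.ArkUAPSIAVMFQDNIPResource{
				FQDNRules: []uapvmmodels.ArkUAPSIAVMFQDNRule{
					{
						Operator:            uapvmmodels.VMFQDNOperatorExactly,
						ComputernamePattern: "example-vm",
						Domain:              "mydomain.com",
					},
				},
			},
		},
		// Connection profiles. The SSH username "root" is an example value;
		// a real policy should prefer a dedicated, least-privilege account
		// so the policy grants only the access the principal needs.
		Behavior: uapvmmodels.ArkUAPSSIAVMBehavior{
			SSHProfile: &uapvmmodels.ArkUAPSSIAVMSSHProfile{
				Username: "root",
			},
			RDPProfile: &uapvmmodels.ArkUAPSSIAVMRDPProfile{
				LocalEphemeralUser: &uapvmmodels.ArkUAPSSIAVMEphemeralUser{
					AssignGroups: []string{"Remote Desktop Users"},
				},
			},
		},
	}
}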

In the script above, the following actions are defined:

  • The admin user is logged in to perform actions on the tenant
  • We then configure a UAP VM policy