
UAP database policy CLI workflow

The following example workflow uses the CLI to add a UAP DB policy together with all the assets it needs:

  1. Install Ark SDK: pip3 install ark-sdk-python
  2. Create a profile:
    • Interactively:
      ark configure
      
    • Silently:
      ark configure --silent --work-with-isp --isp-username myuser
      
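  3. Log in to Ark. The value given to --isp-secret is part of the command line, so it can end up in shell history, process listings and CI job logs; keep the real secret out of scripts and logged command lines: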
    ark login --silent --isp-secret <my-ark-secret>
    
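  4. Add the SIA DB user secret. The --password value is also passed on the command line and is exposed in the same way as the login secret (shell history, process listings, logs); the username and password shown are example values: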
    ark exec sia secrets db add-secret --secret-name mysecret --secret-type username_password --username user --password mypass
    
  5. Add the SIA database, referencing the ID of the secret created in step 4:
    ark exec sia workspaces db add-database \
      --name mydomain.com \
      --provider-engine postgres-sh \
      --read-write-endpoint myendpoint.mydomain.com \
      --secret-id <SECRET_ID_FROM_PREVIOUS_STEP>
    
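  6. Create the UAP DB policy from a JSON request file, then pass that file to add-policy with --request-file. The values below are illustrative: the example grants readWriteAnyDatabase globally, userAdmin and dbAdmin on individual databases, and an access window covering every day from 05:00 to 23:59. In a real policy, narrow the principals, roles, access window and session limits to the least privilege the users need: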

    {
      "metadata": {
        "name": "Cool Policy",
        "description": "Cool Policy Description",
        "status": { "status": "ACTIVE" },
        "timeFrame": { "fromTime": null, "toTime": null },
        "policyEntitlement": {
          "targetCategory": "DB",
          "locationType": "FQDN_IP",
          "policyType": "RECURRING"
        },
        "policyTags": ["cool_tag", "cool_tag2"],
        "timeZone": "Asia/Jerusalem"
      },
      "principals": [
        {
          "id": "principal_id",
          "name": "tester@cyberark.cloud",
          "sourceDirectoryName": "CyberArk Cloud Directory",
          "sourceDirectoryId": "source_directory_id",
          "type": "USER"
        }
      ],
      "conditions": {
        "accessWindow": {
          "daysOfTheWeek": [0, 1, 2, 3, 4, 5, 6],
          "fromHour": "05:00",
          "toHour": "23:59"
        },
        "maxSessionDuration": 2,
        "idleTime": 1
      },
      "targets": {
        "FQDN_IP": {
          "instances": [
            {
              "instanceName": "Mongo-atlas_ephemeral_user",
              "instanceType": "Mongo",
              "instanceId": "1234",
              "authenticationMethod": "MONGO_AUTH",
              "mongoAuthProfile": {
                "globalBuiltinRoles": ["readWriteAnyDatabase"],
                "databaseBuiltinRoles": {
                  "mydb1": ["userAdmin"],
                  "mydb2": ["dbAdmin"]
                },
                "databaseCustomRoles": {
                  "mydb1": ["myCoolRole"]
                }
              }
            }
          ]
        }
      }
    }
    

    ark exec --request-file /path/to/policy-request.json uap db add-policy