Skip to content

Cloud Access policy SDK workflow

Here is an example workflow for adding a Cloud Access policy assets via the SDK:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
package main

import (
    "fmt"
    "os"

    "github.com/cyberark/idsec-sdk-golang/pkg/auth"
    authmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/auth"
    commonmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/common"
    "github.com/cyberark/idsec-sdk-golang/pkg/services/policy"
    policycloudaccessmodels "github.com/cyberark/idsec-sdk-golang/pkg/services/policy/cloudaccess/models"
    commonpolicymodels "github.com/cyberark/idsec-sdk-golang/pkg/services/policy/common/models"
)

func main() {
    // Perform authentication using IdsecISPAuth to the platform
    // First, create an ISP authentication class
    // Afterwards, perform the authentication
    ispAuth := auth.NewIdsecISPAuth(false)
    _, err := ispAuth.Authenticate(
        nil,
        &authmodels.IdsecAuthProfile{
            Username:           "user@cyberark.cloud.12345",
            AuthMethod:         authmodels.Identity,
            AuthMethodSettings: &authmodels.IdentityIdsecAuthMethodSettings{},
        },
        &authmodels.IdsecSecret{
            Secret: os.Getenv("IDSEC_SECRET"),
        },
        false,
        false,
    )
    if err != nil {
        panic(err)
    }

    policyAPI, err := policy.NewIdsecPolicyAPI(ispAuth.(*auth.IdsecISPAuth))
    if err != nil {
        panic(err)
    }
    policy, err := policyAPI.CloudAccess().CreatePolicy(
        &policycloudaccessmodels.IdsecPolicyCloudAccessCloudConsoleAccessPolicy{
            IdsecPolicyCommonAccessPolicy: commonpolicymodels.IdsecPolicyCommonAccessPolicy{
                Metadata: commonpolicymodels.IdsecPolicyMetadata{
                    Name:        "Example SCA Access Policy",
                    Description: "This is an example of a SCA access policy.",
                    Status: commonpolicymodels.IdsecPolicyStatus{
                        Status: commonpolicymodels.StatusTypeValidating,
                    },
                    PolicyEntitlement: commonpolicymodels.IdsecPolicyEntitlement{
                        TargetCategory: commonmodels.CategoryTypeCloudConsole,
                        LocationType:   commonmodels.WorkspaceTypeAWS,
                        PolicyType:     commonpolicymodels.PolicyTypeRecurring,
                    },
                    PolicyTags: []string{},
                },
                Principals: []commonpolicymodels.IdsecPolicyPrincipal{
                    {
                        Type:                commonpolicymodels.PrincipalTypeUser,
                        ID:                  "user-id",
                        Name:                "user@cyberark.cloud.12345",
                        SourceDirectoryName: "CyberArk",
                        SourceDirectoryID:   "12345",
                    },
                },
            },
            Conditions: policycloudaccessmodels.IdsecPolicyCloudAccessConditions{
                IdsecPolicyConditions: commonpolicymodels.IdsecPolicyConditions{
                    AccessWindow: commonpolicymodels.IdsecPolicyTimeCondition{
                        DaysOfTheWeek: []int{1, 2, 3, 4, 5},
                        FromHour:      "09:00:00",
                        ToHour:        "17:00:00",
                    },
                    MaxSessionDuration: 4,
                },
            },
            Targets: policycloudaccessmodels.IdsecPolicyCloudAccessCloudConsoleTarget{
                AwsAccountTargets: []policycloudaccessmodels.IdsecPolicyCloudAccessAWSAccountTarget{
                    {
                        IdsecPolicyCloudAccessTarget: policycloudaccessmodels.IdsecPolicyCloudAccessTarget{
                            RoleID:        "arn:aws:iam::123456789012:role/ExampleRole",
                            RoleName:      "ExampleRole",
                            WorkspaceID:   "123456789012",
                            WorkspaceName: "ExampleWorkspace",
                        },
                    },
                },
            },
        },
    )
    if err != nil {
        panic(err)
    }
    fmt.Printf("Policy created successfully: %s\n", policy.Metadata.PolicyID)
}

In the script above, the following actions are defined:

  • The admin user is logged in to perform actions on the tenant
  • we then configure Cloud Access policy