Skip to content

SDK Examples

Using the SDK is similar to using the CLI.

Short lived password example

In this example we authenticate to our ISP tenant and create a short-lived password:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
package main

import (
    "fmt"
    "github.com/cyberark/idsec-sdk-golang/pkg/auth"
    authmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/auth"
    ssomodels "github.com/cyberark/idsec-sdk-golang/pkg/services/sia/sso/models"
    "github.com/cyberark/idsec-sdk-golang/pkg/services/sia/sso"
    "os"
)

func main() {
    // Perform authentication using IdsecISPAuth to the platform
    // First, create an ISP authentication class
    // Afterwards, perform the authentication
    ispAuth := auth.NewIdsecISPAuth(false)
    _, err := ispAuth.Authenticate(
        nil,
        &authmodels.IdsecAuthProfile{
            Username:           "user@cyberark.cloud.12345",
            AuthMethod:         authmodels.Identity,
            AuthMethodSettings: &authmodels.IdentityIdsecAuthMethodSettings{},
        },
        &authmodels.IdsecSecret{
            Secret: os.Getenv("IDSEC_SECRET"),
        },
        false,
        false,
    )
    if err != nil {
        panic(err)
    }

    // Create an SSO service from the authenticator above
    ssoService, err := sso.NewIdsecSIASSOService(ispAuth)
    if err != nil {
        panic(err)
    }

    // Generate a short-lived password
    ssoPassword, err := ssoService.ShortLivedPassword(
        &ssomodels.IdsecSIASSOGetShortLivedPassword{},
    )
    if err != nil {
        panic(err)
    }
    fmt.Printf("%s\n", ssoPassword)

    // Generate a short-lived password for RDP
    ssoPassword, err = ssoService.ShortLivedPassword(
        &ssomodels.IdsecSIASSOGetShortLivedPassword{
            Service: "DPA-RDP",
        },
    )
    if err != nil {
        panic(err)
    }
    fmt.Printf("%s\n", ssoPassword)
}

Target set example

In this example we authenticate to our ISP tenant and create a target set with a VM secret:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
package main

import (
    "fmt"
    "github.com/cyberark/idsec-sdk-golang/pkg/auth"
    authmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/auth"
    vmsecretsmodels "github.com/cyberark/idsec-sdk-golang/pkg/services/sia/secretsvm/models"
    targetsetsmodels "github.com/cyberark/idsec-sdk-golang/pkg/services/sia/workspacestargetsets/models"
    "github.com/cyberark/idsec-sdk-golang/pkg/services/sia"
    "os"
)

func main() {
    // Perform authentication using IdsecISPAuth to the platform
    // First, create an ISP authentication class
    // Afterwards, perform the authentication
    ispAuth := auth.NewIdsecISPAuth(false)
    _, err := ispAuth.Authenticate(
        nil,
        &authmodels.IdsecAuthProfile{
            Username:           "user@cyberark.cloud.12345",
            AuthMethod:         authmodels.Identity,
            AuthMethodSettings: &authmodels.IdentityIdsecAuthMethodSettings{},
        },
        &authmodels.IdsecSecret{
            Secret: os.Getenv("IDSEC_SECRET"),
        },
        false,
        false,
    )
    if err != nil {
        panic(err)
    }

    // Add a VM secret
    siaAPI, err := sia.NewIdsecSIAAPI(ispAuth.(*auth.IdsecISPAuth))
    if err != nil {
        panic(err)
    }
    secret, err := siaAPI.VMSecrets().AddSecret(
        &vmsecretsmodels.IdsecSIAVMAddSecret{
            SecretType:          "ProvisionerUser",
            ProvisionerUsername: "CoolUser",
            ProvisionerPassword: "CoolPassword",
        },
    )
    if err != nil {
        panic(err)
    }
    // Add VM target set
    targetSet, err := siaAPI.WorkspacesTargetSets().AddTargetSet(
        &targetsetsmodels.IdsecSIAAddTargetSet{
            Name:       "mydomain.com",
            Type:       "Domain",
            SecretID:   secret.SecretID,
            SecretType: secret.SecretType,
        },
    )
    if err != nil {
        panic(err)
    }
    fmt.Printf("Target set %s created\n", targetSet.Name)
}

SIA settings example

In this example we authenticate to our ISP tenant and get and update SIA settings:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
package main

import (
    "os"

    "github.com/cyberark/idsec-sdk-golang/pkg/auth"
    "github.com/cyberark/idsec-sdk-golang/pkg/common"
    authmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/auth"
    "github.com/cyberark/idsec-sdk-golang/pkg/services/sia"
    settingsmodels "github.com/cyberark/idsec-sdk-golang/pkg/services/sia/settings/models"
)

func main() {
    // Perform authentication using IdsecISPAuth to the platform
    // First, create an ISP authentication class
    // Afterwards, perform the authentication
    ispAuth := auth.NewIdsecISPAuth(false)
    _, err := ispAuth.Authenticate(
        nil,
        &authmodels.IdsecAuthProfile{
            Username:           "user@cyberark.cloud.12345",
            AuthMethod:         authmodels.Identity,
            AuthMethodSettings: &authmodels.IdentityIdsecAuthMethodSettings{},
        },
        &authmodels.IdsecSecret{
            Secret: os.Getenv("IDSEC_SECRET"),
        },
        false,
        false,
    )
    if err != nil {
        panic(err)
    }
    siaAPI, err := sia.NewIdsecSIAAPI(ispAuth.(*auth.IdsecISPAuth))
    if err != nil {
        panic(err)
    }

    // Load all settings
    settings, err := siaAPI.Settings().ListSettings()
    if err != nil {
        panic(err)
    }
    settings.AdbMfaCaching.IsMfaCachingEnabled = common.Ptr(false)

    // Update settings
    _, err = siaAPI.Settings().SetSettings(settings)
    if err != nil {
        panic(err)
    }

    // Set specific setting partially
    adbMfa := &settingsmodels.IdsecSIASettingsAdbMfaCaching{
        KeyExpirationTimeSec: common.Ptr(7200),
        ClientIPEnforced:     common.Ptr(false),
    }
    _, err = siaAPI.Settings().SetAdbMfaCaching(adbMfa)
    if err != nil {
        panic(err)
    }
}

CMGR example

In this example we authenticate to our ISP tenant and create a network, pool, and identifier:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
package main

import (
    "fmt"
    "os"

    "github.com/cyberark/idsec-sdk-golang/pkg/auth"
    authmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/auth"
    "github.com/cyberark/idsec-sdk-golang/pkg/services/cmgr"
    networksmodels "github.com/cyberark/idsec-sdk-golang/pkg/services/cmgr/networks/models"
    identifiersmodels "github.com/cyberark/idsec-sdk-golang/pkg/services/cmgr/poolidentifiers/models"
    poolsmodels "github.com/cyberark/idsec-sdk-golang/pkg/services/cmgr/pools/models"
)

func main() {
    // Perform authentication using IdsecISPAuth to the platform
    // First, create an ISP authentication class
    // Afterwards, perform the authentication
    ispAuth := auth.NewIdsecISPAuth(false)
    _, err := ispAuth.Authenticate(
        nil,
        &authmodels.IdsecAuthProfile{
            Username:           "user@cyberark.cloud.12345",
            AuthMethod:         authmodels.Identity,
            AuthMethodSettings: &authmodels.IdentityIdsecAuthMethodSettings{},
        },
        &authmodels.IdsecSecret{
            Secret: os.Getenv("IDSEC_SECRET"),
        },
        false,
        false,
    )
    if err != nil {
        panic(err)
    }

    // Configure a network, pool and identifiers using the CMGR API
    cmgrAPI, err := cmgr.NewIdsecCmgrAPI(ispAuth.(*auth.IdsecISPAuth))
    if err != nil {
        panic(err)
    }
    network, err := cmgrAPI.Networks().Create(&networksmodels.IdsecCmgrAddNetwork{Name: "tlv"})
    if err != nil {
        panic(err)
    }
    pool, err := cmgrAPI.Pools().Create(&poolsmodels.IdsecCmgrAddPool{Name: "tlvpool", AssignedNetworkIDs: []string{network.NetworkID}})
    if err != nil {
        panic(err)
    }
    identifier, err := cmgrAPI.PoolIdentifiers().Create(&identifiersmodels.IdsecCmgrAddPoolSingleIdentifier{PoolID: pool.PoolID, Type: identifiersmodels.GeneralFQDN, Value: "mymachine.tlv.com"})
    if err != nil {
        panic(err)
    }
    fmt.Printf("Added pool: %s\n", pool.PoolID)
    fmt.Printf("Added network: %s\n", network.NetworkID)
    fmt.Printf("Added identifier: %s\n", identifier.IdentifierID)
}

List pCloud Accounts

In this example we authenticate to our ISP tenant and list pCloud accounts:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
package main

import (
    "fmt"
    "github.com/cyberark/idsec-sdk-golang/pkg/auth"
    authmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/auth"
    "github.com/cyberark/idsec-sdk-golang/pkg/services/pcloud"
    "os"
)

func main() {
    // Perform authentication using IdsecISPAuth to the platform
    // First, create an ISP authentication class
    // Afterwards, perform the authentication
    ispAuth := auth.NewIdsecISPAuth(false)
    _, err := ispAuth.Authenticate(
        nil,
        &authmodels.IdsecAuthProfile{
            Username:           "user@cyberark.cloud.12345",
            AuthMethod:         authmodels.Identity,
            AuthMethodSettings: &authmodels.IdentityIdsecAuthMethodSettings{},
        },
        &authmodels.IdsecSecret{
            Secret: os.Getenv("IDSEC_SECRET"),
        },
        false,
        false,
    )
    if err != nil {
        panic(err)
    }

    // List all of the accounts
    pcloudAPI, err := pcloud.NewIdsecPCloudAPI(ispAuth.(*auth.IdsecISPAuth))
    if err != nil {
        panic(err)
    }
    accountsChan, err := pcloudAPI.Accounts().List()
    if err != nil {
        panic(err)
    }
    for accountsPage := range accountsChan {
        for account := range accountsPage.Items {
            fmt.Printf("Account: %v\n", account)
        }
    }
}

List identities

In this example we authenticate to our ISP tenant and list all of the accounts:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
package main

import (
    "fmt"
    "github.com/cyberark/idsec-sdk-golang/pkg/auth"
    authmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/auth"
    directoriesmodels "github.com/cyberark/idsec-sdk-golang/pkg/services/identity/directories/models"
    "github.com/cyberark/idsec-sdk-golang/pkg/services/identity"
    "os"
)

func main() {
    // Perform authentication using IdsecISPAuth to the platform
    // First, create an ISP authentication class
    // Afterwards, perform the authentication
    ispAuth := auth.NewIdsecISPAuth(false)
    _, err := ispAuth.Authenticate(
        nil,
        &authmodels.IdsecAuthProfile{
            Username:           "user@cyberark.cloud.12345",
            AuthMethod:         authmodels.Identity,
            AuthMethodSettings: &authmodels.IdentityIdsecAuthMethodSettings{},
        },
        &authmodels.IdsecSecret{
            Secret: os.Getenv("IDSEC_SECRET"),
        },
        false,
        false,
    )
    if err != nil {
        panic(err)
    }

    // List all identities
    identityAPI, err := identity.NewIdsecIdentityAPI(ispAuth.(*auth.IdsecISPAuth))
    if err != nil {
        panic(err)
    }
    identitiesChan, err := identityAPI.Directories().ListEntities(&directoriesmodels.IdsecIdentityListDirectoriesEntities{})
    if err != nil {
        panic(err)
    }
    for loadedIdentity := range identitiesChan {
        fmt.Printf("Identity: %v\n", loadedIdentity)
    }
}

Session Monitoring

In this example we authenticate to our ISP tenant and get all the active sessions:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
package main

import (
    "fmt"
    "os"

    "github.com/cyberark/idsec-sdk-golang/pkg/auth"
    authmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/auth"
    "github.com/cyberark/idsec-sdk-golang/pkg/services/sm/sessions"
    sessionsmodels "github.com/cyberark/idsec-sdk-golang/pkg/services/sm/sessions/models"
)

func main() {
    // Perform authentication using IdsecISPAuth to the platform
    // First, create an ISP authentication class
    // Afterwards, perform the authentication
    ispAuth := auth.NewIdsecISPAuth(false)
    _, err := ispAuth.Authenticate(
        nil,
        &authmodels.IdsecAuthProfile{
            Username:           "user@cyberark.cloud.12345",
            AuthMethod:         authmodels.Identity,
            AuthMethodSettings: &authmodels.IdentityIdsecAuthMethodSettings{},
        },
        &authmodels.IdsecSecret{
            Secret: os.Getenv("IDSEC_SECRET"),
        },
        false,
        false,
    )
    if err != nil {
        panic(err)
    }

    sessionsService, err := sessions.NewIdsecSMSessionsService(ispAuth)
    if err != nil {
        panic(err)
    }
    filter := &sessionsmodels.IdsecSMSessionsFilter{
        Search: "status IN Active",
    }
    // Get all active sessions
    activeSessions, err := sessionsService.CountBy(filter)
    if err != nil {
        panic(err)
    }
    fmt.Printf("Total Active Sessions: %d\n", activeSessions)
}

Policy

In this example we authenticate to our ISP tenant and create a DB policy:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
package main

import (
    "fmt"
    "os"

    "github.com/cyberark/idsec-sdk-golang/pkg/auth"
    authmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/auth"
    commonmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/common"
    "github.com/cyberark/idsec-sdk-golang/pkg/services/policy"
    policycommomodels "github.com/cyberark/idsec-sdk-golang/pkg/services/policy/common/models"
    policydbmodels "github.com/cyberark/idsec-sdk-golang/pkg/services/policy/db/models"
    dbmodels "github.com/cyberark/idsec-sdk-golang/pkg/services/sia/workspacesdb/models"
)

func main() {
    // Perform authentication using IdsecISPAuth to the platform
    // First, create an ISP authentication class
    // Afterwards, perform the authentication
    ispAuth := auth.NewIdsecISPAuth(false)
    _, err := ispAuth.Authenticate(
        nil,
        &authmodels.IdsecAuthProfile{
            Username:           "user@cyberark.cloud.12345",
            AuthMethod:         authmodels.Identity,
            AuthMethodSettings: &authmodels.IdentityIdsecAuthMethodSettings{},
        },
        &authmodels.IdsecSecret{
            Secret: os.Getenv("IDSEC_SECRET"),
        },
        false,
        false,
    )
    if err != nil {
        panic(err)
    }

    policyAPI, err := policy.NewIdsecPolicyAPI(ispAuth.(*auth.IdsecISPAuth))
    if err != nil {
        panic(err)
    }
    policy, err := policyAPI.Db().CreatePolicy(
        &policydbmodels.IdsecPolicyDBAccessPolicy{
            IdsecPolicyInfraCommonAccessPolicy: policycommomodels.IdsecPolicyInfraCommonAccessPolicy{
                IdsecPolicyCommonAccessPolicy: policycommomodels.IdsecPolicyCommonAccessPolicy{
                    Metadata: policycommomodels.IdsecPolicyMetadata{
                        Name:        "Example DB Access Policy",
                        Description: "This is an example of a DB access policy for Infrastructure.",
                        Status: policycommomodels.IdsecPolicyStatus{
                            Status: policycommomodels.StatusTypeActive,
                        },
                        PolicyEntitlement: policycommomodels.IdsecPolicyEntitlement{
                            TargetCategory: commonmodels.CategoryTypeDB,
                            LocationType:   commonmodels.WorkspaceTypeFQDNIP,
                            PolicyType:     policycommomodels.PolicyTypeRecurring,
                        },
                        PolicyTags: []string{},
                    },
                    Principals: []policycommomodels.IdsecPolicyPrincipal{
                        {
                            Type:                policycommomodels.PrincipalTypeUser,
                            ID:                  "user-id",
                            Name:                "user@cyberark.cloud.12345",
                            SourceDirectoryName: "CyberArk",
                            SourceDirectoryID:   "12345",
                        },
                    },
                },
                Conditions: policycommomodels.IdsecPolicyInfraCommonConditions{
                    IdsecPolicyConditions: policycommomodels.IdsecPolicyConditions{
                        AccessWindow: policycommomodels.IdsecPolicyTimeCondition{
                            DaysOfTheWeek: []int{1, 2, 3, 4, 5},
                            FromHour:      "09:00",
                            ToHour:        "17:00",
                        },
                        MaxSessionDuration: 4,
                    },
                    IdleTime: 10,
                },
            },
            Targets: map[string]policydbmodels.IdsecPolicyDBTargets{
                commonmodels.WorkspaceTypeFQDNIP: {
                    Instances: []policydbmodels.IdsecPolicyDBInstanceTarget{
                        {
                            InstanceName:         "example-db-instance",
                            InstanceType:         dbmodels.FamilyTypeMSSQL,
                            InstanceID:           "1",
                            AuthenticationMethod: policydbmodels.AuthMethodLDAPAuth,
                            LDAPAuthProfile: &policydbmodels.IdsecPolicyDBLDAPAuthProfile{
                                AssignGroups: []string{"mygroup"},
                            },
                        },
                    },
                },
            },
        },
    )
    if err != nil {
        panic(err)
    }
    fmt.Printf("Policy created successfully: %s\n", policy.Metadata.PolicyID)
}

In this example we authenticate to our ISP tenant and create a VM policy:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
package main

import (
    "fmt"
    "os"

    "github.com/cyberark/idsec-sdk-golang/pkg/auth"
    authmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/auth"
    commonmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/common"
    "github.com/cyberark/idsec-sdk-golang/pkg/services/policy"
    policycommomodels "github.com/cyberark/idsec-sdk-golang/pkg/services/policy/common/models"
    policyvmmodels "github.com/cyberark/idsec-sdk-golang/pkg/services/policy/vm/models"
)

func main() {
    // Perform authentication using IdsecISPAuth to the platform
    // First, create an ISP authentication class
    // Afterwards, perform the authentication
    ispAuth := auth.NewIdsecISPAuth(false)
    _, err := ispAuth.Authenticate(
        nil,
        &authmodels.IdsecAuthProfile{
            Username:           "user@cyberark.cloud.12345",
            AuthMethod:         authmodels.Identity,
            AuthMethodSettings: &authmodels.IdentityIdsecAuthMethodSettings{},
        },
        &authmodels.IdsecSecret{
            Secret: os.Getenv("IDSEC_SECRET"),
        },
        false,
        false,
    )
    if err != nil {
        panic(err)
    }

    policyAPI, err := policy.NewIdsecPolicyAPI(ispAuth.(*auth.IdsecISPAuth))
    if err != nil {
        panic(err)
    }
    policy, err := policyAPI.VM().CreatePolicy(
        &policyvmmodels.IdsecPolicyVMAccessPolicy{
            IdsecPolicyInfraCommonAccessPolicy: policycommomodels.IdsecPolicyInfraCommonAccessPolicy{
                IdsecPolicyCommonAccessPolicy: policycommomodels.IdsecPolicyCommonAccessPolicy{
                    Metadata: policycommomodels.IdsecPolicyMetadata{
                        Name:        "Example VM Access Policy",
                        Description: "This is an example of a VM access policy for Infrastructure.",
                        Status: policycommomodels.IdsecPolicyStatus{
                            Status: policycommomodels.StatusTypeActive,
                        },
                        PolicyEntitlement: policycommomodels.IdsecPolicyEntitlement{
                            TargetCategory: commonmodels.CategoryTypeVM,
                            LocationType:   commonmodels.WorkspaceTypeFQDNIP,
                            PolicyType:     policycommomodels.PolicyTypeRecurring,
                        },
                        PolicyTags: []string{},
                    },
                    Principals: []policycommomodels.IdsecPolicyPrincipal{
                        {
                            Type:                policycommomodels.PrincipalTypeUser,
                            ID:                  "user-id",
                            Name:                "user@cyberark.cloud.12345",
                            SourceDirectoryName: "CyberArk",
                            SourceDirectoryID:   "12345",
                        },
                    },
                },
                Conditions: policycommomodels.IdsecPolicyInfraCommonConditions{
                    IdsecPolicyConditions: policycommomodels.IdsecPolicyConditions{
                        AccessWindow: policycommomodels.IdsecPolicyTimeCondition{
                            DaysOfTheWeek: []int{1, 2, 3, 4, 5},
                            FromHour:      "09:00",
                            ToHour:        "17:00",
                        },
                        MaxSessionDuration: 4,
                    },
                    IdleTime: 10,
                },
            },
            Targets: policyvmmodels.IdsecPolicyVMPlatformTargets{
                FQDNIPResource: &policyvmmodels.IdsecPolicyVMFQDNIPResource{
                    FQDNRules: []policyvmmodels.IdsecPolicyVMFQDNRule{
                        {
                            Operator:            policyvmmodels.VMFQDNOperatorExactly,
                            ComputernamePattern: "example-vm",
                            Domain:              "mydomain.com",
                        },
                    },
                },
            },
            Behavior: policyvmmodels.IdsecPolicyVMBehavior{
                SSHProfile: &policyvmmodels.IdsecPolicyVMSSHProfile{
                    Username: "root",
                },
                RDPProfile: &policyvmmodels.IdsecPolicyVMRDPProfile{
                    LocalEphemeralUser: &policyvmmodels.IdsecPolicyVMEphemeralUser{
                        AssignGroups: []string{"Remote Desktop Users"},
                    },
                },
            },
        },
    )
    if err != nil {
        panic(err)
    }
    fmt.Printf("Policy created successfully: %s\n", policy.Metadata.PolicyID)
}

In this example we authenticate to our ISP tenant and create a Cloud Access policy:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
package main

import (
    "fmt"
    "os"

    "github.com/cyberark/idsec-sdk-golang/pkg/auth"
    authmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/auth"
    commonmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/common"
    "github.com/cyberark/idsec-sdk-golang/pkg/services/policy"
    policycloudaccessmodels "github.com/cyberark/idsec-sdk-golang/pkg/services/policy/cloudaccess/models"
    commonpolicymodels "github.com/cyberark/idsec-sdk-golang/pkg/services/policy/common/models"
)

func main() {
    // Perform authentication using IdsecISPAuth to the platform
    // First, create an ISP authentication class
    // Afterwards, perform the authentication
    ispAuth := auth.NewIdsecISPAuth(false)
    _, err := ispAuth.Authenticate(
        nil,
        &authmodels.IdsecAuthProfile{
            Username:           "user@cyberark.cloud.12345",
            AuthMethod:         authmodels.Identity,
            AuthMethodSettings: &authmodels.IdentityIdsecAuthMethodSettings{},
        },
        &authmodels.IdsecSecret{
            Secret: os.Getenv("IDSEC_SECRET"),
        },
        false,
        false,
    )
    if err != nil {
        panic(err)
    }

    policyAPI, err := policy.NewIdsecPolicyAPI(ispAuth.(*auth.IdsecISPAuth))
    if err != nil {
        panic(err)
    }
    policy, err := policyAPI.CloudAccess().CreatePolicy(
        &policycloudaccessmodels.IdsecPolicyCloudAccessCloudConsoleAccessPolicy{
            IdsecPolicyCommonAccessPolicy: commonpolicymodels.IdsecPolicyCommonAccessPolicy{
                Metadata: commonpolicymodels.IdsecPolicyMetadata{
                    Name:        "Example SCA Access Policy",
                    Description: "This is an example of a SCA access policy.",
                    Status: commonpolicymodels.IdsecPolicyStatus{
                        Status: commonpolicymodels.StatusTypeValidating,
                    },
                    PolicyEntitlement: commonpolicymodels.IdsecPolicyEntitlement{
                        TargetCategory: commonmodels.CategoryTypeCloudConsole,
                        LocationType:   commonmodels.WorkspaceTypeAWS,
                        PolicyType:     commonpolicymodels.PolicyTypeRecurring,
                    },
                    PolicyTags: []string{},
                },
                Principals: []commonpolicymodels.IdsecPolicyPrincipal{
                    {
                        Type:                commonpolicymodels.PrincipalTypeUser,
                        ID:                  "user-id",
                        Name:                "user@cyberark.cloud.12345",
                        SourceDirectoryName: "CyberArk",
                        SourceDirectoryID:   "12345",
                    },
                },
            },
            Conditions: policycloudaccessmodels.IdsecPolicyCloudAccessConditions{
                IdsecPolicyConditions: commonpolicymodels.IdsecPolicyConditions{
                    AccessWindow: commonpolicymodels.IdsecPolicyTimeCondition{
                        DaysOfTheWeek: []int{1, 2, 3, 4, 5},
                        FromHour:      "09:00:00",
                        ToHour:        "17:00:00",
                    },
                    MaxSessionDuration: 4,
                },
            },
            Targets: policycloudaccessmodels.IdsecPolicyCloudAccessCloudConsoleTarget{
                AwsAccountTargets: []policycloudaccessmodels.IdsecPolicyCloudAccessAWSAccountTarget{
                    {
                        IdsecPolicyCloudAccessTarget: policycloudaccessmodels.IdsecPolicyCloudAccessTarget{
                            RoleID:        "arn:aws:iam::123456789012:role/ExampleRole",
                            RoleName:      "ExampleRole",
                            WorkspaceID:   "123456789012",
                            WorkspaceName: "ExampleWorkspace",
                        },
                    },
                },
            },
        },
    )
    if err != nil {
        panic(err)
    }
    fmt.Printf("Policy created successfully: %s\n", policy.Metadata.PolicyID)
}

Shortened connection string

In this example we authenticate to our ISP tenant and generate a shortened connection string:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
package main

import (
    "fmt"
    "github.com/cyberark/idsec-sdk-golang/pkg/auth"
    authmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/auth"
    shortenedconnectionstringmodels "github.com/cyberark/idsec-sdk-golang/pkg/services/sia/shortenedconnectionstring/models"
    "github.com/cyberark/idsec-sdk-golang/pkg/services/sia/shortenedconnectionstring"
    "os"
)

func main() {
    // Perform authentication using IdsecISPAuth to the platform
    // First, create an ISP authentication class
    // Afterwards, perform the authentication
    ispAuth := auth.NewIdsecISPAuth(false)
    _, err := ispAuth.Authenticate(
        nil,
        &authmodels.IdsecAuthProfile{
            Username:           "user@cyberark.cloud.12345",
            AuthMethod:         authmodels.Identity,
            AuthMethodSettings: &authmodels.IdentityIdsecAuthMethodSettings{},
        },
        &authmodels.IdsecSecret{
            Secret: os.Getenv("IDSEC_SECRET"),
        },
        false,
        false,
    )
    if err != nil {
        panic(err)
    }

    // Generate a shortened connection string
    shortenedConnectionStringService, err := shortenedconnectionstring.NewIdsecSIAShortenedConnectionStringService(ispAuth)
    if err != nil {
        panic(err)
    }
    shortenedConnectionString, err := shortenedConnectionStringService.Generate(
        &shortenedconnectionstringmodels.IdsecSIAGenerateShortenedConnectionString{
            RawConnectionString: "jack.sparrow@caribbean.airlines#caribbean-airlines@the.black.pearl.com103639",
        },
    )
    if err != nil {
        panic(err)
    }
    fmt.Printf("Shortened Connection String: %s\n", shortenedConnectionString.ShortenedConnectionString)
}

SIA certificate

In this example we authenticate to our ISP tenant and add a certificate:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
package main

import (
    "fmt"
    "os"

    "github.com/cyberark/idsec-sdk-golang/pkg/auth"
    authmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/auth"
    "github.com/cyberark/idsec-sdk-golang/pkg/services/sia"
    certificatesmodels "github.com/cyberark/idsec-sdk-golang/pkg/services/sia/certificates/models"
)

func main() {
    // Perform authentication using IdsecISPAuth to the platform
    // First, create an ISP authentication class
    // Afterwards, perform the authentication
    ispAuth := auth.NewIdsecISPAuth(false)
    _, err := ispAuth.Authenticate(
        nil,
        &authmodels.IdsecAuthProfile{
            Username:           "user@cyberark.cloud.12345",
            AuthMethod:         authmodels.Identity,
            AuthMethodSettings: &authmodels.IdentityIdsecAuthMethodSettings{},
        },
        &authmodels.IdsecSecret{
            Secret: os.Getenv("IDSEC_SECRET"),
        },
        false,
        false,
    )
    if err != nil {
        panic(err)
    }
    siaAPI, err := sia.NewIdsecSIAAPI(ispAuth.(*auth.IdsecISPAuth))
    if err != nil {
        panic(err)
    }

    // Add a new certificate
    cert, err := siaAPI.Certificates().AddCertificate(
        &certificatesmodels.IdsecSIACertificatesAddCertificate{
            CertName:        "My New SIA Certificate",
            CertDescription: "Certificate added via SDK example",
            File:            "/path/to/file",
        },
    )
    if err != nil {
        panic(err)
    }
    fmt.Printf("Added certificate: %+v\n", cert)
}

SIA SSH connect

In this example we authenticate to our ISP tenant and use the SIA SSH service to connect to a target host through the SIA SSH gateway. The service requests a short-lived SSH key from the SSO service in-memory, stages it into a temporary file with 0600 permissions for the lifetime of the spawned ssh child process, and removes it on exit — the key never lives in ~/.ssh and never needs manual cleanup.

The Connect entry point covers two modes:

  • Interactive terminal — leave Command empty. stdin/stdout/stderr are wired to the current process, matching the UX of the DB service's interactive psql/mysql/sqlcmd clients.
  • Single remote command — set Command to the command line that should run on the target. Use ForceTTY: true when the remote command needs a TTY (for example sudo prompting for a password).

AllowCaching: true reuses a previously-issued short-lived SSH key from the SSO keyring cache (alongside the other short-lived token types) rather than fetching a fresh one on every call. ExtraArgs is passed through verbatim to the SSH client, so callers can add -L, -p, -o StrictHostKeyChecking=..., etc., without API changes.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
package main

import (
    "fmt"
    "os"

    "github.com/cyberark/idsec-sdk-golang/pkg/auth"
    authmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/auth"
    "github.com/cyberark/idsec-sdk-golang/pkg/services/sia"
    sshmodels "github.com/cyberark/idsec-sdk-golang/pkg/services/sia/ssh/models"
)

func main() {
    // Perform authentication using IdsecISPAuth to the platform
    // First, create an ISP authentication class
    // Afterwards, perform the authentication
    ispAuth := auth.NewIdsecISPAuth(false)
    _, err := ispAuth.Authenticate(
        nil,
        &authmodels.IdsecAuthProfile{
            Username:           "user@cyberark.cloud.12345",
            AuthMethod:         authmodels.Identity,
            AuthMethodSettings: &authmodels.IdentityIdsecAuthMethodSettings{},
        },
        &authmodels.IdsecSecret{
            Secret: os.Getenv("IDSEC_SECRET"),
        },
        false,
        false,
    )
    if err != nil {
        panic(err)
    }
    siaAPI, err := sia.NewIdsecSIAAPI(ispAuth.(*auth.IdsecISPAuth))
    if err != nil {
        panic(err)
    }

    // Mode 1: run a single command on the remote target through the SIA SSH
    // gateway. Output is streamed to this process' stdout/stderr.
    fmt.Println("Running single command via SIA SSH gateway...")
    if err := siaAPI.Ssh().Connect(&sshmodels.IdsecSIASSHConnectExecution{
        IdsecSIASSHBaseExecution: sshmodels.IdsecSIASSHBaseExecution{
            TargetAddress:  "10.0.0.42",
            TargetUsername: "ec2-user",
        },
        Command: "uname -a && id",
    }); err != nil {
        panic(err)
    }

    // Mode 2: run a privileged remote command that needs a TTY (sudo with a
    // password prompt). ForceTTY translates to `ssh -t`.
    fmt.Println("Running privileged remote command via SIA SSH gateway...")
    if err := siaAPI.Ssh().Connect(&sshmodels.IdsecSIASSHConnectExecution{
        IdsecSIASSHBaseExecution: sshmodels.IdsecSIASSHBaseExecution{
            TargetAddress:  "10.0.0.42",
            TargetUsername: "ec2-user",
            NetworkName:    "prod-network",
        },
        Command:  "sudo systemctl status nginx",
        ForceTTY: true,
    }); err != nil {
        panic(err)
    }

    // Mode 3: open an interactive terminal session through the SIA SSH
    // gateway. Omit Command to get an interactive shell — stdin/stdout/stderr
    // are wired to the parent process, matching the UX of the DB service's
    // interactive clients. AllowCaching reuses a previously-issued short-lived
    // SSH key from the SSO keyring cache when present. ExtraArgs is passed
    // through verbatim to the SSH client.
    fmt.Println("Opening interactive SSH terminal via SIA SSH gateway...")
    if err := siaAPI.Ssh().Connect(&sshmodels.IdsecSIASSHConnectExecution{
        IdsecSIASSHBaseExecution: sshmodels.IdsecSIASSHBaseExecution{
            TargetAddress:  "10.0.0.42",
            TargetUsername: "ec2-user",
            TargetPort:     2222,
        },
        AllowCaching: true,
        ExtraArgs:    []string{"-L", "8080:127.0.0.1:80"},
    }); err != nil {
        panic(err)
    }
}

pCloud Import Target Platform

In this example we authenticate to our ISP tenant and add a certificate:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
package main

import (
    "fmt"
    "os"

    "github.com/cyberark/idsec-sdk-golang/pkg/auth"
    authmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/auth"
    "github.com/cyberark/idsec-sdk-golang/pkg/services/pcloud"
    targetplatformsmodels "github.com/cyberark/idsec-sdk-golang/pkg/services/pcloud/targetplatforms/models"
)

func main() {
    // Perform authentication using IdsecISPAuth to the platform
    // First, create an ISP authentication class
    // Afterwards, perform the authentication
    ispAuth := auth.NewIdsecISPAuth(false)
    _, err := ispAuth.Authenticate(
        nil,
        &authmodels.IdsecAuthProfile{
            Username:           "user@cyberark.cloud.12345",
            AuthMethod:         authmodels.Identity,
            AuthMethodSettings: &authmodels.IdentityIdsecAuthMethodSettings{},
        },
        &authmodels.IdsecSecret{
            Secret: os.Getenv("IDSEC_SECRET"),
        },
        false,
        false,
    )
    if err != nil {
        panic(err)
    }

    // Import and get the target platform
    pcloudAPI, err := pcloud.NewIdsecPCloudAPI(ispAuth.(*auth.IdsecISPAuth))
    if err != nil {
        panic(err)
    }
    importedPlatform, err := pcloudAPI.TargetPlatforms().Import(
        &targetplatformsmodels.IdsecPCloudImportTargetPlatform{PlatformZipPath: "/path/to/platform.zip"},
    )
    if err != nil {
        panic(err)
    }
    fmt.Printf("Imported platform: %v\n", importedPlatform)
}

Identity Policy

In this example we authenticate to our ISP tenant and create an authentication profile and policy

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
package main

import (
    "os"

    "github.com/cyberark/idsec-sdk-golang/pkg/auth"
    authmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/auth"
    "github.com/cyberark/idsec-sdk-golang/pkg/services/identity"
    authprofilesmodels "github.com/cyberark/idsec-sdk-golang/pkg/services/identity/authprofiles/models"
    policymodels "github.com/cyberark/idsec-sdk-golang/pkg/services/identity/policies/models"
)

func main() {
    // Perform authentication using IdsecISPAuth to the platform
    // First, create an ISP authentication class
    // Afterwards, perform the authentication
    ispAuth := auth.NewIdsecISPAuth(false)
    _, err := ispAuth.Authenticate(
        nil,
        &authmodels.IdsecAuthProfile{
            Username:           "user@cyberark.cloud.12345",
            AuthMethod:         authmodels.Identity,
            AuthMethodSettings: &authmodels.IdentityIdsecAuthMethodSettings{},
        },
        &authmodels.IdsecSecret{
            Secret: os.Getenv("IDSEC_SECRET"),
        },
        false,
        false,
    )
    if err != nil {
        panic(err)
    }

    // Create auth profile
    identityAPI, err := identity.NewIdsecIdentityAPI(ispAuth.(*auth.IdsecISPAuth))
    if err != nil {
        panic(err)
    }
    authProfile, err := identityAPI.AuthProfiles().CreateAuthProfile(&authprofilesmodels.IdsecIdentityCreateAuthProfile{
        AuthProfileName:   "My Auth Profile",
        FirstChallenges:   []string{"UP"},
        SecondChallenges:  []string{"EMAIL"},
        DurationInMinutes: 60,
    })
    if err != nil {
        panic(err)
    }
    policy, err := identityAPI.Policies().CreatePolicy(&policymodels.IdsecIdentityCreatePolicy{
        PolicyName:      "My Identity Policy",
        PolicyStatus:    policymodels.PolicyStatusActive,
        Description:     "This is my identity policy",
        RoleNames:       []string{"Admin", "User"},
        AuthProfileName: authProfile.AuthProfileName,
        Settings: map[string]interface{}{
            "/Core/Authentication/IwaSetKnownEndpoint":  "false",
            "/Core/Authentication/IwaSatisfiesAllMechs": "false",
            "/Core/Authentication/AllowZso":             "true",
            "/Core/Authentication/ZsoSkipChallenge":     "true",
            "/Core/Authentication/ZsoSetKnownEndpoint":  "false",
            "/Core/Authentication/ZsoSatisfiesAllMechs": "false",
        },
    })
    if err != nil {
        panic(err)
    }
    println("Policy created with name:", policy.PolicyName)
}

Identity User Attributes

In this example we authenticate to our ISP tenant and manage user attributes schema, create a user and set its attributes

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
package main

import (
    "fmt"

    "github.com/cyberark/idsec-sdk-golang/pkg/auth"
    authmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/auth"
    "github.com/cyberark/idsec-sdk-golang/pkg/services/identity"
    usersmodels "github.com/cyberark/idsec-sdk-golang/pkg/services/identity/users/models"

    "os"
)

func main() {
    // Perform authentication using IdsecISPAuth to the platform
    // First, create an ISP authentication class
    // Afterwards, perform the authentication
    ispAuth := auth.NewIdsecISPAuth(false)
    _, err := ispAuth.Authenticate(
        nil,
        &authmodels.IdsecAuthProfile{
            Username:           "user@cyberark.cloud.12345",
            AuthMethod:         authmodels.Identity,
            AuthMethodSettings: &authmodels.IdentityIdsecAuthMethodSettings{},
        },
        &authmodels.IdsecSecret{
            Secret: os.Getenv("IDSEC_SECRET"),
        },
        false,
        false,
    )
    if err != nil {
        panic(err)
    }

    identityAPI, err := identity.NewIdsecIdentityAPI(ispAuth.(*auth.IdsecISPAuth))
    if err != nil {
        panic(err)
    }
    user, err := identityAPI.Users().Create(&usersmodels.IdsecIdentityCreateUser{Username: "myuser"})
    if err != nil {
        panic(err)
    }
    userSchema, err := identityAPI.Users().UpsertAttributesSchema(&usersmodels.IdsecIdentityUpsertUserAttributesSchema{
        Columns: []usersmodels.IdsecIdentityUserAttributesSchemaColumn{
            {Name: "department_attr1", Type: "string", Description: "Department attribute 1"},
            {Name: "location_attr2", Type: "string", Description: "Location attribute 2"},
        },
    })
    if err != nil {
        panic(err)
    }
    userAttributes, err := identityAPI.Users().UpsertAttributes(&usersmodels.IdsecIdentityUpsertUserAttributes{
        UserID: user.UserID,
        Attributes: map[string]string{
            "department_attr1": "engineering",
            "location_attr2":   "NYC",
        },
    })
    if err != nil {
        panic(err)
    }
    fmt.Printf("User Attributes for user %s: %+v\n", user.Username, userAttributes.Attributes)
    fmt.Printf("User: %v\n", user)
    fmt.Printf("User Attributes Schema: %v\n", userSchema)
}

Identity Webapps

OAuth2 Server Webapp

In this example we authenticate to our ISP tenant and import an oauth2 webapp, and update permissions

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
package main

import (
    "encoding/json"
    "fmt"
    "os"

    "github.com/cyberark/idsec-sdk-golang/pkg/auth"
    "github.com/cyberark/idsec-sdk-golang/pkg/common"
    authmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/auth"
    "github.com/cyberark/idsec-sdk-golang/pkg/services/identity"
    webappsmodels "github.com/cyberark/idsec-sdk-golang/pkg/services/identity/webapps/models"
)

func main() {
    // Perform authentication using IdsecISPAuth to the platform
    // First, create an ISP authentication class
    // Afterwards, perform the authentication
    ispAuth := auth.NewIdsecISPAuth(false)
    _, err := ispAuth.Authenticate(
        nil,
        &authmodels.IdsecAuthProfile{
            Username:           "user@cyberark.cloud.12345",
            AuthMethod:         authmodels.Identity,
            AuthMethodSettings: &authmodels.IdentityIdsecAuthMethodSettings{},
        },
        &authmodels.IdsecSecret{
            Secret: os.Getenv("IDSEC_SECRET"),
        },
        false,
        false,
    )
    if err != nil {
        panic(err)
    }
    identityAPI, err := identity.NewIdsecIdentityAPI(ispAuth.(*auth.IdsecISPAuth))
    if err != nil {
        panic(err)
    }
    // Import the OAuth Server template and configure it as an example
    app, err := identityAPI.Webapps().Import(
        &webappsmodels.IdsecIdentityImportWebapp{
            IdsecIdentityWebappAppsConfiguration: webappsmodels.IdsecIdentityWebappAppsConfiguration{
                OAuthProfile: &webappsmodels.IdsecIdentityWebappOAuthProfile{ // #nosec G101
                    AllowedAuth: []string{
                        "ClientCreds",
                    },
                    Audience: common.Ptr("company://audience"),
                    Issuer:   common.Ptr("mycompany.com"),
                    KnownScopes: []webappsmodels.IdsecIdentityWebappOAuthScope{
                        {
                            Scope:       "scope1",
                            Description: "Scope 1",
                        },
                    },
                    TokenType:           "JwtRS256",
                    TokenLifetimeString: "0.05:00:00",
                },
            },
            TemplateName: "OAuth2Server",
            WebappName:   common.Ptr("OAuth App"),
            ServiceName:  common.Ptr("app_id"),
        },
    )
    if err != nil {
        panic(err)
    }
    appJson, err := json.MarshalIndent(app, "", "  ")
    if err != nil {
        panic(err)
    }
    fmt.Printf("Imported App Result:\n%s\n", string(appJson))

    // Configure permissions
    perms, err := identityAPI.Webapps().SetPermissions(&webappsmodels.IdsecIdentitySetWebappPermissions{
        WebappID: app.WebappID,
        Grants: []webappsmodels.IdsecIdentityWebappGrant{
            {
                Principal:     "user@cyberark.cloud.12345",
                PrincipalType: "User",
                Rights: []string{
                    webappsmodels.GrantRightAdmin,
                    webappsmodels.GrantRightGrant,
                    webappsmodels.GrantRightView,
                    webappsmodels.GrantRightViewDetail,
                    webappsmodels.GrantRightExecute,
                    webappsmodels.GrantRightAutomatic,
                    webappsmodels.GrantRightDelete,
                },
            },
        },
    })
    if err != nil {
        panic(err)
    }
    permsJson, err := json.MarshalIndent(perms, "", "  ")
    if err != nil {
        panic(err)
    }
    fmt.Printf("Set Permissions Result:\n%s\n", string(permsJson))
}

AWS Webapp

In this example we authenticate to our ISP tenant and import an aws user password webapp, once with normal credentials, and once with credentials coming from pCloud, and update permissions

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
package main

import (
    "encoding/json"
    "fmt"
    "os"

    "github.com/cyberark/idsec-sdk-golang/pkg/auth"
    "github.com/cyberark/idsec-sdk-golang/pkg/common"
    authmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/auth"
    "github.com/cyberark/idsec-sdk-golang/pkg/services/identity"
    webappsmodels "github.com/cyberark/idsec-sdk-golang/pkg/services/identity/webapps/models"
)

func main() {
    // Perform authentication using IdsecISPAuth to the platform
    // First, create an ISP authentication class
    // Afterwards, perform the authentication
    ispAuth := auth.NewIdsecISPAuth(false)
    _, err := ispAuth.Authenticate(
        nil,
        &authmodels.IdsecAuthProfile{
            Username:           "user@cyberark.cloud.12345",
            AuthMethod:         authmodels.Identity,
            AuthMethodSettings: &authmodels.IdentityIdsecAuthMethodSettings{},
        },
        &authmodels.IdsecSecret{
            Secret: os.Getenv("IDSEC_SECRET"),
        },
        false,
        false,
    )
    if err != nil {
        panic(err)
    }
    identityAPI, err := identity.NewIdsecIdentityAPI(ispAuth.(*auth.IdsecISPAuth))
    if err != nil {
        panic(err)
    }

    // Get the template and print it out
    template, err := identityAPI.Webapps().GetTemplate(&webappsmodels.IdsecIdentityGetWebappTemplate{
        WebappTemplateName: "Amazon AWS",
    })
    if err != nil {
        panic(err)
    }
    templateJson, err := json.MarshalIndent(template, "", "  ")
    if err != nil {
        panic(err)
    }
    fmt.Printf("Webapp Template:\n%s\n", string(templateJson))

    // Import the template and configure with the AWS Account
    importedWebapp, err := identityAPI.Webapps().Import(&webappsmodels.IdsecIdentityImportWebapp{
        TemplateName: "Amazon AWS",
        WebappName:   common.Ptr("AWS App Normal"),
        Description:  common.Ptr("This is my imported AWS app"),
        IdsecIdentityWebappAppsConfiguration: webappsmodels.IdsecIdentityWebappAppsConfiguration{
            AdditionalIdentifierValue: common.Ptr("123456789234"),
            UserNameStrategy:          common.Ptr("Fixed"),
            Username:                  common.Ptr("awsuser"),
            Password:                  common.Ptr("mypass"),
        },
        IdsecIdentityWebappPolicyConfiguration: webappsmodels.IdsecIdentityWebappPolicyConfiguration{
            WebAppLoginType:    common.Ptr("AuthenticationRule"),
            DefaultAuthProfile: common.Ptr("AlwaysAllowed"),
            AuthRules: &webappsmodels.IdsecIdentityWebappPolicyAuthRule{
                Enabled:   true,
                Type:      "RowSet",
                UniqueKey: "Condition",
                Value: []webappsmodels.IdsecIdentityWebappPolicyAuthRuleConditions{
                    {
                        Conditions: []webappsmodels.IdsecIdentityWebappPolicyAuthRuleCondition{
                            {
                                Op:   common.Ptr("OpInCorpIpRange"),
                                Prop: common.Ptr("IpAddress"),
                            },
                        },
                        ProfileId: common.Ptr("13e3bc1a-6ff7-4b7d-ae90-0ed21d3c393e"),
                    },
                },
            },
        },
    })
    if err != nil {
        panic(err)
    }
    importedWebappJson, err := json.MarshalIndent(importedWebapp, "", "  ")
    if err != nil {
        panic(err)
    }
    fmt.Printf("Imported Webapp:\n%s\n", string(importedWebappJson))

    // Import another template and configure with the AWS Account and Credentials from pCloud
    importedpCloudWebapp, err := identityAPI.Webapps().Import(&webappsmodels.IdsecIdentityImportWebapp{
        TemplateName: "Amazon AWS",
        WebappName:   common.Ptr("AWS App pCloud"),
        Description:  common.Ptr("This is my imported AWS app"),
        IdsecIdentityWebappAppsConfiguration: webappsmodels.IdsecIdentityWebappAppsConfiguration{
            AdditionalIdentifierValue: common.Ptr("123456789234"),
            UserNameStrategy:          common.Ptr("Fixed"),
            Safe:                      common.Ptr("mysafe"),
            AccountName:               common.Ptr("myaccount"),
            ExtAccountId:              common.Ptr("123_456"),
            IsPrivilegedApp:           common.Ptr(true),
        },
        IdsecIdentityWebappPolicyConfiguration: webappsmodels.IdsecIdentityWebappPolicyConfiguration{
            WebAppLoginType:    common.Ptr("AuthenticationRule"),
            DefaultAuthProfile: common.Ptr("AlwaysAllowed"),
            AuthRules: &webappsmodels.IdsecIdentityWebappPolicyAuthRule{
                Enabled:   true,
                Type:      "RowSet",
                UniqueKey: "Condition",
                Value: []webappsmodels.IdsecIdentityWebappPolicyAuthRuleConditions{
                    {
                        Conditions: []webappsmodels.IdsecIdentityWebappPolicyAuthRuleCondition{
                            {
                                Op:   common.Ptr("OpInCorpIpRange"),
                                Prop: common.Ptr("IpAddress"),
                            },
                        },
                        ProfileId: common.Ptr("13e3bc1a-6ff7-4b7d-ae90-0ed21d3c393e"),
                    },
                },
            },
        },
    })
    if err != nil {
        panic(err)
    }
    importedpCloudWebappJson, err := json.MarshalIndent(importedpCloudWebapp, "", "  ")
    if err != nil {
        panic(err)
    }
    fmt.Printf("Imported pCloud Webapp:\n%s\n", string(importedpCloudWebappJson))

    // Configure permissions for Normal AWS App
    perms, err := identityAPI.Webapps().SetPermissions(&webappsmodels.IdsecIdentitySetWebappPermissions{
        WebappID: importedWebapp.WebappID,
        Grants: []webappsmodels.IdsecIdentityWebappGrant{
            {
                Principal:     "user@cyberark.cloud.12345",
                PrincipalType: "User",
                Rights: []string{
                    webappsmodels.GrantRightAdmin,
                    webappsmodels.GrantRightGrant,
                    webappsmodels.GrantRightView,
                    webappsmodels.GrantRightViewDetail,
                    webappsmodels.GrantRightExecute,
                    webappsmodels.GrantRightAutomatic,
                    webappsmodels.GrantRightDelete,
                },
            },
        },
    })
    if err != nil {
        panic(err)
    }
    permsJson, err := json.MarshalIndent(perms, "", "  ")
    if err != nil {
        panic(err)
    }
    fmt.Printf("Set Permissions Result:\n%s\n", string(permsJson))

    // Configure permissions for pCloud AWS App
    pCloudPerms, err := identityAPI.Webapps().SetPermissions(&webappsmodels.IdsecIdentitySetWebappPermissions{
        WebappID: importedpCloudWebapp.WebappID,
        Grants: []webappsmodels.IdsecIdentityWebappGrant{
            {
                Principal:     "user@cyberark.cloud.12345",
                PrincipalType: "User",
                Rights: []string{
                    webappsmodels.GrantRightAdmin,
                    webappsmodels.GrantRightGrant,
                    webappsmodels.GrantRightView,
                    webappsmodels.GrantRightViewDetail,
                    webappsmodels.GrantRightExecute,
                    webappsmodels.GrantRightAutomatic,
                    webappsmodels.GrantRightDelete,
                },
            },
        },
    })
    if err != nil {
        panic(err)
    }
    pCloudPermsJson, err := json.MarshalIndent(pCloudPerms, "", "  ")
    if err != nil {
        panic(err)
    }
    fmt.Printf("Set Permissions pCloud Result:\n%s\n", string(pCloudPermsJson))
}