
Cloud Access policy SDK workflow

Here is an example workflow for adding Cloud Access policy assets via the SDK:

package main

import (
    "fmt"
    "os"

    "github.com/cyberark/idsec-sdk-golang/pkg/auth"
    authmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/auth"
    commonmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/common"
    "github.com/cyberark/idsec-sdk-golang/pkg/services/policy"
    policycloudaccessmodels "github.com/cyberark/idsec-sdk-golang/pkg/services/policy/cloudaccess/models"
    commonpolicymodels "github.com/cyberark/idsec-sdk-golang/pkg/services/policy/common/models"
)

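// main authenticates to the platform with an ISP (Identity Security Platform)
// profile and creates a recurring Cloud Access policy that grants a single
// user an AWS console role during a weekday access window.
//
// The login secret is read from the IDSEC_SECRET environment variable. The
// example stops early with a clear message when it is absent, instead of
// sending an empty secret to the authentication endpoint and getting back a
// less specific failure. Every other error is surfaced with panic, which is
// adequate for a sample but should be replaced with real error handling in
// production code.
func main() {
    // Fail fast when the secret is not configured.
    secret, ok := os.LookupEnv("IDSEC_SECRET")
    if !ok || secret == "" {
        panic("IDSEC_SECRET environment variable is not set")
    }

    // Create the ISP authenticator, then authenticate with the Identity auth
    // method. The first return value is not used by this example.
    ispAuth := auth.NewIdsecISPAuth(false)
    _, err := ispAuth.Authenticate(
        nil,
        &authmodels.IdsecAuthProfile{
            Username:           "user@cyberark.cloud.12345",
            AuthMethod:         authmodels.Identity,
            AuthMethodSettings: &authmodels.IdentityIdsecAuthMethodSettings{},
        },
        &authmodels.IdsecSecret{
            Secret: secret,
        },
        false,
        false,
    )
    if err != nil {
        panic(err)
    }

    // Build the policy service client on top of the authenticated session.
    policyAPI, err := policy.NewIdsecPolicyAPI(ispAuth.(*auth.IdsecISPAuth))
    if err != nil {
        panic(err)
    }

    // The result is named createdPolicy rather than policy so the local does
    // not shadow the imported policy package.
    createdPolicy, err := policyAPI.CloudAccess().CreatePolicy(
        &policycloudaccessmodels.IdsecPolicyCloudAccessCloudConsoleAccessPolicy{
            IdsecPolicyCommonAccessPolicy: commonpolicymodels.IdsecPolicyCommonAccessPolicy{
                Metadata: commonpolicymodels.IdsecPolicyMetadata{
                    Name:        "Example SCA Access Policy",
                    Description: "This is an example of a SCA access policy.",
                    // The policy is submitted in the Validating status.
                    Status: commonpolicymodels.IdsecPolicyStatus{
                        Status: commonpolicymodels.StatusTypeValidating,
                    },
                    // Recurring access to the AWS cloud console.
                    PolicyEntitlement: commonpolicymodels.IdsecPolicyEntitlement{
                        TargetCategory: commonmodels.CategoryTypeCloudConsole,
                        LocationType:   commonmodels.WorkspaceTypeAWS,
                        PolicyType:     commonpolicymodels.PolicyTypeRecurring,
                    },
                    PolicyTags: []string{},
                },
                // Who the policy applies to. Replace the placeholder
                // identifiers with the values from your directory.
                Principals: []commonpolicymodels.IdsecPolicyPrincipal{
                    {
                        Type:                commonpolicymodels.PrincipalTypeUser,
                        ID:                  "user-id",
                        Name:                "user@cyberark.cloud.12345",
                        SourceDirectoryName: "CyberArk",
                        SourceDirectoryID:   "12345",
                    },
                },
            },
            Conditions: policycloudaccessmodels.IdsecPolicyCloudAccessConditions{
                IdsecPolicyConditions: commonpolicymodels.IdsecPolicyConditions{
                    // Access window: days 1-5 (presumably Monday-Friday; confirm
                    // the day-numbering convention in the SDK docs), 09:00-17:00.
                    AccessWindow: commonpolicymodels.IdsecPolicyTimeCondition{
                        DaysOfTheWeek: []int{1, 2, 3, 4, 5},
                        FromHour:      "09:00:00",
                        ToHour:        "17:00:00",
                    },
                    // Unit is not shown here (likely hours) - confirm in the SDK docs.
                    MaxSessionDuration: 4,
                },
            },
            // What the principal gets: a single AWS account and IAM role. Keep
            // this list to the minimum set of roles the principal needs.
            Targets: policycloudaccessmodels.IdsecPolicyCloudAccessCloudConsoleTarget{
                AwsAccountTargets: []policycloudaccessmodels.IdsecPolicyCloudAccessAWSAccountTarget{
                    {
                        IdsecPolicyCloudAccessTarget: policycloudaccessmodels.IdsecPolicyCloudAccessTarget{
                            RoleID:        "arn:aws:iam::123456789012:role/ExampleRole",
                            RoleName:      "ExampleRole",
                            WorkspaceID:   "123456789012",
                            WorkspaceName: "ExampleWorkspace",
                        },
                    },
                },
            },
        },
    )
    if err != nil {
        panic(err)
    }
    fmt.Printf("Policy created successfully: %s\n", createdPolicy.Metadata.PolicyID)
}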

In the script above, the following actions are defined:

  • The admin user is logged in to perform actions on the tenant
  • We then configure a Cloud Access policy

Cloud Access policy with dual control

Here is an example workflow for adding a Cloud Access policy with dual control (access approval):

package main

import (
    "fmt"
    "os"

    "github.com/cyberark/idsec-sdk-golang/pkg/auth"
    authmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/auth"
    commonmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/common"
    "github.com/cyberark/idsec-sdk-golang/pkg/services/policy"
    policycloudaccessmodels "github.com/cyberark/idsec-sdk-golang/pkg/services/policy/cloudaccess/models"
    commonpolicymodels "github.com/cyberark/idsec-sdk-golang/pkg/services/policy/common/models"
)

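// main authenticates to the platform with an ISP (Identity Security Platform)
// profile and creates a recurring Cloud Access policy with dual control: the
// user may assume an AWS console role during a weekday access window, but
// only after a designated approver has approved the request.
//
// The login secret is read from the IDSEC_SECRET environment variable. The
// example stops early with a clear message when it is absent, instead of
// sending an empty secret to the authentication endpoint and getting back a
// less specific failure. Every other error is surfaced with panic, which is
// adequate for a sample but should be replaced with real error handling in
// production code.
func main() {
    // Fail fast when the secret is not configured.
    secret, ok := os.LookupEnv("IDSEC_SECRET")
    if !ok || secret == "" {
        panic("IDSEC_SECRET environment variable is not set")
    }

    // Create the ISP authenticator, then authenticate with the Identity auth
    // method. The first return value is not used by this example.
    ispAuth := auth.NewIdsecISPAuth(false)
    _, err := ispAuth.Authenticate(
        nil,
        &authmodels.IdsecAuthProfile{
            Username:           "user@cyberark.cloud.12345",
            AuthMethod:         authmodels.Identity,
            AuthMethodSettings: &authmodels.IdentityIdsecAuthMethodSettings{},
        },
        &authmodels.IdsecSecret{
            Secret: secret,
        },
        false,
        false,
    )
    if err != nil {
        panic(err)
    }

    // Build the policy service client on top of the authenticated session.
    policyAPI, err := policy.NewIdsecPolicyAPI(ispAuth.(*auth.IdsecISPAuth))
    if err != nil {
        panic(err)
    }

    // The result is named createdPolicy rather than policy so the local does
    // not shadow the imported policy package.
    createdPolicy, err := policyAPI.CloudAccess().CreatePolicy(
        &policycloudaccessmodels.IdsecPolicyCloudAccessCloudConsoleAccessPolicy{
            IdsecPolicyCommonAccessPolicy: commonpolicymodels.IdsecPolicyCommonAccessPolicy{
                Metadata: commonpolicymodels.IdsecPolicyMetadata{
                    Name:        "Example SCA Access Policy with Dual Control",
                    Description: "This is an example of a SCA access policy with dual control.",
                    // The policy is submitted in the Validating status.
                    Status: commonpolicymodels.IdsecPolicyStatus{
                        Status: commonpolicymodels.StatusTypeValidating,
                    },
                    // Recurring access to the AWS cloud console.
                    PolicyEntitlement: commonpolicymodels.IdsecPolicyEntitlement{
                        TargetCategory: commonmodels.CategoryTypeCloudConsole,
                        LocationType:   commonmodels.WorkspaceTypeAWS,
                        PolicyType:     commonpolicymodels.PolicyTypeRecurring,
                    },
                    PolicyTags: []string{},
                },
                // Who the policy applies to. Replace the placeholder
                // identifiers with the values from your directory.
                Principals: []commonpolicymodels.IdsecPolicyPrincipal{
                    {
                        Type:                commonpolicymodels.PrincipalTypeUser,
                        ID:                  "user-id",
                        Name:                "user@cyberark.cloud.12345",
                        SourceDirectoryName: "CyberArk",
                        SourceDirectoryID:   "12345",
                    },
                },
            },
            Conditions: policycloudaccessmodels.IdsecPolicyCloudAccessConditions{
                IdsecPolicyConditions: commonpolicymodels.IdsecPolicyConditions{
                    // Access window: days 1-5 (presumably Monday-Friday; confirm
                    // the day-numbering convention in the SDK docs), 09:00-17:00.
                    AccessWindow: commonpolicymodels.IdsecPolicyTimeCondition{
                        DaysOfTheWeek: []int{1, 2, 3, 4, 5},
                        FromHour:      "09:00:00",
                        ToHour:        "17:00:00",
                    },
                    // Unit is not shown here (likely hours) - confirm in the SDK docs.
                    MaxSessionDuration: 4,
                },
                // Dual control: Required makes approval mandatory, and the listed
                // approvers are the principals who can grant it. The approver
                // should be a different identity than the requesting principal.
                AccessApproval: commonpolicymodels.IdsecPolicyAccessApprovalCondition{
                    Required: true,
                    Approvers: []commonpolicymodels.IdsecPolicyPrincipal{
                        {
                            Type:                commonpolicymodels.PrincipalTypeUser,
                            ID:                  "approver-id",
                            Name:                "approver@cyberark.cloud.12345",
                            SourceDirectoryName: "CyberArk",
                            SourceDirectoryID:   "12345",
                        },
                    },
                },
            },
            // What the principal gets: a single AWS account and IAM role. Keep
            // this list to the minimum set of roles the principal needs.
            Targets: policycloudaccessmodels.IdsecPolicyCloudAccessCloudConsoleTarget{
                AwsAccountTargets: []policycloudaccessmodels.IdsecPolicyCloudAccessAWSAccountTarget{
                    {
                        IdsecPolicyCloudAccessTarget: policycloudaccessmodels.IdsecPolicyCloudAccessTarget{
                            RoleID:        "arn:aws:iam::123456789012:role/ExampleRole",
                            RoleName:      "ExampleRole",
                            WorkspaceID:   "123456789012",
                            WorkspaceName: "ExampleWorkspace",
                        },
                    },
                },
            },
        },
    )
    if err != nil {
        panic(err)
    }
    fmt.Printf("Policy created successfully: %s\n", createdPolicy.Metadata.PolicyID)
}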

In the script above, the following actions are defined:

  • The admin user is logged in to perform actions on the tenant
  • We then configure a Cloud Access policy with dual control (access approval), which requires an approver to approve the request before access is elevated