wingetCollections
  • Auto
  • Search
  • Awesome Collections
  • Awesome Programs
  • My Favorite Collections
  • My Collections
  • Account / Settings
  • Terms of Service
  • Privacy
  • About

© 2025 winget.ragerworks.com

Loading...
Install cybr-cli using Winget - wingetCollections
  1. Go back
  2. Packages
  3. cybr-cli
cybr-cli logo

cybr-cli Joe Garcia

aam aim ccp cem cli cloud conjur cyberark identity privilege secrets
Use this command to install cybr-cli:
winget install --id=InfamousJoeG.cybr-cli -e

A "Swiss Army Knife" command-line interface (CLI) for easy human and non-human interaction with CyberArk suite of products. Products supported include Identity Security Platform Shared Services (ISPSS), Privilege Cloud (PCloud), Self-Hosted Privilege (PAM), Central Credential Provider (CCP), Conjur Secrets Manager, and Cloud Entitlments Manager (CEM).

Cybr-cli is a command-line interface (CLI) tool designed to facilitate interaction with CyberArk's suite of products. It serves as a versatile tool for both human users and automated systems, enabling seamless integration and management across various CyberArk solutions.

Key Features:

  • Supports multiple CyberArk products including Identity Security Platform Shared Services (ISPSS), Privilege Cloud (PCloud), Self-Hosted Privileged Access Manager (PAM), Central Credential Provider (CCP), Conjur Secrets Manager, and Cloud Entitlements Manager (CEM).

README

cybr-cli

image

A "Swiss Army Knife" command-line interface (CLI) for easy human and non-human interaction with CyberArk's suite of products.

Current products supported:

  • CyberArk Identity Security Platform Shared Services (ISPSS)
  • CyberArk Privilege Cloud SaaS
  • CyberArk Self-Hosted Privileged Access Manager (PAM)
  • CyberArk Secrets Manager Central Credential Provider (CCP)
  • CyberArk Conjur Secrets Manager Enterprise & Open Source
  • CyberArk Cloud Entitlements Manager (Free trial)

Want to get dangerous quickly? Check out the example bash script at dev/add-delete-pas-application.sh.

cybr-cli CI Quality Gate Status CodeQL

Table of Contents

  • Install
    • MacOS
    • Windows
      • Linux
    • AWS CloudShell
    • Install from Source
  • Usage
    • Authenticating with authn-iam (AWS IAM Role Authentication)
Versions
1.0.2
1.0.1
1.0.0
Website
github.com
License
Last Updated
5/15/2025
  • Enables password management, safe administration, and auditing operations.
  • Provides support for different authentication methods including password-based, multi-factor authentication (MFA), and AWS IAM role-based authentication.

    • Audience & Benefit: Ideal for DevOps engineers, security teams, and organizations utilizing CyberArk products. Cybr-cli enhances operational efficiency by automating routine tasks and providing a unified interface for managing CyberArk resources. It streamlines integration with existing workflows and systems, reducing manual intervention and potential errors.

    Installable via winget for Windows users, cybr-cli offers flexibility and ease of use across different environments.

  • Authenticating to Privilege Cloud via ISPSS (Identity)
    • Password Authentication
    • MFA Authentication
  • Documentation
  • Autocomplete
  • Example Source Code
    • Logon to the PAS REST API Web Service
  • Security
    • cybr safes add-member --role Role Permissions
  • Testing
  • Maintainers
  • Contributions
  • License

    • Install

    MacOS

    $ brew tap infamousjoeg/tap
$ brew install cybr-cli

    Windows

    $ winget install InfamousJoeG.cybr-cli

    Linux

    Download from the Releases page.

    AWS CloudShell

    mkdir -p ~/.local/bin && \
curl --silent "https://api.github.com/repos/infamousjoeg/cybr-cli/releases/latest" |
    grep '"tag_name":' |
    sed -E 's/.*"([^"]+)".*/\1/' |
    xargs -I {}  curl -o ~/.local/bin/cybr -sOL "https://github.com/infamousjoeg/cybr-cli/releases/download/"{}'/linux_cybr' && \
chmod +x ~/.local/bin/cybr

    Install from Source

    $ git clone https://github.com/infamousjoeg/pas-api-go.git
$ make install
$ cybr help

    Usage

    • $ cybr help for top-level commands list
    • $ cybr [command] -h for specific command details and sub-commands list

    Authenticating with authn-iam (AWS IAM Role Authentication)

    Set the following environment variables:

    • CONJUR_ACCOUNT - The Conjur account name
    • CONJUR_APPLIANCE_URL - The URL of the Conjur service (e.g. https://conjur.example.com)
    • CONJUR_AUTHN_LOGIN - The Host ID for the IAM role (e.g. host/cloud/aws/ec2/1234567890/ConjurAWSRoleEC2)
    • CONJUR_AUTHENTICATOR - The authenticator ID (e.g. authn-iam)
    • CONJUR_AUTHN_SERVICE_ID - The authenticator web service ID (e.g. prod)
    • CONJUR_AWS_TYPE - The AWS type (e.g. ec2 or ecs or lambda)

    Once environment variables are set, ensure no .conjurrc or .netrc exists in the user's home directory:

    rm -f ~/.conjurrc ~/.netrc

    Then run any command you wish to run within cybr conjur. Use the --help flag to see all available commands.

    Authenticating to Privilege Cloud via ISPSS (Identity)

    You will need to know the following information to authenticate to Privilege Cloud via ISPSS: * -b, --base-url - The base URL of CyberArk Cloud (e.g. https://example.cyberark.cloud or https://example.privilegecloud.cyberark.cloud) * -u, --username - The username of the Privilege Cloud user (e.g. joe.garcia@cyberark.cloud.1234)

    Password Authentication

    $ cybr logon -u joe.garcia@cyberark.cloud.1234 -a identity -b https://example.cyberark.cloud
+ Challenge #1
Enter password:

    After providing the password, if no other challenges are required, the CLI will handle the token exchange and a successful logon will be displayed.

    MFA Authentication

    If MFA is required, the CLI will prompt for the challenge method to use out of those available:

    $ cybr logon -u joe.garcia@cyberark.cloud.1234 -a identity -b https://example.cyberark.cloud
+ Challenge #1
Enter password:
+ Challenge #2
1. Email... @joe-garcia.com
2. SMS... XXX-1234
> 2
Enter code: 12341234

    After providing the MFA code, if no other challenges are required, the CLI will handle the token exchange and a successful logon will be displayed.

    Documentation

    All commands are documentated in the docs/ directory.

    Autocomplete

    The cybr CLI has a completion command that can be used to enable autocomplete for the CLI. The completion command is dependant on your shell type. Currently the only shells that are supported are: bash, zsh, fish and powershell.

    Below is an example on how to enable cybr cli auto-completion from a zsh shell.

    # enable shell completetion. Only needs to be performed once.
echo "autoload -U compinit; compinit" >> ~/.zshrc

# create and write the auto-completion script.
# ${fpath[1]} '1' may be different depending on your environment.
cybr completion zsh > "${fpath[1]}/_cybr"

    If you are using a different shell execute the completion command with the --help flag and follow instructions for the desired shell type.

    cybr completion --help

    Example Source Code

    Logon to the PAS REST API Web Service

    package main

import (
	"fmt"
	"log"
	"os"

	pasapi "github.com/infamousjoeg/pas-api-go/pkg/cybr/api"
)

var (
	hostname = os.Getenv("PAS_BASE_URL")
	username = os.Getenv("PAS_USERNAME")
	password = os.Getenv("PAS_PASSWORD")
	authType = os.Getenv("PAS_AUTH_TYPE")
)

func main() {
	// Logon to PAS REST API Web Services
	token, errLogon := pasapi.Logon(hostname, username, password, authType, false)
	if errLogon != nil {
		log.Fatalf("Authentication failed. %s", errLogon)
	}
	fmt.Printf("Session Token:\r\n%s\r\n\r\n", token)
}

    Security

    If there is a security concern or bug discovered, please responsibly disclose all information to joe (dot) garcia (at) cyberark (dot) com.

    cybr safes add-member --role Role Permissions

    All safe member roles defined below are based on best practices and recommendations put forth by CyberArk's PAS Programs Office, creators of the CyberArk Blueprint for Identity Security.

    RoleSafe Authorizations
    BreakGlassAll authorizations except Authorize Password Requests
    VaultAdmin- List Accounts- View Audit Log- View Safe Members
    SafeManager- Manage Safe- Manage Safe Members- View Audit Log- View Safe Members- Access Safe w/o Confirmation
    EndUser- Use/Retrieve/List Accounts- View Audit Log- View Safe Members
    Auditor- List Accounts- View Audit Log- View Safe Members
    AIMWebServiceNo authorizations
    AppProvider- Retrieve/List Accounts- View Safe Members
    ApplicationIdentity- Retrieve/List Accounts
    AccountProvisioner- List/Add/Delete Accounts- Update Password Properties- Initiate CPM Password Management Operations- View Audit Log- View Safe Members- Access Safe w/o Confirmation
    CPDeployer- List/Add Accounts- Update Password Properties- Initiate CPM Password Management Operations- Manage Safe Member- View Audit Log, View Safe Members- Access Safe w/o Confirmation
    ComponentOrchestrator- List/Add Accounts- Update Password Properties- Initiate CPM Password Management Operations- View Audit Log- Access Safe w/o Confirmation
    APIAutomation- List/Add/Rename/Delete/Unlock Accounts- Update Password Content/Properties- Initiate CPM Password Management Operations- Manage Safe- Manage Safe Members- View Audit Log- View Safe Members- Create/Delete Folders- Move Accounts/Folders
    PasswordScheduler- List Accounts- Initiate CPM Password Management Operation- View Audit Log- View Safe Members- Access Safe w/o Confirmation
    ApproverLevel1- List Accounts- View Audit Log- View Safe Members- Authorize Password Requests (Level 1)
    ApproverLevel2- List Acccounts- View Audit Log- View Safe Members- Authorize Password Requests (Level 2)

    Testing

    To vet the code, run make vet. To test the code, run make test. To run all tests, run make test-all.

    Maintainers

    @infamousjoeg

    Buy me a coffee

    @AndrewCopeland

    Contributions

    Pull Requests are currently being accepted. Please read and follow the guidelines laid out in CONTRIBUTING.md.

    License

    Apache 2.0