
How to Automate CyberArk with API in 2026

18 min | ADVANCED

Introduction

CyberArk is the leading solution for privileged access management (PAM). In 2026, automation via its REST API reduces risks and accelerates deployments. This tutorial guides you through advanced configuration, OAuth authentication, and account orchestration. You will learn how to create reliable scripts for password rotation and policy management. Each step includes concrete, functional examples tailored to enterprise environments.

Prerequisites

  • CyberArk account with admin rights and API enabled
  • PowerShell 7+ and Python 3.11+
  • Advanced knowledge of OAuth2 and REST
  • Access to the Vault and PVWA
  • Tools: Postman or curl for initial tests

OAuth2 Configuration

oauth-config.json
{
  "client_id": "your-client-id",
  "client_secret": "your-client-secret",
  "grant_type": "client_credentials",
  "scope": "privilegeaccess"
}

This JSON file defines the OAuth2 credentials required to authenticate API calls. Store it securely and never commit it to version control.

PowerShell Authentication

Connect-CyberArk.ps1
# Send the credentials file as raw JSON; converting it to an object first would turn the body into "@{client_id=...}"
$body = Get-Content -Raw -Path '.\oauth-config.json'
$tokenResponse = Invoke-RestMethod -Uri 'https://your-pvwa.com/PasswordVault/API/auth/OAuth2/Token' -Method Post -Body $body -ContentType 'application/json'
if (-not $tokenResponse.access_token) { throw 'No access_token in OAuth2 response' }
# Bearer header reused by every subsequent API call
$headers = @{ 'Authorization' = "Bearer $($tokenResponse.access_token)" }

This PowerShell script retrieves an access token and prepares headers for all subsequent API calls. Handle 401 errors with a refresh mechanism.

Connection Test

Run the PowerShell script to validate authentication. Confirm that the token is received and API permissions are correct before proceeding to account management operations.

Retrieving Accounts

get_accounts.py
import requests
import json

# Reuse the bearer token obtained in the OAuth2 step; never hard-code a real token in the script
headers = {'Authorization': 'Bearer YOUR_TOKEN'}
response = requests.get('https://your-pvwa.com/PasswordVault/API/Accounts', headers=headers, timeout=30)
response.raise_for_status()  # fail loudly on 401/403/5xx instead of printing an error body
print(json.dumps(response.json(), indent=2))

This Python script lists all accounts managed in the Vault. Filter by Safe or platform for more precise queries in production.
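The following is an added example, not code from the tutorial: a small Python client that combines the OAuth2 step, the 401 refresh mechanism recommended above, and a Safe-filtered, paginated account query (the PAS REST API's `filter=safeName eq <Safe>` with `offset`/`limit` and a `{"value": [...], "count": N}` response). The token URL and host are the tutorial's placeholders; `FakeSession`, its expiry rule and the account rows are constructed so the example runs offline. For real use, pass `requests.Session()` as the session and load `oauth-config.json` instead of the inline dict.

```python
"""Token-refreshing client with Safe-filtered, paginated account listing.
Added example, not the tutorial's own code; FakeSession is a constructed
stand-in for requests.Session so the example runs offline."""
from urllib.parse import parse_qs, urlencode, urlparse

BASE_URL = "https://your-pvwa.com/PasswordVault/API"  # placeholder host from the tutorial

# Mirrors oauth-config.json (placeholder values); load the real file at runtime
OAUTH_CONFIG = {
    "client_id": "your-client-id",
    "client_secret": "your-client-secret",
    "grant_type": "client_credentials",
    "scope": "privilegeaccess",
}

# Constructed sample rows standing in for the Vault's answer
ACCOUNTS = [
    {"id": "11_3", "userName": "svc-backup", "safeName": "Prod-Admin-Safe", "platformId": "WinServerLocal"},
    {"id": "11_4", "userName": "svc-sql", "safeName": "Prod-Admin-Safe", "platformId": "WinServerLocal"},
    {"id": "11_5", "userName": "root", "safeName": "Prod-Admin-Safe", "platformId": "UnixSSH"},
    {"id": "12_1", "userName": "devadmin", "safeName": "Dev-Safe", "platformId": "WinServerLocal"},
]


class FakeResponse:
    def __init__(self, status_code, payload):
        self.status_code = status_code
        self._payload = payload

    def json(self):
        return self._payload


class FakeSession:
    """Constructed transport: a token is accepted for MAX_USES requests,
    after which the server answers 401 until a new token is issued."""
    MAX_USES = 2

    def __init__(self):
        self.issued = 0        # tokens handed out
        self.uses = 0          # requests made with the current token
        self.unauthorized = 0  # 401s returned

    def post(self, url, json=None, timeout=None):
        self.issued += 1
        self.uses = 0
        return FakeResponse(200, {"access_token": f"tok{self.issued}"})

    def get(self, url, headers=None, timeout=None):
        if (headers or {}).get("Authorization") != f"Bearer tok{self.issued}" or self.uses >= self.MAX_USES:
            self.unauthorized += 1
            return FakeResponse(401, {"ErrorMessage": "token expired"})  # constructed error body
        self.uses += 1
        query = parse_qs(urlparse(url).query)
        safe = query["filter"][0].split(" eq ", 1)[1]
        offset, limit = int(query["offset"][0]), int(query["limit"][0])
        rows = [a for a in ACCOUNTS if a["safeName"] == safe]
        return FakeResponse(200, {"value": rows[offset:offset + limit], "count": len(rows)})


class CyberArkClient:
    def __init__(self, session, config):
        self.session = session
        self.config = config
        self.token = None

    def _login(self):
        resp = self.session.post(f"{BASE_URL}/auth/OAuth2/Token", json=self.config, timeout=30)
        if resp.status_code != 200:
            raise RuntimeError(f"token request failed: HTTP {resp.status_code}")
        self.token = resp.json()["access_token"]

    def _get(self, path, params):
        if self.token is None:
            self._login()
        for attempt in range(2):
            url = f"{BASE_URL}{path}?{urlencode(params)}"
            resp = self.session.get(url, headers={"Authorization": f"Bearer {self.token}"}, timeout=30)
            if resp.status_code == 401 and attempt == 0:
                self._login()  # expired token: refresh once and replay the same request
                continue
            if resp.status_code != 200:
                raise RuntimeError(f"GET {path} failed: HTTP {resp.status_code}")
            return resp.json()

    def list_accounts(self, safe_name, limit=100):
        """Walk offset/limit pages until the reported count is exhausted."""
        offset, results = 0, []
        while True:
            page = self._get("/Accounts", {"filter": f"safeName eq {safe_name}", "offset": offset, "limit": limit})
            results.extend(page.get("value", []))
            offset += limit
            if not page.get("value") or offset >= page.get("count", 0):
                return results


def run_demo():
    """Three pages of one account each; the third request hits an expired token."""
    session = FakeSession()
    client = CyberArkClient(session, OAUTH_CONFIG)
    accounts = client.list_accounts("Prod-Admin-Safe", limit=1)
    return {"accounts": [a["userName"] for a in accounts],
            "tokens_issued": session.issued,
            "unauthorized_seen": session.unauthorized}


if __name__ == "__main__":
    print(run_demo())
```

The refresh is deliberately limited to one replay per request: if the freshly issued token is also rejected, the failure is raised instead of looping, which is what you want when the client credentials themselves have been revoked.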

Password Rotation

Rotate-Password.ps1
$accountId = '12345'
$body = @{ reason = 'Rotation planifiée' } | ConvertTo-Json
try {  # $headers holds the bearer token from Connect-CyberArk.ps1
    Invoke-RestMethod -Uri "https://your-pvwa.com/PasswordVault/API/Accounts/$accountId/ChangeCredentials" -Method Post -Headers $headers -Body $body -ContentType 'application/json'
} catch {
    Write-Error "Rotation of account $accountId failed: $($_.Exception.Message)"
}

This script triggers immediate password rotation via the API. Add error handling and logging for compliance audits.

Policy Configuration JSON

policy-config.json
{
  "PolicyName": "Production-Admins",
  "PlatformId": "WinServerLocal",
  "SafeName": "Prod-Admin-Safe",
  "PasswordComplexity": {
    "MinLength": 16,
    "RequireSpecial": true
  }
}

This JSON file defines a rotation and complexity policy. Import it via the API to enforce strict rules across multiple Safes.

Best Practices

  • Always use OAuth2 with secret rotation
  • Log every API call with timestamp and request ID
  • Implement retries with exponential backoff
  • Isolate credentials in a dedicated vault
  • Test scripts in a staging environment before production

Common Errors

  • Forgetting the 'privilegeaccess' scope in the OAuth request
  • Failing to handle expired tokens (401 error)
  • Using synchronous calls without timeouts
  • Ignoring API rate limits
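The following is an added example, not code from the tutorial, that puts the rotation call from Rotate-Password.ps1 together with the practices and pitfalls listed above: connect/read timeouts, retries with jittered exponential backoff, honouring the server's `Retry-After` on a 429, refusing to retry non-transient 4xx errors, and one audit log line per attempt carrying a request ID. The endpoint path is the tutorial's; the `X-Request-Id` header is a client-side correlation ID chosen here (an assumption, not a documented CyberArk header); `FlakyTransport` is a constructed stand-in so the example runs offline. With the real library, pass the `requests` module itself as `transport`, since `requests.post(url, headers=, json=, timeout=)` has the same shape.

```python
"""Password rotation with timeouts, exponential backoff, rate-limit handling
and an audit log line per attempt. Added example, not the tutorial's own
code; FlakyTransport is a constructed stand-in for requests."""
import logging
import random
import time
import uuid

BASE_URL = "https://your-pvwa.com/PasswordVault/API"  # placeholder host from the tutorial
RETRYABLE = {429, 502, 503, 504}  # transient: rate limit or upstream trouble
log = logging.getLogger("cyberark.audit")


class FakeResponse:
    def __init__(self, status_code, headers=None):
        self.status_code = status_code
        self.headers = headers or {}


class FlakyTransport:
    """Constructed: answers each call with the next (status, headers) pair in script."""

    def __init__(self, script):
        self.script = list(script)
        self.calls = []

    def post(self, url, headers=None, json=None, timeout=None):
        self.calls.append({"url": url, "request_id": headers.get("X-Request-Id"), "timeout": timeout})
        status, hdrs = self.script.pop(0)
        return FakeResponse(status, hdrs)


def change_credentials(transport, token, account_id, reason, max_attempts=5,
                       base_delay=0.5, sleep=time.sleep):
    """POST .../Accounts/{id}/ChangeCredentials, retrying 429/5xx with backoff.

    Returns the outcome plus the delays slept, so callers can see what happened.
    """
    request_id = str(uuid.uuid4())  # one id per rotation, repeated on every retry (assumed header)
    url = f"{BASE_URL}/Accounts/{account_id}/ChangeCredentials"
    headers = {"Authorization": f"Bearer {token}", "X-Request-Id": request_id}
    delays = []
    for attempt in range(1, max_attempts + 1):
        # (connect, read) timeouts: a rotation must never hang indefinitely
        resp = transport.post(url, headers=headers, json={"reason": reason}, timeout=(5, 30))
        log.info("rotation account=%s request_id=%s attempt=%d status=%d",
                 account_id, request_id, attempt, resp.status_code)
        if resp.status_code < 400:
            return {"ok": True, "attempts": attempt, "request_id": request_id, "delays": delays}
        if resp.status_code not in RETRYABLE:
            # 401/403/404 will not improve by retrying: surface them to the caller
            raise RuntimeError(f"rotation of {account_id} rejected: HTTP {resp.status_code} "
                               f"(request_id={request_id})")
        if attempt == max_attempts:
            break
        retry_after = resp.headers.get("Retry-After")
        if retry_after:
            delay = float(retry_after)  # the server's stated rate limit wins over our schedule
        else:
            delay = base_delay * 2 ** (attempt - 1) + random.uniform(0, base_delay)  # jittered backoff
        delays.append(delay)
        sleep(delay)
    raise RuntimeError(f"rotation of {account_id} gave up after {max_attempts} attempts "
                       f"(request_id={request_id})")


def run_demo():
    """Constructed script: rate-limited, then an upstream 503, then success."""
    transport = FlakyTransport([(429, {"Retry-After": "2"}), (503, {}), (200, {})])
    result = change_credentials(transport, "YOUR_TOKEN", "12345", "Rotation planifiée",
                                sleep=lambda seconds: None)  # do not actually sleep in the demo
    result["same_request_id"] = len({c["request_id"] for c in transport.calls}) == 1
    result["timeouts_set"] = all(c["timeout"] == (5, 30) for c in transport.calls)
    return result


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(name)s %(message)s")
    print(run_demo())
```

Because the same request ID appears on every attempt and in every audit line, a compliance reviewer can reconstruct one rotation end to end even when it took several tries; the non-retryable branch is what keeps a revoked token or a wrong account ID from being hammered until the attempt budget runs out.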

Further Reading

Explore orchestration with CPM workflows and SIEM integrations. Discover our advanced CyberArk training.