- Windows Server 2016+ or Windows 10+
- PowerShell 5.1+ (included with Windows)
- Administrator privileges
- CyberArk Identity and Secrets Hub credentials
- Download Go
  - Open a web browser and go to: https://golang.org/dl/
  - Download the Windows MSI installer (e.g., `go1.21.x.windows-amd64.msi`)
- Install Go
  - Run the downloaded MSI file as Administrator
  - Accept all default settings
  - Installation completes to `C:\Program Files\Go`
- Verify Installation
  - Open PowerShell as Administrator
  - Run: `go version`
  - You should see output like: `go version go1.21.x windows/amd64`
- Install from Source
  - Run: `go install github.com/davidh-cyberark/secretshub-sdk-go/examples/get-secrets@latest`
- Verify Installation
  - Run: `get-secrets --help`
```powershell
get-secrets -shurl "SECRETS_HUB_URL" -idtenanturl "IDENTITY_URL" -iduser "USERNAME" -idpass "PASSWORD" [OPTIONS]
```

Required:
- `-shurl`: Your Secrets Hub URL (e.g., https://tenant.secretshub.cyberark.cloud/)
- `-idtenanturl`: Your Identity tenant URL (e.g., https://tenant.id.cyberark.cloud)
- `-iduser`: Your service account username
- `-idpass`: Your service account password

Options:
- `-a`: Get all secrets (recommended for most use cases)
- `-filter`: Apply OData filter to results
- `-limit`: Maximum number of secrets (default: 100, max: 1000)
- `-d`: Enable debug output
```powershell
get-secrets -a -shurl "https://tenant.secretshub.cyberark.cloud/" -idtenanturl "https://tenant.id.cyberark.cloud" -iduser "[email protected]" -idpass "password123" > secrets.json
get-secrets -a -filter "vendorData.tags.value CONTAINS thevalue" -shurl "https://tenant.secretshub.cyberark.cloud/" -idtenanturl "https://tenant.id.cyberark.cloud" -iduser "[email protected]" -idpass "password123" > result.json
get-secrets -a -filter "vendorData.tags.value CONTAINS true" -shurl "https://tenant.secretshub.cyberark.cloud/" -idtenanturl "https://tenant.id.cyberark.cloud" -iduser "[email protected]" -idpass "password123" > filtered-secrets.json
get-secrets -a -filter "vendorType eq 'AZURE'" -shurl "https://tenant.secretshub.cyberark.cloud/" -idtenanturl "https://tenant.id.cyberark.cloud" -iduser "[email protected]" -idpass "password123" > azure-secrets.json
```
Create a file named `Get-CyberArkSecrets.ps1`:
```powershell
param(
    [Parameter(Mandatory=$true)]
    [string]$SecretsHubUrl,
    [Parameter(Mandatory=$true)]
    [string]$IdentityUrl,
    [Parameter(Mandatory=$true)]
    [string]$Username,
    [Parameter(Mandatory=$true)]
    [string]$Password,
    [string]$Filter = "",
    [string]$OutputFile = "secrets-$(Get-Date -Format 'yyyyMMdd-HHmmss').json"
)

# Verify get-secrets is available (a missing command throws and lands in the catch block)
try {
    & get-secrets -version | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "get-secrets tool not found"
    }
}
catch {
    Write-Error "get-secrets tool is not installed or not in PATH"
    exit 1
}

# Build arguments (splatted into the call below)
$arguments = @(
    "-shurl", $SecretsHubUrl,
    "-idtenanturl", $IdentityUrl,
    "-iduser", $Username,
    "-idpass", $Password,
    "-a"
)
if ($Filter) {
    $arguments += "-filter", $Filter
}

# Execute command
try {
    Write-Host "Retrieving secrets from CyberArk Secrets Hub..."
    & get-secrets @arguments | Out-File -FilePath $OutputFile -Encoding UTF8
    if ($LASTEXITCODE -eq 0) {
        # -Raw reads the whole file as one string; without it PowerShell 5.1 feeds
        # ConvertFrom-Json one line at a time and multi-line JSON fails to parse.
        # @() keeps .Count correct when only a single secret is returned.
        $secrets = @(Get-Content $OutputFile -Raw | ConvertFrom-Json)
        Write-Host "Success: Retrieved $($secrets.Count) secrets to $OutputFile"
        # Display summary
        $summary = $secrets | Group-Object vendorType | Select-Object Name, Count
        Write-Host "`nVendor Summary:"
        $summary | ForEach-Object { Write-Host "  $($_.Name): $($_.Count)" }
    }
    else {
        Write-Error "Command failed with exit code $LASTEXITCODE"
        # Propagate the failure so a scheduled task records it instead of reporting success
        exit 1
    }
}
catch {
    Write-Error "Failed to retrieve secrets: $($_.Exception.Message)"
    exit 1
}
```
```powershell
.\Get-CyberArkSecrets.ps1 -SecretsHubUrl "https://tenant.secretshub.cyberark.cloud/" -IdentityUrl "https://tenant.id.cyberark.cloud" -Username "[email protected]" -Password "password123"
.\Get-CyberArkSecrets.ps1 -SecretsHubUrl "https://tenant.secretshub.cyberark.cloud/" -IdentityUrl "https://tenant.id.cyberark.cloud" -Username "[email protected]" -Password "password123" -Filter "vendorType eq 'AZURE'"
.\Get-CyberArkSecrets.ps1 -SecretsHubUrl "https://tenant.secretshub.cyberark.cloud/" -IdentityUrl "https://tenant.id.cyberark.cloud" -Username "[email protected]" -Password "password123" -Filter "vendorData.tags.value CONTAINS thevalue"
```
- Open Task Scheduler
  - Press `Win + R`, type `taskschd.msc`, press Enter
- Create Basic Task
  - Click "Create Basic Task" in the right panel
  - Name: `CyberArk Secret Retrieval`
  - Description: `Daily retrieval of CyberArk secrets`
- Set Trigger
  - Choose "Daily"
  - Set desired time (e.g., 2:00 AM)
- Set Action
  - Choose "Start a program"
  - Program/script: `PowerShell.exe`
  - Arguments: `-File "C:\Scripts\Get-CyberArkSecrets.ps1" -SecretsHubUrl "https://tenant.secretshub.cyberark.cloud/" -IdentityUrl "https://tenant.id.cyberark.cloud" -Username "[email protected]" -Password "password123"`
  - Start in: `C:\Scripts`
- Finish
  - Review settings and click "Finish"
| Purpose | Filter Expression |
|---|---|
| Specific tag value | `vendorData.tags.value CONTAINS thevalue` |
| Boolean tagged secrets | `vendorData.tags.value CONTAINS true` |
| Azure secrets | `vendorType eq 'AZURE'` |
| AWS secrets | `vendorType eq 'AWS'` |
| GCP secrets | `vendorType eq 'GCP'` |
| Unsynced secrets | `syncedByCyberArk eq false` |
| Specific store | `storeName eq 'my-store-name'` |
Solution: Restart PowerShell or log out and back in to refresh the PATH environment variable

Solution:
- Check if `%USERPROFILE%\go\bin` exists
- Add to PATH: `$env:PATH += ";$env:USERPROFILE\go\bin"`

Solution:
- Verify URLs are correct (include trailing slash for Secrets Hub URL)
- Test credentials in CyberArk Identity portal
- Ensure service account has proper permissions

Solution: Set proxy environment variables if behind corporate firewall:
```powershell
$env:HTTP_PROXY = "http://proxy.company.com:8080"
$env:HTTPS_PROXY = "http://proxy.company.com:8080"
```
- Store credentials securely using environment variables or Windows Credential Manager
- Restrict access to output files using NTFS permissions
- Run scripts with service accounts that have minimal required permissions
- Consider using CyberArk Credential Provider for production deployments
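The first two practices above are easiest to follow by keeping the password out of the script's parameters and out of the scheduled task's Arguments field, where it would otherwise sit in plain text in the task definition. The wrapper below is an added example, not part of the original guide or the secretshub-sdk-go project: it stores the service-account credential once with `Export-Clixml` (DPAPI-protected for that user on that machine), decrypts it only when calling `get-secrets`, and restricts the output file's NTFS ACL. The credential file path and the `-StoreCredential` switch are this example's own choices; `get-secrets` itself still receives the password through `-idpass` for the life of its process, which is why the Credential Provider remains the recommendation for production.

```powershell
# Added example: run get-secrets without a password on this script's command line.
# Export-Clixml protects the SecureString with DPAPI for the current user on the
# current machine, so the credential file must be created by the same Windows account
# that runs the scheduled task. File path and switch name are assumptions.
param(
    [Parameter(Mandatory=$true)][string]$SecretsHubUrl,
    [Parameter(Mandatory=$true)][string]$IdentityUrl,
    [string]$CredentialFile = "C:\Scripts\cyberark-sa.cred.xml",
    [string]$Filter = "",
    [string]$OutputFile = "secrets-$(Get-Date -Format 'yyyyMMdd-HHmmss').json",
    [switch]$StoreCredential
)

if ($StoreCredential) {
    # One-time setup, run interactively as the account the task will use
    Get-Credential -Message "CyberArk service account" | Export-Clixml -Path $CredentialFile
    Write-Host "Credential saved to $CredentialFile (DPAPI-protected for this user/machine)"
    return
}

if (-not (Test-Path $CredentialFile)) {
    Write-Error "Credential file not found; run with -StoreCredential first"
    exit 1
}
$cred = Import-Clixml -Path $CredentialFile
# Decrypt only at invocation; the plaintext lives just long enough to build the argument list
$plain = $cred.GetNetworkCredential().Password

$arguments = @("-a", "-shurl", $SecretsHubUrl, "-idtenanturl", $IdentityUrl,
               "-iduser", $cred.UserName, "-idpass", $plain)
if ($Filter) { $arguments += "-filter", $Filter }

& get-secrets @arguments | Out-File -FilePath $OutputFile -Encoding UTF8
$rc = $LASTEXITCODE
$plain = $null

if ($rc -ne 0) {
    Write-Error "get-secrets failed with exit code $rc"
    exit $rc
}

# Lock the output file down to the running account and local administrators (NTFS ACL);
# /inheritance:r drops inherited ACEs so no broader folder permissions leak through
icacls $OutputFile /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(R,W)" "BUILTIN\Administrators:(F)" | Out-Null
Write-Host "Secrets written to $OutputFile"
```

With this wrapper the scheduled task's Arguments field needs only `-File` and the two URLs, and the task must run as the account that executed `-StoreCredential`, since DPAPI keys are per user.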