Credential Provider Secret Path Expressions
Use the path expressions on this page to implement your configured credential providers into your source configurations.
Generic Format
Specific secret path expressions vary for each individual credential provider. The generic format of a secret path can be expressed as follows:
secrets://{vault_name}/{URI_Path_to_secret}/{secretKey}?version={versionnumber}
Important
The example above has four parts, each enclosed in curly braces ({ }). Each part needs to be URI-encoded separately; SailPoint does not support encoding the complete URI as a single string.
Secret Path Expressions by Credential Provider
The list is divided by the credential provider, and the secret path expressions they support are listed below them.
For more information, refer to Retrieve a secret in the CyberArk documentation.
For information on how to configure the CyberArk Shared Services credential provider, refer to CyberArk Shared Services Credential Provider.
Note
The linked document is not maintained by SailPoint and is subject to change without notice.
Path syntax: {account}/{kind}/{secretKey}
For example:
Before Encoding
secrets://cyberark-cp/LDAP Safe/Operating System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount/username
Important
The URL path should always start with the prefix secrets://. Each URL should be URL-encoded. Each URL attribute in the path is case-sensitive.
After Encoding
After you encode the URL path, it should appear as follows:
secrets://cyberark-cp/LDAP%20Safe/Operating%20System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount/username
The following is an explanation of the attributes of this URL:
- cyberark-cp – Configured Credential Provider in the Credential Provider section
- LDAP Safe – Name of the Safe/Container on which the Privileged Account is onboarded and that needs to be managed
- Operating System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount – Name of the account configured in CyberArk Cloud Shared Services
- username – secretKey which needs to be fetched from the Safe
Tip
Use urlencoder.org to encode your URL attributes.
Path syntax: {account}/{kind}/{secretKey}
For example:
Before Encoding
secrets://cyberark-cp/LDAP Safe/Operating System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount/password
Important
The URL path should always start with the prefix secrets://. Each URL should be URL-encoded. Each URL attribute in the path is case-sensitive.
After Encoding
After you encode the URL path, it should appear as follows:
secrets://cyberark-cp/LDAP%20Safe/Operating%20System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount/password
The following is an explanation of the components of this URL:
- cyberark-cp – Configured Credential Provider in the Credential Provider section
- LDAP Safe – Name of the Safe/Container on which the Privileged Account is onboarded and that needs to be managed
- Operating System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount – Name of the account configured in CyberArk Cloud Shared Services
- password – secretKey which needs to be fetched from the Safe
Tip
Use urlencoder.org to encode your URL attributes.
If any secret paths have a prefix or a suffix, you must append a query parameter to the secret path as follows:
- To add a prefix – ?prefix=<prefix>
  For example, if the secret value returned after evaluation is LocalAdmin, but the complete value required by the secret field is DomainOne\LocalAdmin, then the secret path expression will be as follows to add the required prefix:
  secrets://cyberark-cp/LDAP%20Safe/Operating%20System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount/username?prefix=DomainOne%5C
- To add a suffix – ?suffix=<suffix>
  For example, if the secret value returned after evaluation is localadministrator, but the complete value required by the secret field is localadministrator@sp.com, then the secret path expression will be as follows to add the required suffix:
  secrets://cyberark-cp/LDAP%20Safe/Operating%20System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount/username?suffix=%40sp.com
Important
All input parameters must be encoded.
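The following is an added example, not code from SailPoint or CyberArk, covering both the per-part encoding rule of the generic format and the prefix/suffix query parameters described above. It builds a secret path expression by URI-encoding each of the four parts separately, parses an expression back into its parts with basic validation, and applies the prefix/suffix parameters to the value a provider would return. The function names, the validation rules and the "Safe/Prod" example are this example's own assumptions; the Safe, account and parameter values are the ones used on this page.

```python
"""Build and parse credential provider secret path expressions.

Added example (not SailPoint or CyberArk code). It follows the page's generic format
    secrets://{vault_name}/{URI_Path_to_secret}/{secretKey}?version={versionnumber}
and the CyberArk Shared Services syntax {account}/{kind}/{secretKey}, plus the
optional prefix/suffix query parameters. Function names are this example's own.
"""
from urllib.parse import quote, unquote, urlencode, urlsplit, parse_qsl

SCHEME = "secrets://"
MANDATORY_PARTS = 4  # vault name, Safe, account, secretKey
ALLOWED_PARAMS = {"version", "prefix", "suffix"}  # parameters shown on the page

# Account name taken from the page's examples
ACCOUNT = "Operating System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount"


def encode_part(part):
    """URI-encode ONE path attribute. safe="" so a '/' inside an attribute becomes
    %2F instead of being mistaken for a path separator."""
    return quote(part, safe="")


def build_secret_path(vault, safe, account, secret_key, version=None, prefix=None, suffix=None):
    """Assemble a secret path, encoding each of the four parts separately
    (the page warns that encoding the complete URI as one string is not supported)."""
    path = "/".join(encode_part(p) for p in (vault, safe, account, secret_key))
    params = {}
    if version is not None:
        params["version"] = str(version)
    if prefix is not None:
        params["prefix"] = prefix
    if suffix is not None:
        params["suffix"] = suffix
    # quote_via=quote (not quote_plus) so a space becomes %20 like the path parts;
    # urlencode passes safe="" so '\' and '@' become %5C and %40 as on the page.
    query = urlencode(params, quote_via=quote)
    return SCHEME + path + ("?" + query if query else "")


def parse_secret_path(expr):
    """Split an expression back into decoded parts and query parameters.
    Raises ValueError for a missing secrets:// prefix, a wrong number of
    path parts (e.g. an unencoded '/' inside an attribute) or unknown parameters."""
    if not expr.startswith(SCHEME):
        raise ValueError("secret path must start with " + SCHEME)
    parts = urlsplit(expr)
    # netloc holds the vault name, path holds the remaining three attributes
    raw_parts = [parts.netloc] + parts.path.lstrip("/").split("/")
    if len(raw_parts) != MANDATORY_PARTS or any(p == "" for p in raw_parts):
        raise ValueError("expected %d non-empty path parts, got %r" % (MANDATORY_PARTS, raw_parts))
    vault, safe, account, secret_key = (unquote(p) for p in raw_parts)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    unknown = set(params) - ALLOWED_PARAMS
    if unknown:
        raise ValueError("unsupported query parameters: %s" % sorted(unknown))
    return {"vault": vault, "safe": safe, "account": account,
            "secretKey": secret_key, "params": params}


def resolve_with_affixes(secret_value, params):
    """Apply the prefix/suffix parameters to the value the provider returned,
    giving the complete value the secret field expects (assumed semantics)."""
    return params.get("prefix", "") + secret_value + params.get("suffix", "")


if __name__ == "__main__":
    expr = build_secret_path("cyberark-cp", "LDAP Safe", ACCOUNT, "username", prefix="DomainOne\\")
    print(expr)
    parsed = parse_secret_path(expr)
    # "LocalAdmin" is the constructed returned value from the page's prefix example
    print(resolve_with_affixes("LocalAdmin", parsed["params"]))
```

Running the module prints the username expression with the DomainOne\ prefix and the resolved value DomainOne\LocalAdmin. Because every attribute is quoted with safe="", a Safe or account name that itself contains a slash is carried as %2F and the expression still splits into exactly four parts; the parser rejects an expression where such a slash was left unencoded, which is the failure mode the per-part encoding rule guards against.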