Credential Provider Secret Path Expressions

Use the path expressions on this page to implement your configured credential providers into your source configurations.

Generic Format

Specific secret path expressions vary for each individual credential provider. The generic format of a secret path can be expressed as follows:

secrets://{vault_name}/{URI_Path_to_secret}/{secretKey}?version={versionnumber}

Important
The provided example has four parts to it, each highlighted with curly braces ({ }). Each part needs to be URI-encoded separately. SailPoint does not support complete URI encoding.

Secret Path Expressions by Credential Provider

The list is divided by the credential provider, and the secret path expressions they support are listed below them.

For more information, refer to Retrieve a secret in the CyberArk documentation.

For information on how to configure the CyberArk Shared Services credential provider, refer to CyberArk Shared Services Credential Provider.

Note
The linked document is not maintained by SailPoint and is subject to change without notice.

Path syntax: {account}/{kind}/{secretKey}

For example:

Before Encoding

secrets://cyberark-cp/LDAP Safe/Operating System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount/username

Important
The URL path should always start with the prefix, secrets://. Each URL should be URL-encoded. Each URL attribute in the path is case-sensitive

After Encoding

After you encode the URL path, it should appear as follows:

secrets://cyberark-cp/LDAP%20Safe/Operating%20System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount/username

The following is an explanation of the attributes of this URL:

  • cyberark-cp – Configured Credential Provider in the Credential Provider Section

  • LDAP Safe – Name of the Safe/Container on which the Privileged Account is onboarded and that needs to be managed.

  • Operating System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount – Name of the account configured in CyberArk Cloud Shared Services.

  • usernamesecretKey which needs to be fetched from the Safe.

Tip
Use urlencoder.org to encode your URL attributes.

Path syntax: {account}/{kind}/{secretKey}

For example:

Before Encoding

secrets://cyberark-cp/LDAP Safe/Operating System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount/password

Important
The URL path should always start with the prefix, secrets://. Each URL should be URL-encoded. Each URL attribute in the path is case-sensitive

After Encoding

After you encode the URL path, it should appear as follows:

secrets://cyberark-cp/LDAP%20Safe/Operating%20System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount/password

The following is an explanation of the components of this URL:

  • cyberark-cp – Configured Credential Provider in the Credential Provider Section.

  • LDAP Safe – Name of the Safe/Container on which the Privileged Account is onboarded and needs to be managed.

  • Operating System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount – Name of the account configured in CyberArk Cloud Shared Services.

  • passwordsecretKey which needs to be fetched from the Safe.

Tip
Use urlencoder.org to encode your URL attributes.

If any secret paths have a prefix or a suffix, you must append a query parameter to the secret path as follows:

  • To add a prefix – ?prefix=<prefix>

    For example, if the secret value returned after evaluation is LocalAdmin, but the complete value required by the secret field is DomainOne\LocalAdmin then the secret path expression will be as follows to add the required prefix:

    secrets://cyberark-cp/LDAP%20Safe/Operating%20System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount/username?prefix=DomainOne%5C

  • To add a suffix – ?suffix=<suffix>

    For example, if the secret value returned after evaluation is localadministrator, but the complete value required by the secret field is localadminstrator@sp.com then the secret path expression will be as follows to add the required suffix:

    secrets://cyberark-cp/LDAP%20Safe/Operating%20System-LDAPServer1-PUWCPMAD3.CredentialP.lab-ServiceAccount/username?suffix=%40sp.com

Important
All input parameters must be encoded.