# CyberArk PAM

{% hint style="info" %}
This feature is part of the Enterprise plan. If it is not enabled for your organization, please contact StrongDM at the [StrongDM Help Center](https://help.strongdm.com/hc/en-us).
{% endhint %}

### Overview

CyberArk Privileged Access Manager (PAM) accounts facilitate access to privileged accounts on your resources. Information that is not considered secret (such as user names, where applicable) is stored in CyberArk as basic account properties. Secret information, such as passwords or private keys, is stored in CyberArk PAM Safes. This guide walks you through the steps to integrate CyberArk PAM as a secret store with StrongDM.

Secret Store integrations allow you to use your existing third-party secret stores with StrongDM. Your credentials are saved in a tool you control. Those credentials are never transmitted to StrongDM in any form. To learn more about Secret Store integrations and their usage, read the [Secret Stores Reference](https://docs.strongdm.com/admin/access/secret-stores).

### Prerequisites

The following items are required to successfully integrate CyberArk PAM with StrongDM:

* You must be an account administrator in StrongDM.
* You should have a healthy gateway or relay to allow authentication with the secret store.
* You have existing resources that you currently manage access to via CyberArk PAM.
* When adding a resource to StrongDM that uses CyberArk PAM for secrets management, you need to have the CyberArk account ID of the resource.

### Configure CyberArk PAM

First, any gateway(s) and relay(s) that you intend to use to access resources via CyberArk PAM must be configured to authenticate with CyberArk. Because of the way CyberArk identifies users and manages seats, each of those gateways and relays must be set up in CyberArk as its own user with its own credentials, and that user should be granted only the Safe permissions it needs to list and retrieve the accounts StrongDM will serve. Once this is done, those gateways and relays can authenticate to CyberArk to fetch the credentials required to connect a user to a protected resource.

On the gateway or relay, set the environment variables `PAM_USERNAME` and `PAM_PASSWORD` to that user's credentials. You can also set `PAM_TLS_SKIP_VERIFY=true` to skip certificate verification if the CyberArk instance does not present a valid certificate. With verification skipped, the gateway accepts any certificate, so anything on the network path to the PVWA can impersonate it and capture the gateway's CyberArk credentials; treat this as a lab setting and, for production, fix the PVWA certificate or trust its issuing CA on the gateway instead.

#### Set up the Secret Store in StrongDM

Next, set up CyberArk integration as a secret store in StrongDM.

1. In the Admin UI, go to **Settings** > **Secrets Management** and to the **Secret Stores** tab.
2. Click **Add secret store**.
3. Give the secret store a name that is recognizable within your organization, such as "CyberArk PAM."
4. Choose **CyberArk PAM** as the secret store type.
5. For the **Application URL**, enter the full URL of the Password Vault Web Access (PVWA) server: `https://` followed by its fully qualified domain name or IP address, with no path component (such as `/foo/bar`) after the host.
   1. Example: `https://192.0.2.10`
   2. Example: `https://exampleserver.example.com`

### Connect to a StrongDM Resource

Now that you have configured your gateways or relays to authenticate to CyberArk and you have set up the secret store within StrongDM, you should be able to use CyberArk PAM when adding resources to StrongDM. The following steps provide an example of how to connect to a database resource using CyberArk PAM.

1. From the Admin UI, go to **Infrastructure > Datasources**.
2. Click **Add Resource**.
3. Enter the properties for your database resource. For more information about the configuration properties for specific resource types, look at the [resource guides](https://docs.strongdm.com/admin/resources).
4. From the **Secret Store** dropdown menu, select the **CyberArk PAM** option.
5. In the **Username (path)** field, add the path to retrieve the username, in the format `<ACCOUNT_ID>?key=username`. Use the CyberArk account ID of your resource, followed by `?key=username`.
6. In the **Password (path)** field, add the path to retrieve the password, in the format `<ACCOUNT_ID>?key=password`. Use the CyberArk account ID of your resource, followed by `?key=password`.
7. When all required fields are complete, click **Create**.

{% hint style="info" %}
The CyberArk account ID to use in credential paths is in the format `24_1`. It can be found directly in the web UI for the vault by going to the **Accounts** tab, finding the account you need, and looking at the details page. You can also get it via the API `GET /PasswordVault/api/Accounts` endpoint or from the account Inventory Report.
{% endhint %}
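To confirm that a gateway's CyberArk user can actually log on, and to obtain the account ID without clicking through the vault UI, here is an added preflight script (example code, not StrongDM's or CyberArk's). It reads the same `PAM_USERNAME`, `PAM_PASSWORD` and `PAM_TLS_SKIP_VERIFY` variables the gateway uses, logs on to the PVWA through the CyberArk REST API, looks the account up with the `GET /PasswordVault/api/Accounts` endpoint mentioned in the note above, and prints the exact **Username (path)** and **Password (path)** values to enter in the Admin UI. The logon and logoff paths (`/PasswordVault/API/auth/CyberArk/Logon`, `/PasswordVault/API/auth/Logoff`), the `search` query parameter and the `userName`/`address` field names are assumptions about the CyberArk PAM REST API (v10 and later); the embedded sample response is constructed.

```python
"""Preflight for a StrongDM gateway's CyberArk PAM setup (added example).

Not StrongDM or CyberArk code. Assumes the CyberArk PAM REST API (v10+):
  POST /PasswordVault/API/auth/CyberArk/Logon  -> session token (JSON string)
  GET  /PasswordVault/api/Accounts?search=...  -> {"value": [...], "count": N}
  POST /PasswordVault/API/auth/Logoff
"""
import json
import os
import ssl
import sys
import urllib.parse
import urllib.request

# Constructed sample of a GET /PasswordVault/api/Accounts response; the field
# names mirror the CyberArk API (assumption). Used by the checks below.
SAMPLE_ACCOUNTS_RESPONSE = {
    "value": [
        {"id": "24_1", "userName": "dbadmin", "address": "db1.example.com", "safeName": "DBA"},
        {"id": "24_2", "userName": "dbadmin", "address": "db2.example.com", "safeName": "DBA"},
    ],
    "count": 2,
}


def credential_paths(account_id: str) -> dict:
    """Build the Username (path) / Password (path) values for a CyberArk account ID."""
    if not account_id or any(c in account_id for c in "?/&"):
        raise ValueError(f"invalid CyberArk account ID: {account_id!r}")
    return {"username": f"{account_id}?key=username",
            "password": f"{account_id}?key=password"}


def find_account_id(accounts_response: dict, user_name: str, address: str) -> str:
    """Select the account ID from an Accounts response.

    `search` is free text and can return several accounts, so require exactly
    one exact (userName, address) match instead of taking the first hit.
    """
    matches = [a for a in accounts_response.get("value", [])
               if a.get("userName") == user_name and a.get("address") == address]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} accounts match {user_name}@{address}, expected 1")
    return matches[0]["id"]


def tls_context() -> ssl.SSLContext:
    """Honour PAM_TLS_SKIP_VERIFY the way the gateway does, but say so loudly."""
    ctx = ssl.create_default_context()
    if os.environ.get("PAM_TLS_SKIP_VERIFY", "").lower() == "true":
        print("WARNING: PAM_TLS_SKIP_VERIFY=true; the PVWA certificate is not checked",
              file=sys.stderr)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def pvwa_call(base_url, path, method="GET", body=None, token=None, ctx=None):
    """One JSON request to the PVWA; the session token goes in the Authorization header."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", token)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def preflight(base_url: str, user_name: str, address: str) -> dict:
    """Log on as the gateway's CyberArk user, find the account, return the two paths."""
    ctx = tls_context()
    token = pvwa_call(base_url, "/PasswordVault/API/auth/CyberArk/Logon", "POST",
                      {"username": os.environ["PAM_USERNAME"],
                       "password": os.environ["PAM_PASSWORD"]}, ctx=ctx)
    try:
        query = urllib.parse.urlencode({"search": f"{user_name} {address}"})
        accounts = pvwa_call(base_url, f"/PasswordVault/api/Accounts?{query}",
                             token=token, ctx=ctx)
        return credential_paths(find_account_id(accounts, user_name, address))
    finally:  # always release the PVWA session, even if the lookup failed
        pvwa_call(base_url, "/PasswordVault/API/auth/Logoff", "POST", token=token, ctx=ctx)


if __name__ == "__main__":
    # Run on the gateway host with PAM_USERNAME / PAM_PASSWORD exported, e.g.:
    #   python3 pam_preflight.py https://pvwa.example.com dbadmin db1.example.com
    base, user, host = sys.argv[1:4]
    for field, value in preflight(base.rstrip("/"), user, host).items():
        print(f"{field.capitalize()} (path): {value}")
```

Run it with the same environment the gateway process sees; if the logon fails here, the gateway's health check will fail for the same reason. `find_account_id` deliberately refuses an ambiguous search result so that a `dbadmin` account on a different host is never pasted into the resource by mistake.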

When the resource is ready, the **Health** icon indicates a positive, green status.

At this point, any StrongDM user in your organization who has been granted access to this resource should be able to access it.
