Create a CyberArk credential

This feature allows users to create a Power Automate credential that retrieves CCP CyberArk secrets from vault during runtime.

Availability

Currently, this feature isn't available for US Government Clouds.

Prerequisites

Set up your CyberArk Central Credential Provider (CCP)

If your CyberArk Central Credential Provider (CCP) isn't set up, complete the following actions:

  1. Install the Central Credential Provider (CCP). Learn more at https://docs.cyberark.com/credential-providers/latest/en/Content/CCP/CCP-Installation.htm.
  2. Ensure that your machines can communicate with the CyberArk server.
  3. Allow https connections to contact the CCP AIMWebService.

Create an application with client certification authentication from PVWA

A signed certificate enables the application authentication with a certificate serial number.

To add a signed certificate:

  1. Sign-in to CyberArk’s Password Vault Web Access (PVWA).

  2. From the left navigation, select the Applications tab and then select Add Application.

    Screenshot of CyberArk application.

  3. Provide the information in the Application window (at least a name) and select Add.

  4. In the details of the application, select Add on the Authentication tab.

  5. Select Certificate serial number and enter the value. Learn more in Application authentication methods.

Set up a CyberArk safe that contains their user accounts

(Optional) If you don’t have a safe yet, you can create a Safe from PVWA:

  1. From the left navigation, select Policies and then select Safes.

  2. Select Create Safe.

  3. Enter a safe name and select PasswordManager.

  4. Enter Safe members and Access then select Create Safe.

    From PVWA, you can then add your machine accounts.

    Note

    You can also create accounts from PrivateArk client.

  5. From the left navigation, select Accounts > Add Account.

  6. Select Windows as system type.

  7. Select the safe you created to store your robotic process automation (RPA) machine accounts.

  8. Provide information about your account and select Add.

    Screenshot of adding an account in CyberArk.

Define application and credential provider as safe member

  1. Add the Credential Provider user as a Safe Member with the following authorizations:

    • List accounts
    • Retrieve accounts
    • View Safe Members

    Screenshot of manage permissions in CyberArk

  2. Add the application as a Safe Member with the following authorizations:

    • Retrieve accounts

Add a CyberArk application to machine / group

Important

It isn't currently possible for users to associate a CyberArk application with machines or groups that are shared with other users.

If you want to run a desktop flow on a machine or a group using CyberArk credentials, you need to add your CyberArk application information in the Power Automate portal.

  1. Sign-in to Power Automate.

  2. From the left navigation, select Machines, and then select the machine or the group.

  3. In the Machine details, select Configure CyberArk.

    Screenshot of the connection using credentials.

  4. Select New application.

  5. Enter the app ID of the application you created from CyberArk PVWA.

  6. Select the certificate, which stores the private and the public key of the certificate.

    • The allowed formats are .pfx or .p12 files.
    • The private key should be marked as exportable.
  7. Enter the certificate file password that is used to open the certificate file.

    Note

    The password is not stored. The certificate is opened and encrypted with the public key of the machine group so it is only readable from the registered machines.

  8. Enter a description (optional) and then select Save.

    Screenshot of configure CyberArk on machine group

Create a CyberArk credential

Now that you complete all the prerequisites steps, you can create your CyberArk credentials.

  1. From the left navigation, select Credentials.

  2. Select New credential.

  3. In the wizard, define a credential name and a brief description, then select Next.

  4. When creating a credential in Power Automate, specify where this credential is used. You can use a credential for two types of usage:

    • Connection: These are the credentials of the user session on which the desktop flow runs.

    • Desktop flows (preview): These are credentials that you want to use in a desktop flow. For example, SAP credential, SharePoint credential, Excel password, etc.

      Note

      For public preview, credentials used in desktop flow actions require CyberArk.

  5. Select CyberArk CCP as the type of credential store.

  6. If you already defined a CyberArk store, you can select it from the dropdown. Otherwise, select Create new.

    • Display name: Provide a name for your CyberArk store.

    • Server address: The server address is the Central Credential Provider URL. For example, https://svc.skytap.com:8992.

      Note

      Versions below the August release don't support a server address ending with a "/".

    • Application Id: To find the Application ID, open CyberArk PVWA (Password Vault Web Access) on a web browser and navigate to the Applications tab.

    • Safe: Populate the name of the safe displayed in CyberArk PVWA.

    • Folder (optional): Populate the folder name where your credentials are stored. By default, credentials are stored in the "Root" folder.

    Screenshot of create new credential store.

  7. In the last step of the wizard, you need to provide the information about the user account:

    • Username: Select a username from your text environment variables or create a new one by selecting new.

      If you create a CyberArk credential to be used in a desktop flow connection, provide your device account. Populate the name of the user (for example, <MACHINENAME\User> or <local\User>) or a Microsoft Entra ID account, such as <DOMAIN\User> or <username@domain.com>.

    • Object name: The object name corresponds to the CyberArk object name store in the CyberArk safe. This value is also called account name in PVWA.

Use the credential in a desktop flow connection

Your credential is now created. You can use it in a desktop flow connection to run desktop flows from cloud flows.

Use the credential in a desktop flow action (preview)

  1. Ensure you have a registered machine where your desktop flow is executed. The credential is retrieved from this machine.

    Important

    The registered machine is required for credentials to work properly at runtime, even for local attended or debugging runs.

  2. In the desktop flow designer, select the Power Automate secret variables (preview) module and then select the Get credential (preview) action.

    Note

    This action isn't available in sovereign clouds yet.

  3. Specify which credential to retrieve. You only see the credentials defined as usable in a desktop flow. In public preview, only credentials using CyberArk as a vault are supported.

  4. Define the name of your produced variable. This variable is marked as "sensitive" and can't be modified. This means the value of this variable isn't stored in the logs.

    Note

    Credential type variables are always enforced to be sensitive, independently of how they are produced (Get credential (preview) action or reassigning a credential variable to a new one, which inherits the same variable type). The same applies to the 'Password' property of credential variables.

  5. After clicking save, use your credential in another action. All Power Automate actions can use credentials.

  6. In the action field, select the blue button for variables. In your flow variables list, find your credential and expand it. You can see the attributes "username" and "password". Select the one you want to use in this action (double-click).

  7. Execute the flow.