Dynamic Secrets in Ansible Automation Platform with CyberArk's Central Credential Provider

1,508 views

Joe Garcia

1 day ago

Comments: 12
@louistiches4810 · a month ago
You do not need a machine credential; somewhere in the inventory or playbook, set the ansible_user variable and the ansible_password var. Also, please explain the differences between the two credential types in AAP. How would you recommend pulling the secrets from a user's safe that isn't assigned a platform?
@infamousjoeg · 18 days ago
1. That is another approach that works just as well! 2. The Central Credential Provider Lookup utilizes that retrieval method from CyberArk to fetch the secret, and the Conjur Secrets Manager Lookup uses that particular service instead. They are add-on solutions to CyberArk's PAM platform.
@VipulWaibhav · 17 days ago
Hi Joe, if we simply configure a credential with the "CyberArk AIM Central Credential Provider" and pass that in the job template, how do we retrieve the password for our SSH/WinRM user? We need to do it through a query, right? A query such as this: Safe=;Username= Can you tell me how to get this password, either in the playbook or in the AWX application itself?
@infamousjoeg · 13 days ago
If you check out this video, it explains how to configure that portion. After setting up the "Central Credential Provider Secret Lookup" credential type to specify the connection details to CyberArk, you'll then need to create your actual Credential in Ansible; however, you don't set the values, you choose the Secret Lookup previously created instead and provide the query there. Here's a link to the point in the video where it is explained: kzbin.info/www/bejne/nmWkaISFoK9joNksi=TJTd2b7uHm5wTbW_&t=1182 After that is done, you can either apply the credential to the Job Template to be used like normal for machine connections automatically, or reference the Credential's environment variables in the playbook being run in the Job Template.
@ssmm4565 · 6 months ago
Hi Joe, thanks for the video. I have a few concerns and hope you can help explain: 1. Does the Machine credential link to the CyberArk AIM Central Credential Provider Lookup credential? What did you put into the metadata field? 2. Is it required to build a custom EE like yours to run the playbook? Can I use the default execution environment? 3. Does this guide work with Ansible Tower or only AAP?
@infamousjoeg · 6 months ago
1. The Machine credential is a "dummy" credential. The username is `ec2-user` since that is the username that my playbook will be running as on the remote nodes. The password is just `dummy` -- it's not real; the purpose is so that `ansible_user` is set to `ec2-user` in the play. 2. It is not required to build a custom EE like mine. If you'd like to use mine, it is available at hub.docker.com/r/nfmsjoeg/cyberark-ee. The default Execution Environment will work, but you'll need to install the cyberark.pas collection as part of the first task that runs. 3. This guide works for Ansible Tower 3.5.1 & above and all versions of AAP.
@BestHKisDLM · 19 days ago
Do we even need to create and define the CyberArk Central Credential Provider Lookup? I mean, it's not used anywhere. You didn't use it to get the remote secret in the dummy, which is there solely to populate the ansible_user variable, and the template gets extra vars with the CCP details...
@infamousjoeg · 18 days ago
I rewatched and I understand the confusion now. In the video, I set up the Central Credential Provider lookup, but then in my Job Template I'm using Extra Vars to provide the same. I will create a follow-up video that closes the loop there. Either method works, but I need to complete the explanation around the CCP Lookup; my apologies for missing that. The dummy credential is used to provide the ansible_user variable, but that can be done within the playbook too, in order to eliminate the need for the credential altogether on the Job Template. There are many ways someone can approach this to achieve the same end result.
@BestHKisDLM · 9 days ago
@infamousjoeg Thank you Joe. Much appreciated!
@BestHKisDLM · 9 days ago
@infamousjoeg What I missed the most is any information on how I can access the values provided in the CCP Lookup directly in the playbook; I also failed to find any AAP documentation on that. :( Therefore, so far I have gone with a custom credential type where the injectors are in my control, but it may be completely unnecessary if I can access the values from ENV or as extra_vars from the CCP Lookup.
@infamousjoeg · 9 days ago
@BestHKisDLM The Central Credential Provider lookup works as a "service broker" of sorts. The environment variables you can use in extra_vars or in the playbook are based on the Credential Type you choose to reference the Central Credential Provider lookup within. For example, I'll set up a Central Credential Provider Lookup credential to point to ccp.example.com and use App ID "Ansible"; then I have to separately create a "Machine" credential type and, where it asks for "Username" and "Password", I click the "Key icon" next to the fields and it will let me choose that Central Credential Provider lookup to pull from. After that, it's giving the safe and account name of the account I want from CyberArk.
@BestHKisDLM · 8 days ago
@infamousjoeg Thank you for the additional explanation. I do get that it's a broker and I have to use it to create another credential with an external source referencing its details, like pw or so. But imagine this at scale, I mean hundreds or thousands of machines, or any other credentials for that matter. Creating an extra set of credentials in AAP is what I'd like to avoid. Not even programmatically creating AAP resources; it's unnecessary at this scale. I can deal with it inside the Ansible playbook. In AAP I'll rather store only ONE credential, a custom credential type that passes me the url, app id, cert and key (in env or extra_vars that I expect/control) and then deal with it using a pre_tasks block with delegate_to: localhost and save it to a file, as the credential module expects a path, rather than have to create dozens or hundreds of credentials in AAP. Hope you see what I mean. :)