cyberark / ansible-security-automation-collection

CyberArk Ansible Security Automation Collection
MIT License

Cannot delete ssh keys #43

Closed kanabasse closed 11 months ago

kanabasse commented 2 years ago

Summary

SSH key cannot be deleted using cyberark.pas.cyberark_account module, task fails.

Steps to Reproduce

Use cyberark_account module to delete an ssh key from the Vault:

- name: "Delete SSH key"
  cyberark.pas.cyberark_account:
    identified_by: "address,username,platform_id"
    username: "{{ user }}"
    address: "{{ address }}"
    safe: "{{ safe_name }}"
    platform_id: "{{ platform_id }}"
    secret_type: "key"
    state: absent
    cyberark_session: "{{ cyberark_session }}"

Expected Results

Actual Results

{
 "ErrorCode": "PASWS056E",
 "ErrorMessage": "The account is not valid for delete"
}

Reproducible

Version/Tag number

cyberark.pas collection version 1.0.13

Environment setup

Additional Information

According to this answer on Cyberark Technical Community, v10 pvwa api isn't able to delete ssh keys.

Deletion works using v9 api and uri module. Here is my workaround:

- name: "Get ssh key id"
  cyberark.pas.cyberark_account:
    identified_by: "address,username,platform_id"
    username: "{{ user }}"
    address: "{{ address }}"
    safe: "{{ safe_name }}"
    platform_id: "{{ platform_id }}"
    secret_type: "key"
    state: present
    cyberark_session: "{{ cyberark_session }}"
  register: getaction

- name: "Delete ssh key"
  uri:
    url: "https://{{ pvwa_url }}/PasswordVault/WebServices/PIMServices.svc/Accounts/{{ getaction.result.result.id }}"
    method: DELETE
    validate_certs: yes
    return_content: yes
    headers:
      Authorization: "{{ cyberark_session.token }}"
    status_code: 200

pnlrogue1 commented 11 months ago

Also experiencing this issue. CyberArk Privileged Access Security Version 12.6.7 (12.6.7.83).

When using the PowerShell module to delete the same certificates, I am able to do so by adding the -UseClassicAPI option as the modern API doesn't seem able to handle SSH key entries. Looking at the Ansible module documentation and the underlying Python code, I don't see any option to use the classic API meaning the Ansible code currently doesn't support deleting this credential type at all, unless I'm mistaken?

compostCY commented 11 months ago

Please note this is a documented limitation on the PVWA Rest API itself:

https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/WebServices/Delete%20Account.htm?tocpath=Developer%7CREST%20APIs%7CAccounts%7C_____8

The public doc explicitly says: "Note The Delete account REST API does not support SSH Keys"

The current workaround is to use the 1st gen API, as you noted.

Also, please review the following enhancement request (ER) on the subject. Please vote/promote and follow the ER so PVWA Product Management will prioritize this properly: https://cyberark.my.site.com/s/article/Delete-account-REST-API-does-not-support-SSH-Keys-cbbf-c9f
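The fallback discussed in this thread, as an added Python example (not code from the collection or from any commenter): try the current Delete Account endpoint first and retry on the 1st gen endpoint only when the response carries `PASWS056E`, so that authorization or other failures are never retried through the legacy API. The 2nd gen path, the function names, the HTTP status codes in the stand-in server and the account ids are assumptions; the 1st gen path and the error body are taken from the issue above.

```python
import json
import urllib.error
import urllib.request

GEN2_PATH = "/PasswordVault/api/Accounts/{id}"  # assumed current-API path, not shown on this page
GEN1_PATH = "/PasswordVault/WebServices/PIMServices.svc/Accounts/{id}"  # from the workaround above
UNSUPPORTED = "PASWS056E"  # "The account is not valid for delete"


def http_delete(url, token):
    """Send one DELETE and return (status, parsed JSON body or {})."""
    req = urllib.request.Request(url, method="DELETE", headers={"Authorization": token})
    try:
        with urllib.request.urlopen(req) as resp:  # default TLS verification stays on
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    try:
        body = json.loads(raw) if raw else {}
    except ValueError:
        body = {}
    return status, body if isinstance(body, dict) else {}


def delete_account(base_url, token, account_id, send=http_delete):
    """Delete via the current API; fall back to the 1st gen API only on PASWS056E."""
    status, body = send(base_url + GEN2_PATH.format(id=account_id), token)
    if 200 <= status < 300:
        return "gen2"
    if body.get("ErrorCode") != UNSUPPORTED:
        # Auth errors, missing accounts, etc. must surface, not be retried elsewhere.
        raise RuntimeError(f"delete failed: HTTP {status} {body.get('ErrorCode')}")
    status, body = send(base_url + GEN1_PATH.format(id=account_id), token)
    if status != 200:  # the workaround above expects 200 from the 1st gen API
        raise RuntimeError(f"1st gen delete failed: HTTP {status}")
    return "gen1"


def fake_pvwa(ssh_key_ids):
    """Constructed stand-in for PVWA: current API rejects SSH key accounts, 1st gen accepts."""
    calls = []

    def send(url, token):
        calls.append(url)
        account = url.rsplit("/", 1)[-1]
        if "/api/Accounts/" in url and account in ssh_key_ids:
            return 400, {"ErrorCode": UNSUPPORTED,  # status code is an assumption
                         "ErrorMessage": "The account is not valid for delete"}
        return (204 if "/api/" in url else 200), {}

    return send, calls
```

Passing `send=` lets the fallback logic be exercised offline against `fake_pvwa`; with the default transport the token is sent in the `Authorization` header exactly as in the `uri` task above.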