pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

Unable to get Get-PASAccountPassword "Version" parameter to return a previous password #373

Closed charltonstanley closed 3 years ago

charltonstanley commented 3 years ago

Describe the issue

In short, unable to get password versions/history on an account. I don't know how to get the list of password version numbers that are available which I could then query for. Outside of this needing to be a positive integer, I was unable to find the answer in the documentation for this module, as well as in the CyberArk docs.

To Reproduce

Steps to reproduce the behavior:

  1. Run Get-PASAccount -AccountID xx_xxx | Get-PASAccountPassword -Version 1

Expected behavior

A password that was previously set on the account should be returned.

Screenshots & Console Output


Get-PASAccount -AccountID xx_xxx | Get-PASAccountPassword -Version 1
Invoke-PASRestMethod : [404] Content of account was not found.
At line:214 char:13
+         $result = Invoke-PASRestMethod @Request
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If I specify version 0 then I get the currently set password, however any other number I specify returns the same error. What should I be specifying for the Version parameter in order for this to work?

Your Environment

Include relevant details about your environment

Additional context

Any help would be greatly appreciated! Thanks 😄

edit: updated the psPAS version and tried again. same issue.

charltonstanley commented 3 years ago

Sorry, I accidentally closed this...reopening it.

pspete commented 3 years ago

Hi @charltonstanley - this is nothing to do with which version of psPAS you are using. Your query is not finding a password version with ID 1 because it does not exist (hence the 404 status you get). Your safe is configured to only retain a certain number of passwords, or to only retain passwords for a certain number of days - the version with ID 1 likely ceased to exist once that retention period lapsed.

If you were using PAS 12.1 - you can just use the Get-PASAccountPasswordVersion command to list the current version IDs which exist for the account.

As you are on an earlier version, one way to get the ID is with the PACLI FILEVERSIONSLIST command. I believe the InternalName property relates to the version history ID to use.
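
Added example, not part of the original thread and not psPAS project code: a guard that lists the version IDs still retained for an account before requesting one, so a lapsed version produces a clear warning instead of the 404 shown above. It assumes PAS 12.1 or later, an existing psPAS session, and that the objects returned by Get-PASAccountPasswordVersion expose a `versionID` property; the function name `Get-RetainedPASSecret` and the account ID in the usage comment are hypothetical.

```powershell
# Added example (hypothetical helper, not part of psPAS).
# Requires an authenticated session (New-PASSession) against PAS 12.1 or later.
function Get-RetainedPASSecret {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$AccountID,

        # Version ID to retrieve; must be one the safe still retains
        [Parameter(Mandatory)]
        [int]$Version,

        # Reason recorded for the retrieval
        [Parameter(Mandatory)]
        [string]$Reason
    )

    # List the version IDs that currently exist for the account.
    # Assumption: each returned object has a versionID property.
    $retained = @(Get-PASAccountPasswordVersion -AccountID $AccountID |
            Select-Object -ExpandProperty versionID)

    if ($retained -notcontains $Version) {
        # The requested version has aged out of the safe's retention
        # settings (or never existed); asking for it would return 404.
        $available = ($retained | Sort-Object) -join ', '
        Write-Warning "Version $Version is not retained for account $AccountID. Retained version IDs: $available"
        return
    }

    # Return the secret object to the caller; avoid writing it to the
    # console or to a transcript.
    Get-PASAccountPassword -AccountID $AccountID -Version $Version -Reason $Reason
}

# Usage (constructed account ID, for illustration only):
# $secret = Get-RetainedPASSecret -AccountID '12_345' -Version 3 -Reason 'Recover previous credential'
```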

charltonstanley commented 3 years ago

Hi @pspete thanks for the reply! I guess I'll have to bug the admins to update PAS for me to the latest version so I can use that new cmdlet. 😄

I'll go ahead and close this. Thanks again!