Skip to main content
The CyberArk CCP (Central Credential Provider) secret provider connects the Orchestrator to CyberArk Vault via the CCP REST API. CCP provides agentless credential retrieval, allowing the Orchestrator to fetch privileged credentials without requiring a local agent installation.
Console terminology: In the Maverics Console, Orchestrator instances and configuration delivery are managed through Deployments. When working directly with YAML, configuration is managed as files delivered via the -config flag or MAVERICS_CONFIG environment variable.

Overview

When configured with the CyberArk CCP provider, the Orchestrator authenticates to the CCP web service and retrieves credentials from the CyberArk Vault. CCP is the agentless component of CyberArk’s Privileged Access Security solution — it exposes a REST API that applications call to retrieve credentials without needing the CyberArk Application Identity Manager agent installed locally.

Use Cases

  • Agentless credential retrieval — fetch credentials from CyberArk Vault without installing a local agent on the Orchestrator host
  • Enterprise PAM integration — connect the Orchestrator to an existing CyberArk deployment for centralized privileged credential management
  • Separation of duties — CyberArk administrators manage credential policies and rotations; Orchestrator operators consume credentials via CCP

Configuration

Secret providers are not configured in YAML. They are set via the MAVERICS_SECRET_PROVIDER environment variable or the -secretProvider CLI flag.
Console UI documentation is coming soon. This section will walk you through configuring this component using the Maverics Console’s visual interface, including step-by-step screenshots and field descriptions.

Configuration via Environment Variable

export MAVERICS_SECRET_PROVIDER="cyberarkccp://ccp.example.com"

Configuration via CLI Flag

maverics -config maverics.yaml -secretProvider "cyberarkccp://ccp.example.com"

Referencing Secrets in YAML

Once the secret provider is configured, reference secrets in your Orchestrator YAML configuration using angle bracket syntax: 
connectors:
  - name: my-idp
    oauthClientSecret: <maverics.client_secret>

Configuration Reference

URL Structure

cyberarkccp://{ccp-server-address}

URL Parameters

ParameterRequiredDescription
Server addressYesHostname of the CyberArk CCP web service (e.g., ccp.example.com)
The CCP web service must be configured in CyberArk to allow the Orchestrator host to retrieve credentials. Ensure the appropriate Application ID and Safe permissions are configured in the CyberArk PVWA (Password Vault Web Access).

Troubleshooting

“Unauthorized” or authentication errors Verify that the CyberArk Application ID is configured to allow access from the Orchestrator host’s IP address or certificate. Check the CyberArk PVWA audit log for denied requests. “Connection refused” when starting the Orchestrator Confirm the CCP server address is correct and that the Orchestrator host has network access to the CCP REST API endpoint (typically port 443). Secrets not resolving in YAML configuration Ensure the angle bracket syntax matches the account names in the CyberArk Vault. The namespace and key in <namespace.key> must correspond to the Safe and account object stored in CyberArk.

Secret Providers

Overview of all secret providers

CyberArk Conjur

DevOps-oriented secrets for CI/CD and containers