CyberArk Privilege Cloud MCP Server
An MCP server for CyberArk Privilege Cloud, built on the official ark-sdk-python library. Provides 53 tools for privileged access management.
Supports two authentication modes:
OAuth per-user mode (recommended) -- each user authenticates with their own CyberArk Identity credentials via OAuth. Requires Streamable HTTP transport and an OIDC app in CyberArk Identity (setup guide).
Legacy service account mode -- a single shared service account authenticates all requests via stdio transport. Simpler setup, shown in Quick Start below.
Quick Start
This sets up the legacy service account mode via stdio. For OAuth per-user mode, see OAuth Per-User Mode.
1. Install uv (if not already installed):
```
curl -LsSf https://astral.sh/uv/install.sh | sh
```
2. Configure Claude Desktop - Add to your configuration file:
OS | Configuration File Location |
--- | --- |
macOS | |
Windows | |
Linux | |
```json
{
  "mcpServers": {
    "cyberark-privilege-cloud": {
      "command": "uvx",
      "args": [
        "--from",
        "git+https://github.com/aaearon/mcp-privilege-cloud.git",
        "mcp-privilege-cloud"
      ],
      "env": {
        "CYBERARK_CLIENT_ID": "your-service-user-username",
        "CYBERARK_CLIENT_SECRET": "your-service-user-password"
      }
    }
  }
}
```
3. Restart Claude Desktop - The MCP server will appear in the tools menu (hammer icon) when connected.
Claude Code
```
claude mcp add cyberark-privilege-cloud \
  -e CYBERARK_CLIENT_ID=your-service-user-username \
  -e CYBERARK_CLIENT_SECRET=your-service-user-password \
  -- uvx --from git+https://github.com/aaearon/mcp-privilege-cloud.git mcp-privilege-cloud
```
Example Prompts
Once configured, you can ask Claude things like:
"List all accounts in the Production safe"
"Show me Windows accounts that are failing management"
"Create a new safe called 'DevOps-Credentials' with 30-day retention"
"Add the DevOps team as safe members with retrieve permissions"
"List all active platforms and their account counts"
"Show me active privileged sessions"
Prerequisites
CyberArk Identity Service User with:
Appropriate Identity roles for the desired operations (e.g., Privilege Cloud Administrator for platform management)
Safe permissions granting access to the safes and accounts you want to manage
For OAuth per-user mode: an OIDC app in CyberArk Identity (see setup guide)
Configuration
OAuth Per-User Mode
Each connecting user authenticates with their own CyberArk Identity credentials via OAuth. The server verifies user identity from the OIDC JWT, then uses a shared service account platform token for all PCloud API calls.
Requires Streamable HTTP transport -- see Docker Deployment or set MCP_TRANSPORT=streamable-http when running locally.
Variable | Required | Description |
--- | --- | --- |
 | Yes | CyberArk Identity tenant URL (e.g., …) |
 | Yes | Service account login name (for PCloud platform token) |
 | Yes | Service account password |
 | Yes | OIDC app client ID from Trust tab (for DCR and JWT audience) |
 | Yes | OIDC app client secret from Trust tab (injected server-side in /token proxy) |
MCP_TRANSPORT | No | Transport protocol (default: …) |
 | No | Server bind host (default: …) |
 | No | Server bind port (default: …) |
MCP_SERVER_URL | No | Public URL for OAuth metadata (default: …) |
See CyberArk Identity Setup for full configuration instructions.
Legacy Service Account Mode
Variable | Required | Description |
--- | --- | --- |
CYBERARK_CLIENT_ID | Yes | Your Service User username |
CYBERARK_CLIENT_SECRET | Yes | Your Service User password |
Docker Deployment
The included Dockerfile and docker-compose.yml run the server in Streamable HTTP mode, suitable for OAuth per-user authentication and remote MCP clients.
```
# Create .env with your credentials (see .env.example)
docker compose up -d --build
```
When deploying behind a reverse proxy, configure it to strip trailing slashes from request paths. MCP clients may POST to /mcp/ (trailing slash), causing a 307 redirect that strips the Authorization header. Set MCP_SERVER_URL to the public URL of your server.
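The trailing-slash failure mode above, as an added example that is not part of the project: an ASGI middleware that normalizes `/mcp/` to `/mcp` before routing, so no 307 is issued and the bearer token is never lost on the redirect hop. The demo server, the ASGI mounting and the request driver are constructed stand-ins for illustration, not the project's code.

```python
import asyncio

MCP_PATH = "/mcp"

def normalize_path(path: str) -> str:
    """Map '/mcp/' or '/mcp//' to '/mcp'; '/' itself is left alone."""
    stripped = path.rstrip("/")
    return stripped if stripped else "/"

async def demo_mcp_server(scope, receive, send):
    """Constructed stand-in for the server's routing: 307 when the trailing
    slash is present, 200 on the canonical path with an Authorization header,
    401 without one (what a client sees once the redirect drops the header)."""
    headers = dict(scope["headers"])
    if scope["path"] == MCP_PATH + "/":
        status, body = 307, b""
    elif scope["path"] == MCP_PATH and b"authorization" in headers:
        status, body = 200, b"ok"
    else:
        status, body = 401, b"unauthorized"
    await send({"type": "http.response.start", "status": status, "headers": []})
    await send({"type": "http.response.body", "body": body})

class StripTrailingSlash:
    """ASGI middleware: rewrite the path before routing so no redirect is
    issued and the Authorization header reaches the endpoint intact."""
    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope.get("type") == "http":
            scope = dict(scope, path=normalize_path(scope["path"]))
        await self.app(scope, receive, send)

async def _post(app, path, with_auth):
    # Constructed request: a POST carrying a placeholder bearer token.
    headers = [(b"authorization", b"Bearer <token-placeholder>")] if with_auth else []
    scope = {"type": "http", "method": "POST", "path": path, "headers": headers}
    sent = []
    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}
    async def send(message):
        sent.append(message)
    await app(scope, receive, send)
    return sent[0]["status"]

def post_status(app, path, with_auth=True) -> int:
    """Drive an ASGI app with a single POST and return the response status."""
    return asyncio.run(_post(app, path, with_auth))
```

`post_status(demo_mcp_server, "/mcp/")` returns 307 (the redirect that loses the header), while `post_status(StripTrailingSlash(demo_mcp_server), "/mcp/")` returns 200; fixing the proxy as the README recommends has the same effect without touching the server.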
Available Tools (53 Total)
Account Management (18 tools):
Core Operations: list_accounts, get_account_details, search_accounts, create_account, update_account, delete_account
Password Management: change_account_password, set_next_password, verify_account_password, reconcile_account_password
Advanced Search: filter_accounts_by_platform_group, filter_accounts_by_environment, filter_accounts_by_management_status, group_accounts_by_safe, group_accounts_by_platform, analyze_account_distribution, search_accounts_by_pattern, count_accounts_by_criteria
Safe Management (10 tools):
Core Operations: list_safes, get_safe_details, add_safe, update_safe, delete_safe
Member Management: list_safe_members, get_safe_member_details, add_safe_member, update_safe_member, remove_safe_member
Platform Management (10 tools):
Core Operations: list_platforms, get_platform_details, import_platform_package, export_platform
Lifecycle Management: duplicate_target_platform, activate_target_platform, deactivate_target_platform, delete_target_platform
Statistics: get_platform_statistics, get_target_platform_statistics
Applications Management (9 tools):
Core Operations: list_applications, get_application_details, add_application, delete_application
Auth Methods: list_application_auth_methods, get_application_auth_method_details, add_application_auth_method, delete_application_auth_method
Statistics: get_applications_stats
Session Monitoring (6 tools):
Session Management: list_sessions, list_sessions_by_filter, get_session_details, count_sessions
Activity Tracking: list_session_activities, get_session_statistics
Troubleshooting
Issue | Solution |
--- | --- |
MCP not appearing in Claude | Restart Claude Desktop after saving configuration |
Authentication failed | Verify Service User credentials in CyberArk Identity |
Permission errors | Ensure the Service User has appropriate Identity roles and safe permissions |
Connection issues | Verify you're using the … |
OAuth 401 behind reverse proxy | Ensure the proxy strips trailing slashes (see Docker Deployment) |
 | Install uv: curl -LsSf https://astral.sh/uv/install.sh \| sh |
Verify MCP server manually:
```
uvx --from git+https://github.com/aaearon/mcp-privilege-cloud.git mcp-privilege-cloud
```
Development
```
git clone https://github.com/aaearon/mcp-privilege-cloud.git
cd mcp-privilege-cloud
uv sync
uv run pytest                                # Run all tests
uv run pytest --cov=mcp_privilege_cloud      # Run with coverage
uv run mcp-privilege-cloud                   # Run the server locally
```
Documentation
API Reference - Complete tool specifications and parameters
Architecture - System design and components
CyberArk Identity Setup - OAuth app configuration guide
Development Guide - Contributing and development workflows
Testing Guide - Detailed testing instructions
Security
Never commit credentials to version control
Use secure environment variable management
Grant minimal required permissions to Service Users
In OAuth mode, DCR returns public clients only -- secrets are injected server-side
Official SDK provides automatic token management and secure protocols
License
MIT License - see LICENSE file for details.
Support
For issues and feature requests, please use GitHub Issues.