Vaultamagic

How it works

Vaultamagic is a script generator, not a service. You give it a few values; it hands you a PowerShell script. Everything that touches CyberArk happens on your machine, with your credentials.

1

Fill in your values

Enter your PVWA base URL, choose CyberArk, LDAP, or RADIUS auth, tick which data to export, and (optionally) opt in to secret retrieval with a reason. Pick where the CSVs should land.

2

Copy the script

The page assembles a PowerShell script live as you type. Copy it to the clipboard or download Vaultamagic-Inventory.ps1. It's plain, readable PowerShell — review it first if you like.

3

Run it locally

Run the script in PowerShell. It prompts for your credentials, connects to your PVWA, enumerates everything you selected, and writes one CSV per category to your output folder.

What you get

One CSV per category, written to the folder you choose.

safes.csv

Every Safe you're authorized to see, with description, managing CPM, and retention.

safe-permissions.csv

One row per Safe member with the full permission matrix as columns — users, groups, and applications.

applications.csv

AAM applications, their authentication/retrieval methods, and the Safes each one can access.

accounts.csv

Accounts per Safe with their fields. Opt in to add a Secret column (audited, plaintext — handle with care).

Requirements

  • PowerShell 5.1 or 7+Windows PowerShell ships with Windows; PowerShell 7 also works. The script handles TLS for both.
  • CyberArk, LDAP, or RADIUS authSAML/SSO isn't covered here — see the FAQ for why and what to do.
  • PAM Self-Hosted or Privilege CloudBoth expose the same REST API — just set your PVWA base URL accordingly.
  • Your own permissionsThe script does exactly what your account is authorized to do — nothing more.

See it for yourself

Open the generator and watch the script build as you fill in the form.

Open the generator →