
mcp-privilege-cloud

A production-ready Model Context Protocol (MCP) server for CyberArk Privilege Cloud integration. Enables AI assistants and MCP clients to securely interact with privileged account management, safe operations, and platform configurations through 8 comprehensive tools.

Installation
Run this command in your terminal to register the server with Claude Code. The `--env` options belong before the `--` separator and the launch command (`uvx ...`) after it:

claude mcp add --transport stdio aaearon-mcp-privilege-cloud \
  --env CYBERARK_CLIENT_ID="your-service-user-username" \
  --env CYBERARK_CLIENT_SECRET="your-service-user-password" \
  -- uvx --from git+https://github.com/aaearon/mcp-privilege-cloud.git mcp-privilege-cloud

Note that a secret passed on the command line this way is written to your shell history; for anything beyond a local test, supply CYBERARK_CLIENT_SECRET from the environment or a secrets manager instead of typing it inline.

How to use

This MCP server provides programmatic access to CyberArk Privilege Cloud through a suite of 53 tools for privileged access management. It supports two authentication modes: an OAuth per-user mode, in which each user authenticates with their own CyberArk Identity credentials via OAuth (recommended, because every action is then authorized and audited as that user), and a legacy service account mode that uses a single shared service account. The server can run locally or be deployed behind a reverse proxy, and is consumed by MCP clients over a standard transport: stdio for local runs, streamable-http for OAuth scenarios.

To use the server, configure Claude Desktop (or your MCP client) to launch it via uvx as shown in the Quick Start instructions. In OAuth mode you will need an OIDC app registered in CyberArk Identity and the matching transport setting (the default transport is stdio; switch to streamable-http for OAuth). The available tools are grouped into Account Management, Safe Management, Platform Management, Applications Management, and Session Monitoring, covering operations from listing accounts and safes to managing platforms, applications, and sessions. Common tasks such as listing accounts, creating safes, managing platform lifecycles, and retrieving session data map to tool names such as list_accounts, create_account, add_safe, import_platform, and list_sessions. The server exposes these operations through a consistent API compatible with MCP clients.

Once configured, you can issue prompts to Claude (or your MCP client) to perform tasks like listing all accounts in a safe, creating a new safe with a defined retention, or listing active privileged sessions. The tooling set is designed to support both day-to-day management and auditing needs, with search and filter capabilities across accounts, safes, platforms, applications, and sessions.

How to install

Prerequisites:

  • A Python environment. The server is run through uvx (part of Astral's uv tooling), which installs the package and its dependencies for you.
  • uv (Astral UV) installed to manage and run MCP servers.
  • Access to the GitHub repository https://github.com/aaearon/mcp-privilege-cloud for the server code.

Step-by-step installation:

  1. Install uv if you don't have it:
curl -LsSf https://astral.sh/uv/install.sh | sh
  2. Install and run the MCP server using uvx with the repository URL:
uvx --from git+https://github.com/aaearon/mcp-privilege-cloud.git mcp-privilege-cloud
  3. If you plan to run OAuth per-user mode, set the necessary environment variables (e.g., CYBERARK_IDENTITY_TENANT_URL, CYBERARK_CLIENT_ID, CYBERARK_CLIENT_SECRET, CYBERARK_OAUTH_CLIENT_ID, CYBERARK_OAUTH_CLIENT_SECRET) and select the transport (MCP_TRANSPORT=streamable-http). When deploying behind a reverse proxy, make sure the proxy normalizes trailing slashes on request paths: a 307 redirect issued to fix the path causes many HTTP clients to drop the Authorization header on the retried request, so authentication silently fails.
  4. To run via Docker (optional): build and deploy with Docker as described in the documentation, passing the same environment variables to the container for authentication.
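The steps above leave the operator to work out which variables each mode needs and whether the transport matches. The following preflight script is an added example, not code from the mcp-privilege-cloud project: it infers the mode from the environment (OAuth per-user if CYBERARK_OAUTH_CLIENT_ID is set, otherwise legacy service account), checks that the variables that mode needs are present, and refuses OAuth mode on the default stdio transport. The variable names are the ones listed on this page; the exact set each mode requires is an assumption made for illustration, so adjust it to the project's documentation.

```shell
#!/usr/bin/env sh
# Added example (not part of the mcp-privilege-cloud project).
# Which variables each mode requires is an assumption for illustration.

# mpc_mode: print the authentication mode implied by the environment:
#   oauth  -> CYBERARK_OAUTH_CLIENT_ID is set (per-user OAuth)
#   legacy -> only CYBERARK_CLIENT_ID is set (shared service account)
#   none   -> no CyberArk credentials at all
mpc_mode() {
  if [ -n "${CYBERARK_OAUTH_CLIENT_ID:-}" ]; then
    echo oauth
  elif [ -n "${CYBERARK_CLIENT_ID:-}" ]; then
    echo legacy
  else
    echo none
  fi
}

# mpc_require VAR...: report each named variable that is empty or unset.
# Returns 0 when all are present, 1 otherwise.
mpc_require() {
  rc=0
  for v in "$@"; do
    eval "val=\${$v:-}"          # indirect lookup, POSIX sh compatible
    [ -n "$val" ] || { echo "preflight: missing $v" >&2; rc=1; }
  done
  return $rc
}

# mpc_preflight: return 0 when the environment is consistent for the
# mode it implies, 1 otherwise, printing every problem found to stderr.
mpc_preflight() {
  mode=$(mpc_mode)
  transport=${MCP_TRANSPORT:-stdio}   # the page: default transport is stdio
  ok=0
  case "$mode" in
    oauth)
      # Per-user OAuth needs the OIDC app, its secret and the tenant URL...
      mpc_require CYBERARK_IDENTITY_TENANT_URL \
                  CYBERARK_OAUTH_CLIENT_ID \
                  CYBERARK_OAUTH_CLIENT_SECRET || ok=1
      # ...and is only meaningful over streamable-http, never stdio.
      if [ "$transport" != streamable-http ]; then
        echo "preflight: OAuth mode needs MCP_TRANSPORT=streamable-http (got $transport)" >&2
        ok=1
      fi
      ;;
    legacy)
      # Shared service account: username is set, the password must be too.
      mpc_require CYBERARK_CLIENT_SECRET || ok=1
      ;;
    *)
      echo "preflight: no CyberArk credentials in the environment" >&2
      ok=1
      ;;
  esac
  echo "preflight: mode=$mode transport=$transport" >&2
  return $ok
}
```

Source the file and gate the launch on it, for example `mpc_preflight && uvx --from git+https://github.com/aaearon/mcp-privilege-cloud.git mcp-privilege-cloud`, so a half-configured OAuth deployment fails loudly on the operator's terminal instead of falling back to whatever the server does when a variable is missing.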

Notes:

  • If you encounter uvx not found, install uv using the command in step 1.
  • For OAuth mode, ensure MCP_TRANSPORT is set to streamable-http if using per-user authentication.

Additional notes

Tips and common issues:

  • OAuth per-user mode requires an OIDC app in CyberArk Identity and the streamable-http transport; set MCP_TRANSPORT=streamable-http or the server will not be reachable for browser-based sign-in.
  • When deploying behind a reverse proxy, strip trailing slashes from request paths or configure the proxy to rewrite them. Otherwise the server answers with a 307 redirect, and HTTP clients generally do not resend the Authorization header when they follow it, so every tool call fails authentication.
  • The server exposes 53 tools across five categories; consult the Available Tools section for the exact tool names for your task (e.g., list_accounts, add_safe_member, import_platform).
  • For local testing, run the server in legacy service account mode by providing CYBERARK_CLIENT_ID and CYBERARK_CLIENT_SECRET in the environment and using the stdio transport. Keep in mind that every action then runs as that one service account, so the audit trail in Privilege Cloud will not distinguish between users of the assistant.
  • To verify that the server starts at all, run it directly: uvx --from git+https://github.com/aaearon/mcp-privilege-cloud.git mcp-privilege-cloud. In stdio mode it will wait for an MCP client on standard input, so a process that stays up without errors is the expected result.
