top of page
  • Writer's pictureBrad Linch

Veeam Password Rotation via CyberArk

This will be one of the shorter posts but it is a sweet one! Password rotation with Veeam is something that is starting to come up more often. Rather than point folks to Veeam's PS and API guide, I thought it would be nicer to point folks to an actual script. Below is a script used recently for a customer to rotate their VBR admin password daily through CyberArk,.

This script will get the Veeam admin password from CyberArk and then set the VBR credentials. Certainly doing this daily might be overkill, but you get the point. Could have this run every 90 or 180 days. Whatever meets your security standards.

add-type @”
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
public bool CheckValidationResult(
ServicePoint srvPoint, X509Certificate certificate,
WebRequest request, int certificateProblem) {
return true;
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[System.Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# CyberArk API Endpoint and Credentials
$CyberArkURL = "enter CyberArk URL"
#$CyberArkUsername = "YourCyberArkUsername"
#$CyberArkPassword = "YourCyberArkPassword"

# List of Veeam Server Information
$VeeamServers = @("VBR1_ip", "VBR2_ip")
$VeeamCredentialName = "service_account"

try {
    # Authenticate with CyberArk (if necessary)
    # $CyberArkCredential = New-Object System.Management.Automation.PSCredential ($CyberArkUsername, ($CyberArkPassword | ConvertTo-SecureString -AsPlainText -Force))
    # Make a GET request to CyberArk to retrieve the password
    $CertStorePath = "Cert:\LocalMachine\My"
    $Certificate   = Get-ChildItem -Path $certStorePath | Where-Object {$_.Thumbprint -eq "thumbprint"}
    $result = Invoke-RestMethod -Method "Get" -Uri $CyberArkURL -Certificate $Certificate
    if ($result -ne $null) {
        # Extract the password from the response
        $VBRpass = $result.Content

        # Loop through the list of Veeam servers
        foreach ($VeeamServer in $VeeamServers) {
            # Connect to Veeam Backup Server
            Connect-VBRServer -Server $VeeamServer

            # Set the retrieved password for the Veeam credential
            Get-VBRCredentials -Name $VeeamCredentialName | Set-VBRCredentials -Password $VBRpass

            # Disconnect from the Veeam Backup Server when done
            Disconnect-VBRServer -Confirm:$false
    else {
        Write-Host "CyberArk did not return a valid password."
catch {
    Write-Host "An error occurred: $_"

243 views0 comments

Recent Posts

See All


bottom of page