community.general.tss lookup – Get secrets from Thycotic Secret Server
Note
This lookup plugin is part of the community.general collection (version 4.8.3).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run: ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.general.
To use it in a playbook, specify: community.general.tss.
New in community.general version 1.0.0.
Synopsis
Uses the Thycotic Secret Server Python SDK to fetch secrets from Secret Server over its REST API at base_url. Authentication is token based: either a token you already hold is passed in (token), or one is obtained from the OAuth2 token endpoint with username and password (and optionally domain).
When the server presents a certificate from a private or self-signed CA, set the environment variable REQUESTS_CA_BUNDLE (on the controller, where the lookup runs) to a file containing the trusted certificates in .pem format, rather than disabling certificate verification. For example:
export REQUESTS_CA_BUNDLE='/etc/ssl/certs/ca-bundle.trust.crt'
Requirements
The requirements below must be satisfied on the controller node, which is where this lookup executes.
python-tss-sdk - https://pypi.org/project/python-tss-sdk/
Parameters
Parameter | Comments
---|---
_terms | The integer ID of the secret.
api_path_uri | The path to append to the base URL to form a valid REST API request. Default: "/api/v1". Can also be set through a configuration entry.
base_url | The base URL of the server, e.g. the scheme, host and application path of the Secret Server instance (see the Examples). Can also be set through a configuration entry.
domain | The domain with which to request the OAuth2 Access Grant. Optional when token is not provided. Requires (continuation missing from this page). Default: "". Can also be set through a configuration entry.
password | The password associated with the supplied username. Required when token is not provided. Can also be set through a configuration entry.
token | Existing token for the Thycotic authorizer. If provided, username and password are not needed. Requires (continuation missing from this page). Can also be set through a configuration entry.
token_path_uri | The path to append to the base URL to form a valid OAuth2 Access Grant request. Default: "/oauth2/token". Can also be set through a configuration entry.
username | The username with which to request the OAuth2 Access Grant. Can also be set through a configuration entry.
Examples
# The literal username/password values below are documentation placeholders.
# In practice supply them through the lookup's configuration entries or an
# Ansible Vault-encrypted variable rather than committing them to the play.
# Note also that ansible.builtin.debug prints the secret to the controller's
# output and logs; real tasks that consume it should set no_log: true.
- hosts: localhost
  vars:
    secret: >-
      {{
        lookup(
          'community.general.tss',
          102,
          base_url='https://secretserver.domain.com/SecretServer/',
          username='user.name',
          password='password'
        )
      }}
  tasks:
    - ansible.builtin.debug:
        msg: >
          the password is {{
            (secret['items']
              | items2dict(key_name='slug',
                           value_name='itemValue'))['password']
          }}

# Same as above, but requesting the OAuth2 grant for a specific domain.
- hosts: localhost
  vars:
    secret: >-
      {{
        lookup(
          'community.general.tss',
          102,
          base_url='https://secretserver.domain.com/SecretServer/',
          username='user.name',
          password='password',
          domain='domain'
        )
      }}
  tasks:
    - ansible.builtin.debug:
        msg: >
          the password is {{
            (secret['items']
              | items2dict(key_name='slug',
                           value_name='itemValue'))['password']
          }}

# Reusing an existing access token, so no username/password is needed.
- hosts: localhost
  vars:
    secret_password: >-
      {{
        ((lookup(
          'community.general.tss',
          102,
          base_url='https://secretserver.domain.com/SecretServer/',
          token='thycotic_access_token',
        ) | from_json).get('items') | items2dict(key_name='slug', value_name='itemValue'))['password']
      }}
  tasks:
    - ansible.builtin.debug:
        msg: the password is {{ secret_password }}
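The two calls behind the lookup, as an added example that is neither the python-tss-sdk nor the plugin's own code: a small client that obtains a bearer token from the OAuth2 endpoint with username/password (optionally a domain), or accepts an existing token, then GETs the secret from the REST API and flattens its items by slug exactly as the Examples above do with items2dict. The URL joining handles the trailing slash in the Examples' base_url, the default paths are the page's /oauth2/token and /api/v1, and a redaction helper shows how to log a secret without the password. Assumptions (not stated on this page): the token endpoint takes a grant_type=password form post and returns access_token; secret items carry slug, itemValue and isPassword. The server responses are constructed for the example, not captured from a real Secret Server.

```python
"""Model of the tss lookup's token + secret calls against a constructed fake server.

Added example; not python-tss-sdk and not the lookup plugin's code. Assumes a
grant_type=password token endpoint returning access_token, and secret items
with slug/itemValue/isPassword. All responses below are constructed.
"""
from __future__ import annotations

from typing import Callable, Dict, Optional


class Response:
    def __init__(self, status: int, body: dict) -> None:
        self.status, self.body = status, body


# transport(method, url, headers, form_or_None) -> Response; a real deployment
# would use requests here, which honours REQUESTS_CA_BUNDLE for private CAs.
Transport = Callable[[str, str, Dict[str, str], Optional[Dict[str, str]]], Response]


class SecretServerClient:
    def __init__(self, base_url: str, transport: Transport,
                 api_path_uri: str = "/api/v1", token_path_uri: str = "/oauth2/token") -> None:
        # Strip slashes so base_url='https://host/SecretServer/' (as in the
        # Examples) joined with '/api/v1' does not become '.../SecretServer//api/v1'.
        root = base_url.rstrip("/")
        self.token_url = f"{root}/{token_path_uri.strip('/')}"
        self.api_url = f"{root}/{api_path_uri.strip('/')}"
        self._transport = transport
        self._token: Optional[str] = None

    def authenticate(self, username: str, password: str, domain: str = "") -> str:
        """OAuth2 password grant; domain is only sent when non-empty (page default '')."""
        form = {"grant_type": "password", "username": username, "password": password}
        if domain:
            form["domain"] = domain
        resp = self._transport("POST", self.token_url, {}, form)
        if resp.status != 200 or "access_token" not in resp.body:
            # Never echo the form in the error: it carries the password.
            raise PermissionError(f"token request to {self.token_url} failed ({resp.status})")
        self._token = resp.body["access_token"]
        return self._token

    def use_token(self, token: str) -> None:
        """Counterpart of the lookup's token= parameter: skip the password grant."""
        self._token = token

    def get_secret(self, secret_id: int) -> dict:
        if not isinstance(secret_id, int) or secret_id < 0:
            raise TypeError("secret id must be a non-negative integer")
        if self._token is None:
            raise RuntimeError("no token: call authenticate() or use_token() first")
        headers = {"Authorization": f"Bearer {self._token}"}
        resp = self._transport("GET", f"{self.api_url}/secrets/{secret_id}", headers, None)
        if resp.status != 200:
            raise LookupError(f"GET secrets/{secret_id} failed ({resp.status})")
        return resp.body


def items_by_slug(secret: dict) -> Dict[str, str]:
    """Same result as: secret['items'] | items2dict(key_name='slug', value_name='itemValue')."""
    return {item["slug"]: item["itemValue"] for item in secret["items"]}


def redacted(secret: dict) -> Dict[str, str]:
    """Slug map with password-type items masked; safe to hand to debug/logging."""
    return {item["slug"]: ("********" if item.get("isPassword") else item["itemValue"])
            for item in secret["items"]}


# ---- constructed fake server standing in for secretserver.domain.com ----
FAKE_TOKEN = "constructed-access-token"
FAKE_SECRET_102 = {
    "id": 102,
    "name": "example-service-account",
    "items": [
        {"slug": "username", "itemValue": "svc-deploy", "isPassword": False},
        {"slug": "password", "itemValue": "constructed-P@ss", "isPassword": True},
    ],
}


def fake_transport(method: str, url: str, headers: Dict[str, str],
                   form: Optional[Dict[str, str]]) -> Response:
    if method == "POST" and url.endswith("/oauth2/token") and form is not None:
        ok = form.get("username") == "user.name" and form.get("password") == "password"
        return Response(200, {"access_token": FAKE_TOKEN}) if ok else Response(401, {"error": "invalid_grant"})
    if method == "GET" and url.endswith("/api/v1/secrets/102"):
        if headers.get("Authorization") != f"Bearer {FAKE_TOKEN}":
            return Response(401, {})
        return Response(200, FAKE_SECRET_102)
    return Response(404, {})


def demo() -> Dict[str, str]:
    """Mirror the page's second example: password grant with a domain, then secret 102."""
    client = SecretServerClient("https://secretserver.domain.com/SecretServer/", fake_transport)
    client.authenticate("user.name", "password", domain="domain")
    return items_by_slug(client.get_secret(102))


if __name__ == "__main__":
    c = SecretServerClient("https://secretserver.domain.com/SecretServer/", fake_transport)
    c.use_token(FAKE_TOKEN)
    print(redacted(c.get_secret(102)))
```

The transport is injected so the flow runs offline; swapping in a real HTTP library is the only change needed for a live server, and the fake's 401 branches exercise the two failure modes a practitioner hits most: wrong credentials at the token endpoint and a stale or wrong bearer token at the secrets endpoint.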
Return Values
Common return values are documented elsewhere; the following field is unique to this lookup:
Key | Description
---|---
_raw | The JSON response to the GET /secrets/{id} REST call. See https://updates.thycotic.net/secretserver/restapiguide/TokenAuth/#operation–secrets–id–get. Returned: success
Authors
Adam Migus (@amigus)
Hint
Configuration entries for each entry type are listed in low-to-high priority order: a source lower in the list overrides one higher up.