community.general.tss lookup – Get secrets from Thycotic Secret Server

Note

This lookup plugin is part of the community.general collection (version 10.0.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general. You need further requirements to be able to use this lookup plugin, see Requirements for details.

To use it in a playbook, specify: community.general.tss.

New in community.general 1.0.0

Synopsis

  • Uses the Thycotic Secret Server Python SDK to get Secrets from Secret Server using token authentication with username and password on the REST API at base_url.

  • When the server presents a certificate from a private CA (including a self-signed certificate), set the environment variable REQUESTS_CA_BUNDLE on the controller to a file containing the trusted CA certificates in PEM format, rather than disabling certificate verification.

  • For example, export REQUESTS_CA_BUNDLE='/etc/ssl/certs/ca-bundle.trust.crt'.

Requirements

The below requirements are needed on the local controller node that executes this lookup.

  • python-tss-sdk (the Thycotic Secret Server Python SDK); version 1.0.0 or greater is needed for the domain and token parameters.

Terms

Parameter: Terms (list / elements=integer / required)

Comments: The integer ID of the secret. With fetch_secret_ids_from_folder=true the terms are folder IDs instead, and a term of 0 together with secret_path selects the secret by its path (see the keyword parameters below).

Keyword parameters

This describes keyword parameters of the lookup. These are the values key1=value1, key2=value2 and so on in the following examples: lookup('community.general.tss', key1=value1, key2=value2, ...) and query('community.general.tss', key1=value1, key2=value2, ...)

Parameter / Type / Comments

api_path_uri

string

The path to append to the base URL to form a valid REST API request.

Default: "/api/v1"

Configuration:

  • INI entry:

    [tss_lookup]
    api_path_uri = /api/v1
    
  • Environment variable: TSS_API_PATH_URI

base_url

string / required

The base URL of the server, for example https://localhost/SecretServer.

Configuration:

  • INI entry:

    [tss_lookup]
    base_url = VALUE
    
  • Environment variable: TSS_BASE_URL

domain

string

added in community.general 3.6.0

The domain with which to request the OAuth2 Access Grant.

Optional when token is not provided.

Requires python-tss-sdk version 1.0.0 or greater.

Default: ""

Configuration:

  • INI entry:

    [tss_lookup]
    domain = ""
    
  • Environment variable: TSS_DOMAIN

fetch_attachments

boolean

added in community.general 7.0.0

Whether file attachments of the secret are downloaded.

The download only happens if file_download_path has also been provided; without it the flag has no effect.

Choices:

  • false

  • true

fetch_secret_ids_from_folder

boolean

added in community.general 7.1.0

Whether the terms are folder IDs rather than secret IDs.

When true, each term is treated as a folder ID and the lookup returns the IDs of the secrets in that folder. Otherwise (default), the terms are treated as secret IDs.

Choices:

  • false

  • true

file_download_path

path

added in community.general 7.0.0

The directory into which file attachments are downloaded. Used together with fetch_attachments.

password

string

The password associated with the supplied username.

Required when token is not provided.

Prefer supplying it through the environment variable or INI entry below (or an Ansible Vault-encrypted variable) rather than as a literal in the playbook, as the examples below do for brevity; a password in a playbook ends up in version control and in plain-text task output.

Configuration:

  • INI entry:

    [tss_lookup]
    password = VALUE
    
  • Environment variable: TSS_PASSWORD

secret_path

string

added in community.general 7.2.0

The full path of the secret, including folder and secret name (for example \folderName\secretName). Used when the secret ID term is 0.

token

string

added in community.general 3.7.0

An existing access token for the Thycotic authorizer.

If provided, username and password are not needed. Like the password, it is better supplied through the environment variable or INI entry below than as a literal in the playbook.

Requires python-tss-sdk version 1.0.0 or greater.

Configuration:

  • INI entry:

    [tss_lookup]
    token = VALUE
    
  • Environment variable: TSS_TOKEN

token_path_uri

string

The path to append to the base URL to form a valid OAuth2 Access Grant request.

Default: "/oauth2/token"

Configuration:

  • INI entry:

    [tss_lookup]
    token_path_uri = /oauth2/token
    
  • Environment variable: TSS_TOKEN_PATH_URI

username

string

The username with which to request the OAuth2 Access Grant.

Configuration:

  • INI entry:

    [tss_lookup]
    username = VALUE
    
  • Environment variable: TSS_USERNAME

Notes

Note

  • When keyword and positional parameters are used together, positional parameters must be listed before keyword parameters: lookup('community.general.tss', term1, term2, key1=value1, key2=value2) and query('community.general.tss', term1, term2, key1=value1, key2=value2)
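The keyword parameters above can each come from three places (the lookup call, a TSS_* environment variable, or the [tss_lookup] INI section), and two of them only make sense in combination (a term of 0 with secret_path; fetch_attachments with file_download_path). The following Python is an added example, not the plugin's own code, showing how those sources stack and how base_url, api_path_uri and token_path_uri combine into the URLs the lookup talks to. The precedence (keyword over environment over INI over default) follows the Hint at the end of this page; the function names are made up for illustration, and the environment passed in below is constructed rather than read from the real process environment.

```python
# Added example (not the plugin's own code): resolve the lookup's options from the
# three documented sources and compose the URLs the lookup needs. Precedence follows
# the page's Hint (keyword parameter over environment variable over [tss_lookup] INI
# entry over default). Helper names are made up for illustration.
import configparser
import os

INI_SECTION = "tss_lookup"

# Environment variable documented for each option (TSS_ prefix, upper-cased name).
ENV_NAMES = {
    "base_url": "TSS_BASE_URL",
    "username": "TSS_USERNAME",
    "password": "TSS_PASSWORD",
    "token": "TSS_TOKEN",
    "domain": "TSS_DOMAIN",
    "api_path_uri": "TSS_API_PATH_URI",
    "token_path_uri": "TSS_TOKEN_PATH_URI",
}
DEFAULTS = {"api_path_uri": "/api/v1", "token_path_uri": "/oauth2/token", "domain": ""}


def resolve_settings(kwargs, environ=None, ini_text=""):
    """Merge keyword parameters, environment and INI text into one settings dict.

    A lower-priority source is only consulted when nothing higher set the option,
    so an exported TSS_TOKEN wins over a token in the INI file, and a token passed
    to lookup() wins over both.
    """
    environ = os.environ if environ is None else environ
    # '=' only and no interpolation: a '%' or ':' inside a password must survive.
    ini = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    ini.read_string(ini_text)
    settings = {}
    for opt, env_name in ENV_NAMES.items():
        value = DEFAULTS.get(opt)
        if ini.has_option(INI_SECTION, opt):
            value = ini.get(INI_SECTION, opt)
        if environ.get(env_name):
            value = environ[env_name]
        if kwargs.get(opt) is not None:
            value = kwargs[opt]
        settings[opt] = value
    validate_credentials(settings)
    return settings


def validate_credentials(settings):
    """base_url is always required; token, or username plus password, must be present."""
    if not settings.get("base_url"):
        raise ValueError("base_url is required (keyword, TSS_BASE_URL or [tss_lookup] base_url)")
    if not settings.get("token") and not (settings.get("username") and settings.get("password")):
        raise ValueError("provide token, or both username and password")


def _join(base, path):
    # The examples use a base_url with a trailing slash; normalise so no '//' appears.
    return base.rstrip("/") + "/" + path.lstrip("/")


def token_url(settings):
    """OAuth2 Access Grant endpoint: base_url + token_path_uri."""
    return _join(settings["base_url"], settings["token_path_uri"])


def secret_url(settings, secret_id):
    """REST endpoint for one secret: base_url + api_path_uri + /secrets/{id}."""
    return _join(_join(settings["base_url"], settings["api_path_uri"]), f"secrets/{int(secret_id)}")


def plan_term(term, secret_path="", fetch_attachments=False, file_download_path=""):
    """Pre-flight one lookup term against the documented interdependencies:
    a term of 0 means 'by secret_path' and needs secret_path; attachments are only
    downloaded when file_download_path is set."""
    if int(term) == 0:
        if not secret_path:
            raise ValueError("term 0 selects lookup by secret_path, but secret_path is empty")
        mode = f"by path {secret_path}"
    else:
        mode = f"by id {int(term)}"
    if fetch_attachments and not file_download_path:
        return mode + " (attachments not downloaded: file_download_path missing)"
    if fetch_attachments:
        return mode + f" (attachments to {file_download_path})"
    return mode


if __name__ == "__main__":
    # The token comes from the (constructed) environment here, not from the playbook text.
    cfg = resolve_settings(
        {"base_url": "https://secretserver.domain.com/SecretServer/"},
        environ={"TSS_TOKEN": "example-token"},  # constructed, stands in for os.environ
    )
    print(token_url(cfg))        # https://secretserver.domain.com/SecretServer/oauth2/token
    print(secret_url(cfg, 102))  # https://secretserver.domain.com/SecretServer/api/v1/secrets/102
    print(plan_term(0, secret_path=r"\folderName\secretName"))
```

Running the same resolution against your controller's real environment and ansible.cfg before a playbook run is a cheap way to confirm which credential source actually wins, and that the base_url does not end up with a doubled slash in front of /api/v1.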

Examples

- hosts: localhost
  vars:
      secret: >-
        {{
            lookup(
                'community.general.tss',
                102,
                base_url='https://secretserver.domain.com/SecretServer/',
                username='user.name',
                password='password'
            )
        }}
  tasks:
      - ansible.builtin.debug:
          msg: >
            the password is {{
              (secret['items']
                | items2dict(key_name='slug',
                             value_name='itemValue'))['password']
            }}

- hosts: localhost
  vars:
      secret: >-
        {{
            lookup(
                'community.general.tss',
                102,
                base_url='https://secretserver.domain.com/SecretServer/',
                username='user.name',
                password='password',
                domain='domain'
            )
        }}
  tasks:
      - ansible.builtin.debug:
          msg: >
            the password is {{
              (secret['items']
                | items2dict(key_name='slug',
                             value_name='itemValue'))['password']
            }}

- hosts: localhost
  vars:
      secret_password: >-
        {{
            ((lookup(
                'community.general.tss',
                102,
                base_url='https://secretserver.domain.com/SecretServer/',
                token='thycotic_access_token',
            )  | from_json).get('items') | items2dict(key_name='slug', value_name='itemValue'))['password']
        }}
  tasks:
      - ansible.builtin.debug:
          msg: the password is {{ secret_password }}

# The private key is stored in a certificate file attached to the secret.
# If fetch_attachments=True, the private key file is downloaded to the specified path
# and its content is shown in the debug message.
- hosts: localhost
  vars:
      secret: >-
        {{
            lookup(
                'community.general.tss',
                102,
                fetch_attachments=True,
                file_download_path='/home/certs',
                base_url='https://secretserver.domain.com/SecretServer/',
                token='thycotic_access_token'
            )
        }}
  tasks:
    - ansible.builtin.debug:
        msg: >
          the private key is {{
            (secret['items']
              | items2dict(key_name='slug',
                           value_name='itemValue'))['private-key']
          }}

# If fetch_secret_ids_from_folder=true, the term is treated as a folder ID and the IDs of the secrets in that folder are returned
- hosts: localhost
  vars:
      secret: >-
        {{
            lookup(
                'community.general.tss',
                102,
                fetch_secret_ids_from_folder=true,
                base_url='https://secretserver.domain.com/SecretServer/',
                token='thycotic_access_token'
            )
        }}
  tasks:
    - ansible.builtin.debug:
        msg: >
          the secret IDs are {{
              secret
          }}

# If the secret ID term is 0 and secret_path is set, the secret is fetched by its path
- hosts: localhost
  vars:
      secret: >-
        {{
            lookup(
                'community.general.tss',
                0,
                secret_path='\folderName\secretName',
                base_url='https://secretserver.domain.com/SecretServer/',
                username='user.name',
                password='password'
            )
        }}
  tasks:
      - ansible.builtin.debug:
          msg: >
            the password is {{
              (secret['items']
                | items2dict(key_name='slug',
                             value_name='itemValue'))['password']
            }}

Return Value

Key: Return value (list / elements=dictionary)

Description: The JSON responses to GET /secrets/{id}, one per term. With fetch_secret_ids_from_folder=true, the list of secret IDs found in the given folders is returned instead.

See https://updates.thycotic.net/secretserver/restapiguide/TokenAuth/#operation--secrets--id--get.

Returned: success
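Every playbook example above turns one of these responses into a slug-keyed mapping with items2dict(key_name='slug', value_name='itemValue') and then prints the password field. The following Python is an added example, not the plugin's or the collection's code, that does the same transformation in a form you can unit-test, handles the result whether it arrives already parsed or as a JSON string (the third example pipes it through from_json), and masks sensitive fields before anything is logged. The sample response, the set of sensitive slugs, and the function names are constructed for illustration; only the keys this page documents (items, slug, itemValue) are relied on.

```python
# Added example (not the plugin's own code): turn one element of the lookup's return
# value (the JSON response to GET /secrets/{id}) into a slug -> itemValue mapping, the
# shape the playbook examples build with items2dict(key_name='slug', value_name='itemValue').
# Only the keys the page documents (items, slug, itemValue) are relied on; the sample
# response and the list of sensitive slugs are constructed for illustration.
import json

# Constructed sample response; a real server returns more keys than shown here.
SAMPLE_RESPONSE_DICT = {
    "id": 102,
    "name": "example-service-account",
    "items": [
        {"slug": "username", "itemValue": "svc-example"},
        {"slug": "password", "itemValue": "S3cret!"},
        {"slug": "notes", "itemValue": ""},
    ],
}
SAMPLE_RESPONSE = json.dumps(SAMPLE_RESPONSE_DICT)  # the same secret as a JSON string

SENSITIVE_SLUGS = frozenset({"password", "private-key"})  # assumed; extend per secret template


def secret_fields(response):
    """Map slug -> itemValue for one secret.

    The lookup result may arrive as a parsed dict or as a JSON string (the third
    playbook example pipes it through from_json), so both are accepted. Duplicate
    slugs raise instead of the later one silently winning, which is what a plain
    dict comprehension (and items2dict) would do.
    """
    if isinstance(response, (str, bytes)):
        response = json.loads(response)
    fields = {}
    for item in response.get("items", []):
        slug = item["slug"]
        if slug in fields:
            raise ValueError(f"duplicate slug {slug!r} in secret {response.get('id')}")
        fields[slug] = item.get("itemValue")
    return fields


def require_fields(fields, *slugs):
    """Return the requested values in order, naming what is missing up front.

    A playbook indexing ['password'] on a secret template that lacks that slug fails
    with a bare KeyError; this reports the available slug names instead (never values).
    """
    missing = [s for s in slugs if s not in fields]
    if missing:
        raise KeyError(f"missing slugs {missing}; available: {sorted(fields)}")
    return tuple(fields[s] for s in slugs)


def redacted(fields):
    """Copy of the mapping that is safe for log output: sensitive slugs are masked.

    Use this (or no_log: true on the task) when debugging a play that handles the
    lookup result, instead of printing the password as the examples above do.
    """
    return {k: ("***" if k in SENSITIVE_SLUGS else v) for k, v in fields.items()}


if __name__ == "__main__":
    fields = secret_fields(SAMPLE_RESPONSE)
    user, pw = require_fields(fields, "username", "password")
    print(redacted(fields))  # {'username': 'svc-example', 'password': '***', 'notes': ''}
```

The duplicate-slug check is deliberate: if two items in a secret template ever share a slug, items2dict keeps whichever came last, and a play would silently use the wrong value.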

Authors

  • Adam Migus (@amigus)

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.