community.general.tss lookup – Get secrets from Thycotic Secret Server

Note

This lookup plugin is part of the community.general collection (version 5.0.2).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.tss.

New in version 1.0.0: of community.general

Synopsis

  • Uses the Thycotic Secret Server Python SDK to get Secrets from Secret Server using token authentication with username and password on the REST API at base_url.

  • When using self-signed certificates the environment variable REQUESTS_CA_BUNDLE can be set to a file containing the trusted certificates (in .pem format).

  • For example, export REQUESTS_CA_BUNDLE='/etc/ssl/certs/ca-bundle.trust.crt'.

Requirements

The below requirements are needed on the local controller node that executes this lookup.

Parameters

Parameter

Comments

_terms

integer / required

The integer ID of the secret.

api_path_uri

string

The path to append to the base URL to form a valid REST API request.

Default: “/api/v1”

Configuration:

  • Environment variable: TSS_API_PATH_URI

base_url

string / required

The base URL of the server, e.g. https://localhost/SecretServer.

Configuration:

  • INI entry:

    [tss_lookup]
    base_url = None
    
  • Environment variable: TSS_BASE_URL

domain

string

added in 3.6.0 of community.general

The domain with which to request the OAuth2 Access Grant.

Optional when token is not provided.

Requires python-tss-sdk version 1.0.0 or greater.

Default: “”

Configuration:

  • INI entry:

    [tss_lookup]
    domain =
    
  • Environment variable: TSS_DOMAIN

password

string

The password associated with the supplied username.

Required when token is not provided.

Configuration:

  • INI entry:

    [tss_lookup]
    password = None
    
  • Environment variable: TSS_PASSWORD

token

string

added in 3.7.0 of community.general

Existing token for Thycotic authorizer.

If provided, username and password are not needed.

Requires python-tss-sdk version 1.0.0 or greater.

Configuration:

  • INI entry:

    [tss_lookup]
    token = None
    
  • Environment variable: TSS_TOKEN

token_path_uri

string

The path to append to the base URL to form a valid OAuth2 Access Grant request.

Default: “/oauth2/token”

Configuration:

  • Environment variable: TSS_TOKEN_PATH_URI

username

string

The username with which to request the OAuth2 Access Grant.

Configuration:

  • INI entry:

    [tss_lookup]
    username = None
    
  • Environment variable: TSS_USERNAME

Examples

- hosts: localhost
  vars:
      secret: >-
        {{
            lookup(
                'community.general.tss',
                102,
                base_url='https://secretserver.domain.com/SecretServer/',
                username='user.name',
                password='password'
            )
        }}
  tasks:
      - ansible.builtin.debug:
          msg: >
            the password is {{
              (secret['items']
                | items2dict(key_name='slug',
                             value_name='itemValue'))['password']
            }}

- hosts: localhost
  vars:
      secret: >-
        {{
            lookup(
                'community.general.tss',
                102,
                base_url='https://secretserver.domain.com/SecretServer/',
                username='user.name',
                password='password',
                domain='domain'
            )
        }}
  tasks:
      - ansible.builtin.debug:
          msg: >
            the password is {{
              (secret['items']
                | items2dict(key_name='slug',
                             value_name='itemValue'))['password']
            }}

- hosts: localhost
  vars:
      secret_password: >-
        {{
            ((lookup(
                'community.general.tss',
                102,
                base_url='https://secretserver.domain.com/SecretServer/',
                token='thycotic_access_token',
            )  | from_json).get('items') | items2dict(key_name='slug', value_name='itemValue'))['password']
        }}
  tasks:
      - ansible.builtin.debug:
          msg: the password is {{ secret_password }}

Return Values

Common return values are documented here, the following are the fields unique to this lookup:

Key

Description

_list

list / elements=dictionary

The JSON responses to GET /secrets/{id}.

See https://updates.thycotic.net/secretserver/restapiguide/TokenAuth/#operation–secrets–id–get.

Returned: success

Authors

  • Adam Migus (@amigus)

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.