community.general.tss – Get secrets from Thycotic Secret Server

Note

This plugin is part of the community.general collection (version 3.7.0).

To install it use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.tss.

New in version 1.0.0 of community.general

Synopsis

  • Uses the Thycotic Secret Server Python SDK to get Secrets from Secret Server using token authentication with username and password on the REST API at base_url.

Requirements

The requirements below are needed on the local controller node that executes this lookup.

Parameters

_terms (integer / required)
  The integer ID of the secret.

api_path_uri (string)
  Default: "/api/v1"
  Configuration: env:TSS_API_PATH_URI
  The path to append to the base URL to form a valid REST API request.

base_url (string / required)
  Configuration:
    ini entries:
      [tss_lookup]
      base_url = None
    env:TSS_BASE_URL
  The base URL of the server, e.g. https://localhost/SecretServer.

domain (string), added in 3.6.0 of community.general
  Default: ""
  Configuration:
    ini entries:
      [tss_lookup]
      domain =
    env:TSS_DOMAIN
  The domain with which to request the OAuth2 Access Grant.
  Optional when token is not provided.
  Requires python-tss-sdk version 1.0.0 or greater.

password (string)
  Configuration:
    ini entries:
      [tss_lookup]
      password = None
    env:TSS_PASSWORD
  The password associated with the supplied username.
  Required when token is not provided.

token (string), added in 3.7.0 of community.general
  Configuration:
    ini entries:
      [tss_lookup]
      token = None
    env:TSS_TOKEN
  Existing token for the Thycotic authorizer.
  If provided, username and password are not needed.
  Requires python-tss-sdk version 1.0.0 or greater.

token_path_uri (string)
  Default: "/oauth2/token"
  Configuration: env:TSS_TOKEN_PATH_URI
  The path to append to the base URL to form a valid OAuth2 Access Grant request.

username (string)
  Configuration:
    ini entries:
      [tss_lookup]
      username = None
    env:TSS_USERNAME
  The username with which to request the OAuth2 Access Grant.

Examples

# Password grant: authenticate with username and password, then pick one field out of the returned items.
- hosts: localhost
  vars:
      secret: >-
        {{
            lookup(
                'community.general.tss',
                102,
                base_url='https://secretserver.domain.com/SecretServer/',
                username='user.name',
                password='password'
            )
        }}
  tasks:
      - ansible.builtin.debug:
          msg: >
            the password is {{
              (secret['items']
                | items2dict(key_name='slug',
                             value_name='itemValue'))['password']
            }}

# Password grant against a domain account (domain requires python-tss-sdk 1.0.0 or greater).
- hosts: localhost
  vars:
      secret: >-
        {{
            lookup(
                'community.general.tss',
                102,
                base_url='https://secretserver.domain.com/SecretServer/',
                username='user.name',
                password='password',
                domain='domain'
            )
        }}
  tasks:
      - ansible.builtin.debug:
          msg: >
            the password is {{
              (secret['items']
                | items2dict(key_name='slug',
                             value_name='itemValue'))['password']
            }}

# Existing access token: username and password are not needed (token requires python-tss-sdk 1.0.0 or greater).
- hosts: localhost
  vars:
      secret_password: >-
        {{
            ((lookup(
                'community.general.tss',
                102,
                base_url='https://secretserver.domain.com/SecretServer/',
                token='thycotic_access_token',
            )  | from_json).get('items') | items2dict(key_name='slug', value_name='itemValue'))['password']
        }}
  tasks:
      - ansible.builtin.debug:
          msg: the password is {{ secret_password }}
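
All three plays reduce the lookup result to a single field with items2dict(key_name='slug', value_name='itemValue') and then print it with debug. The Python below is an added example, not code from community.general or python-tss-sdk: it applies the same slug-to-value reduction to a constructed GET /secrets/{id} response, but fails loudly on a duplicate or missing slug (the Jinja filter silently keeps the last value), and produces a redacted copy suitable for task output. Only the items, slug and itemValue keys come from the page; the id, name and isPassword fields and the sample values are assumptions.

```python
"""Post-process a Secret Server GET /secrets/{id} response the way the
playbook examples do with items2dict(key_name='slug', value_name='itemValue').

Added example; not part of community.general or python-tss-sdk.
"""
import json

# Constructed sample response. "items", "slug" and "itemValue" are the keys the
# playbook examples rely on; "id", "name" and "isPassword" are assumed fields.
SAMPLE_RESPONSE = json.dumps({
    "id": 102,
    "name": "example-service-account",
    "items": [
        {"slug": "username", "itemValue": "svc-user", "isPassword": False},
        {"slug": "password", "itemValue": "s3cr3t-value", "isPassword": True},
        {"slug": "notes", "itemValue": "", "isPassword": False},
    ],
})


def load_sample():
    """Parse the constructed response into the dict shape the lookup returns."""
    return json.loads(SAMPLE_RESPONSE)


def items_to_dict(secret):
    """Equivalent of secret['items'] | items2dict(key_name='slug', value_name='itemValue').

    Unlike the Jinja filter, a duplicate slug raises instead of silently
    keeping the last value, so a malformed response is noticed.
    """
    result = {}
    for item in secret.get("items", []):
        slug = item["slug"]
        if slug in result:
            raise ValueError(f"duplicate slug in secret items: {slug!r}")
        result[slug] = item["itemValue"]
    return result


def get_field(secret, slug):
    """Return one field by slug; on a miss, name the available slugs so the
    caller does not have to dump the whole secret to find out why."""
    fields = items_to_dict(secret)
    try:
        return fields[slug]
    except KeyError:
        raise KeyError(f"slug {slug!r} not in secret {secret.get('id')}; "
                       f"available: {sorted(fields)}") from None


def password_slugs(secret):
    """Slugs whose item is flagged as a password (isPassword is an assumed field)."""
    return sorted(i["slug"] for i in secret.get("items", []) if i.get("isPassword"))


def redacted_view(secret):
    """Deep copy of the secret with password-flagged values replaced.

    The debug tasks in the examples print the password itself; log this
    view instead when task output is retained."""
    view = json.loads(json.dumps(secret))
    for item in view.get("items", []):
        if item.get("isPassword"):
            item["itemValue"] = "***REDACTED***"
    return view


def main():
    secret = load_sample()
    print("password slugs:", password_slugs(secret))
    print("username:", get_field(secret, "username"))
    print("safe to log:", json.dumps(redacted_view(secret)))


if __name__ == "__main__":
    main()
```

Running the module prints the password-flagged slugs, the username field, and the redacted copy; get_field(secret, "password") is what the plays above compute, and the redacted copy is what a debug task should show instead.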

Return Values

Common return values are documented here, the following are the fields unique to this lookup:

_list (list / elements=dictionary)
  Returned: success
  The JSON responses to GET /secrets/{id}.
Authors