community.general.tss – Get secrets from Thycotic Secret Server

Note

This plugin is part of the community.general collection (version 4.2.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.tss.

New in version 1.0.0 of community.general

Synopsis

  • Uses the Thycotic Secret Server Python SDK to get Secrets from Secret Server using token authentication with username and password on the REST API at base_url.

Requirements

The below requirements are needed on the local controller node that executes this lookup.

Parameters

Parameter: _terms
  Type: integer / required
  Comments: The integer ID of the secret.

Parameter: api_path_uri
  Type: string
  Default: "/api/v1"
  Configuration: env: TSS_API_PATH_URI
  Comments: The path to append to the base URL to form a valid REST API request.

Parameter: base_url
  Type: string / required
  Configuration:
    ini entries: [tss_lookup] base_url = None
    env: TSS_BASE_URL
  Comments: The base URL of the server, e.g. https://localhost/SecretServer.

Parameter: domain
  Type: string
  Added in 3.6.0 of community.general
  Default: ""
  Configuration:
    ini entries: [tss_lookup] domain =
    env: TSS_DOMAIN
  Comments: The domain with which to request the OAuth2 Access Grant.
    Optional when token is not provided.
    Requires python-tss-sdk version 1.0.0 or greater.

Parameter: password
  Type: string
  Configuration:
    ini entries: [tss_lookup] password = None
    env: TSS_PASSWORD
  Comments: The password associated with the supplied username.
    Required when token is not provided.

Parameter: token
  Type: string
  Added in 3.7.0 of community.general
  Configuration:
    ini entries: [tss_lookup] token = None
    env: TSS_TOKEN
  Comments: Existing token for Thycotic authorizer.
    If provided, username and password are not needed.
    Requires python-tss-sdk version 1.0.0 or greater.

Parameter: token_path_uri
  Type: string
  Default: "/oauth2/token"
  Configuration: env: TSS_TOKEN_PATH_URI
  Comments: The path to append to the base URL to form a valid OAuth2 Access Grant request.

Parameter: username
  Type: string
  Configuration:
    ini entries: [tss_lookup] username = None
    env: TSS_USERNAME
  Comments: The username with which to request the OAuth2 Access Grant.

Examples

- hosts: localhost
  vars:
      secret: >-
        {{
            lookup(
                'community.general.tss',
                102,
                base_url='https://secretserver.domain.com/SecretServer/',
                username='user.name',
                password='password'
            )
        }}
  tasks:
      - ansible.builtin.debug:
          msg: >
            the password is {{
              (secret['items']
                | items2dict(key_name='slug',
                             value_name='itemValue'))['password']
            }}

- hosts: localhost
  vars:
      secret: >-
        {{
            lookup(
                'community.general.tss',
                102,
                base_url='https://secretserver.domain.com/SecretServer/',
                username='user.name',
                password='password',
                domain='domain'
            )
        }}
  tasks:
      - ansible.builtin.debug:
          msg: >
            the password is {{
              (secret['items']
                | items2dict(key_name='slug',
                             value_name='itemValue'))['password']
            }}

- hosts: localhost
  vars:
      secret_password: >-
        {{
            ((lookup(
                'community.general.tss',
                102,
                base_url='https://secretserver.domain.com/SecretServer/',
                token='thycotic_access_token',
            )  | from_json).get('items') | items2dict(key_name='slug', value_name='itemValue'))['password']
        }}
  tasks:
      - ansible.builtin.debug:
          msg: the password is {{ secret_password }}
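
An added example, not part of the collection's documentation, showing the configuration route the parameters above describe: base_url and token are taken from the TSS_BASE_URL and TSS_TOKEN environment variables (or TSS_USERNAME and TSS_PASSWORD) on the controller, so no credential sits in the playbook, and the fetched fields are consumed under no_log instead of being echoed. It assumes secret 102 (the ID used above) carries 'username' and 'password' slugs and that /etc/app/db.env is a hypothetical destination; the from_json step follows the third example above, since each returned element is the raw JSON response to GET /secrets/{id}.

```yaml
# Added example; assumes TSS_BASE_URL and TSS_TOKEN (or TSS_USERNAME/TSS_PASSWORD)
# are exported in the controller's environment, so lookup() gets no credentials.
- hosts: localhost
  gather_facts: false
  vars:
    tss_secret_id: 102
    # wantlist=true keeps the lookup's list shape explicit; each element is the
    # JSON response for one secret ID, so 'first | from_json' yields the dict.
    tss_secret_fields: >-
      {{
        (lookup('community.general.tss', tss_secret_id, wantlist=true)
         | first | from_json)['items']
        | items2dict(key_name='slug', value_name='itemValue')
      }}
  tasks:
    - name: Fail early if the secret lacks the fields this play needs
      ansible.builtin.assert:
        that:
          - "'username' in tss_secret_fields"
          - "'password' in tss_secret_fields"
        quiet: true
      no_log: true   # keep field values out of the play output on failure

    - name: Deliver the credentials to a root-only file rather than a debug message
      ansible.builtin.copy:
        dest: /etc/app/db.env   # hypothetical path
        owner: root
        group: root
        mode: "0600"
        content: |
          DB_USER={{ tss_secret_fields['username'] }}
          DB_PASS={{ tss_secret_fields['password'] }}
      no_log: true   # the rendered content would otherwise appear in diffs/verbose logs
```

Run it with the TSS_* variables exported in the shell that invokes ansible-playbook; with ANSIBLE_CONFIG pointing at an ini file, the [tss_lookup] entries listed above serve the same purpose.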

Return Values

Common return values are documented separately in the Ansible reference; the following fields are unique to this lookup:

Key: _list
  Type: list / elements=dictionary
  Returned: success
  Description: The JSON responses to GET /secrets/{id}.

Authors