community.general.tss lookup – Get secrets from Thycotic Secret Server
Note
This lookup plugin is part of the community.general collection (version 9.4.0). It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.general.
You need further requirements to be able to use this lookup plugin; see Requirements for details.
To use it in a playbook, specify: community.general.tss.
New in community.general 1.0.0
Synopsis
Uses the Thycotic Secret Server Python SDK to get Secrets from Secret Server using token authentication with username and password on the REST API at base_url.
When using self-signed certificates the environment variable REQUESTS_CA_BUNDLE can be set to a file containing the trusted certificates (in .pem format). For example: export REQUESTS_CA_BUNDLE='/etc/ssl/certs/ca-bundle.trust.crt'.
Requirements
The below requirements are needed on the local controller node that executes this lookup.
python-tss-sdk - https://pypi.org/project/python-tss-sdk/
Terms
Parameter | Comments
---|---
Terms (integer) | The integer ID of the secret.
Keyword parameters
This describes keyword parameters of the lookup. These are the values key1=value1, key2=value2 and so on in the following examples: lookup('community.general.tss', key1=value1, key2=value2, ...) and query('community.general.tss', key1=value1, key2=value2, ...)
Parameter | Comments
---|---
api_path_uri (string) | The path to append to the base URL to form a valid REST API request. Default: /api/v1
base_url (string) | The base URL of the server, for example https://secretserver.domain.com/SecretServer/ (as used in the examples below).
domain (string) | The domain with which to request the OAuth2 Access Grant. Optional when username and password are used. Requires python-tss-sdk version 1.0.0 or greater.
fetch_attachments (boolean) | Boolean flag which indicates whether attached files will get downloaded or not. The download will only happen if file_download_path has been provided. Choices: false, true
fetch_secret_ids_from_folder (boolean) | Boolean flag which indicates whether the secret IDs in a folder are fetched by folder ID or not. Choices: false, true
file_download_path (string) | Indicate the file attachment download location.
password (string) | The password associated with the supplied username. Required when username is set.
secret_path (string) | Indicate the full path of the secret, including folder and secret name, when the secret ID is set to 0.
token_path_uri (string) | The path to append to the base URL to form a valid OAuth2 Access Grant request. Default: /oauth2/token
username (string) | The username with which to request the OAuth2 Access Grant.
Notes
Note
When keyword and positional parameters are used together, positional parameters must be listed before keyword parameters: lookup('community.general.tss', term1, term2, key1=value1, key2=value2) and query('community.general.tss', term1, term2, key1=value1, key2=value2)
Examples
- hosts: localhost
  vars:
    secret: >-
      {{
          lookup(
              'community.general.tss',
              102,
              base_url='https://secretserver.domain.com/SecretServer/',
              username='user.name',
              password='password'
          )
      }}
  tasks:
    - ansible.builtin.debug:
        msg: >
          the password is {{
            (secret['items']
              | items2dict(key_name='slug',
                           value_name='itemValue'))['password']
          }}

- hosts: localhost
  vars:
    secret: >-
      {{
          lookup(
              'community.general.tss',
              102,
              base_url='https://secretserver.domain.com/SecretServer/',
              username='user.name',
              password='password',
              domain='domain'
          )
      }}
  tasks:
    - ansible.builtin.debug:
        msg: >
          the password is {{
            (secret['items']
              | items2dict(key_name='slug',
                           value_name='itemValue'))['password']
          }}

- hosts: localhost
  vars:
    secret_password: >-
      {{
          ((lookup(
              'community.general.tss',
              102,
              base_url='https://secretserver.domain.com/SecretServer/',
              token='thycotic_access_token',
          ) | from_json).get('items') | items2dict(key_name='slug', value_name='itemValue'))['password']
      }}
  tasks:
    - ansible.builtin.debug:
        msg: the password is {{ secret_password }}

# The private key is stored in a certificate file attached to the secret.
# If fetch_attachments=True, the private key file is downloaded to the specified path
# and its content is displayed in the debug message.
- hosts: localhost
  vars:
    secret: >-
      {{
          lookup(
              'community.general.tss',
              102,
              fetch_attachments=True,
              file_download_path='/home/certs',
              base_url='https://secretserver.domain.com/SecretServer/',
              token='thycotic_access_token'
          )
      }}
  tasks:
    - ansible.builtin.debug:
        msg: >
          the private key is {{
            (secret['items']
              | items2dict(key_name='slug',
                           value_name='itemValue'))['private-key']
          }}

# If fetch_secret_ids_from_folder=true, the secret IDs in the folder are fetched by folder ID
- hosts: localhost
  vars:
    secret: >-
      {{
          lookup(
              'community.general.tss',
              102,
              fetch_secret_ids_from_folder=true,
              base_url='https://secretserver.domain.com/SecretServer/',
              token='thycotic_access_token'
          )
      }}
  tasks:
    - ansible.builtin.debug:
        msg: >
          the secret IDs are {{
            secret
          }}

# If the secret ID is 0 and secret_path is set, the secret is fetched by its path
- hosts: localhost
  vars:
    secret: >-
      {{
          lookup(
              'community.general.tss',
              0,
              secret_path='\folderName\secretName',
              base_url='https://secretserver.domain.com/SecretServer/',
              username='user.name',
              password='password'
          )
      }}
  tasks:
    - ansible.builtin.debug:
        msg: >
          the password is {{
            (secret['items']
              | items2dict(key_name='slug',
                           value_name='itemValue'))['password']
          }}
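The playbook examples above turn the secret's items list into a slug-to-itemValue map with items2dict and then print a value with debug. The Python below is an added example, not code from community.general or python-tss-sdk: it performs the same post-processing on a constructed GET /secrets/{id} response with the checks the Jinja one-liner skips (JSON string or dict input, file attachments skipped, duplicate slugs rejected) and builds a redacted copy for log output. The isFile and filename fields of the sample are an assumption about the response shape; only slug and itemValue are taken from the page.

```python
import json
from typing import Any, Dict, Iterable, Mapping, Union

# Constructed sample of a GET /secrets/{id} response. The lookup examples
# rely only on items[].slug and items[].itemValue; isFile/filename are an
# assumption about the response shape, used here to recognise attachments.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "id": 102,
    "name": "example-service-account",
    "items": [
        {"slug": "username", "itemValue": "svc_example", "isFile": False},
        {"slug": "password", "itemValue": "S3cr3t!", "isFile": False},
        {"slug": "private-key", "itemValue": "", "isFile": True,
         "filename": "id_example.pem"},
    ],
}


def secret_fields(response: Union[str, Mapping[str, Any]]) -> Dict[str, str]:
    """Map slug -> itemValue for the non-file items of one secret.

    Mirrors items2dict(key_name='slug', value_name='itemValue'). Accepts the
    dict the lookup returns or a JSON string (the token example uses from_json).
    File items are skipped (their itemValue is empty unless fetch_attachments
    downloaded them); duplicate slugs raise instead of silently overwriting.
    """
    if isinstance(response, str):
        response = json.loads(response)
    items = response.get("items")
    if not isinstance(items, list):
        raise ValueError("secret response has no 'items' list")
    fields: Dict[str, str] = {}
    for item in items:
        slug = item.get("slug")
        if not slug:
            raise ValueError(f"secret item without slug: {sorted(item)}")
        if item.get("isFile"):
            continue
        if slug in fields:
            raise ValueError(f"duplicate slug {slug!r} in secret items")
        fields[slug] = str(item.get("itemValue") or "")
    return fields


def redacted(fields: Mapping[str, str], reveal: Iterable[str] = ("username",)) -> Dict[str, str]:
    """Copy of fields safe for debug output or logs: everything but reveal is masked."""
    keep = set(reveal)
    return {k: (v if k in keep else "***") for k, v in fields.items()}
```

Printing redacted(secret_fields(secret)) rather than the raw value keeps the password out of the play output, which the debug tasks above otherwise record in the log.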
Return Value
Key | Description
---|---
_list | The JSON responses to GET /secrets/{id}. See https://updates.thycotic.net/secretserver/restapiguide/TokenAuth/#operation–secrets–id–get. Returned: success