community.general.tss (8.5.0) — lookup

Get secrets from Thycotic Secret Server

Added in version 1.0.0 of community.general

Authors: Adam Migus (@amigus) <adam@migus.org>

Install collection

Install with ansible-galaxy collection install community.general:==8.5.0


Add to requirements.yml

  collections:
    - name: community.general
      version: 8.5.0

Description

Uses the Thycotic Secret Server Python SDK to get Secrets from Secret Server using token authentication with O(username) and O(password) on the REST API at O(base_url).

When using self-signed certificates the environment variable E(REQUESTS_CA_BUNDLE) can be set to a file containing the trusted certificates (in C(.pem) format).

For example, C(export REQUESTS_CA_BUNDLE='/etc/ssl/certs/ca-bundle.trust.crt').


Requirements

Usage examples

- hosts: localhost
  vars:
      secret: >-
        {{
            lookup(
                'community.general.tss',
                102,
                base_url='https://secretserver.domain.com/SecretServer/',
                username='user.name',
                password='password'
            )
        }}
  tasks:
      - ansible.builtin.debug:
          msg: >
            the password is {{
              (secret['items']
                | items2dict(key_name='slug',
                             value_name='itemValue'))['password']
            }}
- hosts: localhost
  vars:
      secret: >-
        {{
            lookup(
                'community.general.tss',
                102,
                base_url='https://secretserver.domain.com/SecretServer/',
                username='user.name',
                password='password',
                domain='domain'
            )
        }}
  tasks:
      - ansible.builtin.debug:
          msg: >
            the password is {{
              (secret['items']
                | items2dict(key_name='slug',
                             value_name='itemValue'))['password']
            }}
- hosts: localhost
  vars:
      secret_password: >-
        {{
            ((lookup(
                'community.general.tss',
                102,
                base_url='https://secretserver.domain.com/SecretServer/',
                token='thycotic_access_token',
            )  | from_json).get('items') | items2dict(key_name='slug', value_name='itemValue'))['password']
        }}
  tasks:
      - ansible.builtin.debug:
          msg: the password is {{ secret_password }}
# The private key is stored in a certificate file attached to the secret.
# If fetch_attachments=True, the private key file is downloaded to the specified path
# and the file content is shown in the debug message.
- hosts: localhost
  vars:
      secret: >-
        {{
            lookup(
                'community.general.tss',
                102,
                fetch_attachments=True,
                file_download_path='/home/certs',
                base_url='https://secretserver.domain.com/SecretServer/',
                token='thycotic_access_token'
            )
        }}
  tasks:
    - ansible.builtin.debug:
        msg: >
          the private key is {{
            (secret['items']
              | items2dict(key_name='slug',
                           value_name='itemValue'))['private-key']
          }}
# If fetch_secret_ids_from_folder=true, the term is treated as a folder ID and the IDs of the secrets in that folder are fetched
- hosts: localhost
  vars:
      secret: >-
        {{
            lookup(
                'community.general.tss',
                102,
                fetch_secret_ids_from_folder=true,
                base_url='https://secretserver.domain.com/SecretServer/',
                token='thycotic_access_token'
            )
        }}
  tasks:
    - ansible.builtin.debug:
        msg: >
          the secret id's are {{
              secret
          }}
# If the secret ID is 0 and secret_path is set, the secret is fetched by its path
- hosts: localhost
  vars:
      secret: >-
        {{
            lookup(
                'community.general.tss',
                0,
                secret_path='\folderName\secretName',
                base_url='https://secretserver.domain.com/SecretServer/',
                username='user.name',
                password='password'
            )
        }}
  tasks:
      - ansible.builtin.debug:
          msg: >
            the password is {{
              (secret['items']
                | items2dict(key_name='slug',
                             value_name='itemValue'))['password']
            }}
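The examples above all reduce the C(GET /secrets/{id}) response to a single field with C(items2dict(key_name='slug', value_name='itemValue')), and the token example first pipes the lookup result through C(from_json). The following Python is an added example, not part of the collection or the SDK, that performs the same extraction outside Ansible on a constructed sample response, fails loudly on an unknown slug, and masks password-typed fields before anything is logged; the C(isPassword) and C(isFile) item attributes are assumed from the Secret Server item model and are not on this page.

```python
import json
from typing import Any, Dict, Union

# Constructed sample of a GET /secrets/{id} body; only the fields the
# lookup examples rely on (plus the assumed isPassword/isFile flags) are included.
SAMPLE_SECRET = json.dumps({
    "id": 102,
    "name": "example-service-account",
    "items": [
        {"slug": "username", "itemValue": "svc-example", "isFile": False, "isPassword": False},
        {"slug": "password", "itemValue": "s3cr3t-value", "isFile": False, "isPassword": True},
        {"slug": "private-key", "itemValue": "", "isFile": True, "isPassword": False,
         "filename": "id_rsa"},
    ],
})

Secret = Union[str, Dict[str, Any]]


def _as_dict(secret: Secret) -> Dict[str, Any]:
    # The token example pipes the lookup result through from_json, so accept
    # either the raw JSON string or an already parsed dict.
    return json.loads(secret) if isinstance(secret, str) else secret


def secret_items(secret: Secret) -> Dict[str, str]:
    """Return {slug: itemValue}, the equivalent of
    items2dict(key_name='slug', value_name='itemValue') on secret['items']."""
    return {item["slug"]: item["itemValue"] for item in _as_dict(secret).get("items", [])}


def field(secret: Secret, slug: str) -> str:
    """Look up one field by slug; an unknown slug is an error, not an empty string."""
    items = secret_items(secret)
    if slug not in items:
        raise KeyError(f"secret has no field with slug {slug!r}; available: {sorted(items)}")
    return items[slug]


def redacted(secret: Secret) -> Dict[str, str]:
    """Slug map with password-typed fields masked, suitable for a debug message
    (the playbook examples print the password itself; prefer no_log: true there)."""
    out: Dict[str, str] = {}
    for item in _as_dict(secret).get("items", []):
        out[item["slug"]] = "***" if item.get("isPassword") else item["itemValue"]
    return out
```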

Inputs

token:
    description:
    - Existing token for Thycotic authorizer.
    - If provided, O(username) and O(password) are not needed.
    - Requires C(python-tss-sdk) version 1.0.0 or greater.
    env:
    - name: TSS_TOKEN
    ini:
    - key: token
      section: tss_lookup
    version_added: 3.7.0
    version_added_collection: community.general

_terms:
    description: The integer ID of the secret.
    required: true
    type: int

domain:
    default: ''
    description:
    - The domain with which to request the OAuth2 Access Grant.
    - Optional when O(token) is not provided.
    - Requires C(python-tss-sdk) version 1.0.0 or greater.
    env:
    - name: TSS_DOMAIN
    ini:
    - key: domain
      section: tss_lookup
    required: false
    version_added: 3.6.0
    version_added_collection: community.general

base_url:
    description: The base URL of the server, for example V(https://localhost/SecretServer).
    env:
    - name: TSS_BASE_URL
    ini:
    - key: base_url
      section: tss_lookup
    required: true

password:
    description:
    - The password associated with the supplied username.
    - Required when O(token) is not provided.
    env:
    - name: TSS_PASSWORD
    ini:
    - key: password
      section: tss_lookup

username:
    description: The username with which to request the OAuth2 Access Grant.
    env:
    - name: TSS_USERNAME
    ini:
    - key: username
      section: tss_lookup

secret_path:
    description: Indicate a full path of secret including folder and secret name when
      the secret ID is set to 0.
    required: false
    type: str
    version_added: 7.2.0
    version_added_collection: community.general

api_path_uri:
    default: /api/v1
    description: The path to append to the base URL to form a valid REST API request.
    env:
    - name: TSS_API_PATH_URI
    required: false

token_path_uri:
    default: /oauth2/token
    description: The path to append to the base URL to form a valid OAuth2 Access Grant
      request.
    env:
    - name: TSS_TOKEN_PATH_URI
    required: false

fetch_attachments:
    description:
    - Boolean flag which indicates whether attached files will get downloaded or not.
    - The download will only happen if O(file_download_path) has been provided.
    required: false
    type: bool
    version_added: 7.0.0
    version_added_collection: community.general

file_download_path:
    description: Indicate the file attachment download location.
    required: false
    type: path
    version_added: 7.0.0
    version_added_collection: community.general

fetch_secret_ids_from_folder:
    description:
    - Boolean flag which indicates whether the IDs of the secrets in a folder are fetched by folder ID.
    - If V(true), the terms are treated as folder IDs. Otherwise (default), they are treated
      as secret IDs.
    required: false
    type: bool
    version_added: 7.1.0
    version_added_collection: community.general

Outputs

_list:
  description:
  - The JSON responses to C(GET /secrets/{id}).
  - See U(https://updates.thycotic.net/secretserver/restapiguide/TokenAuth/#operation--secrets--id--get).
  elements: dict
  type: list