community.general.tss lookup – Get secrets from Thycotic Secret Server
Collection: community.general 8.5.0. Added in community.general 1.0.0.
Authors: Adam Migus (@amigus) <adam@migus.org>
This lookup plugin is part of the community.general collection (version 8.5.0). Install it with:

ansible-galaxy collection install community.general:==8.5.0

or pin it in a requirements.yml:

collections:
  - name: community.general
    version: 8.5.0
Synopsis

- Uses the Thycotic Secret Server Python SDK (python-tss-sdk) to get secrets from Secret Server, authenticating with a token obtained with username and password on the REST API at base_url.
- When using self-signed certificates, the environment variable REQUESTS_CA_BUNDLE can be set to a file containing the trusted certificates (in .pem format).
- For example, export REQUESTS_CA_BUNDLE='/etc/ssl/certs/ca-bundle.trust.crt'.
Examples

```yaml
- hosts: localhost
  vars:
    secret: >-
      {{
        lookup(
          'community.general.tss',
          102,
          base_url='https://secretserver.domain.com/SecretServer/',
          username='user.name',
          password='password'
        )
      }}
  tasks:
    - ansible.builtin.debug:
        msg: >
          the password is {{
            (secret['items']
            | items2dict(key_name='slug',
                        value_name='itemValue'))['password']
          }}
```

```yaml
- hosts: localhost
  vars:
    secret: >-
      {{
        lookup(
          'community.general.tss',
          102,
          base_url='https://secretserver.domain.com/SecretServer/',
          username='user.name',
          password='password',
          domain='domain'
        )
      }}
  tasks:
    - ansible.builtin.debug:
        msg: >
          the password is {{
            (secret['items']
            | items2dict(key_name='slug',
                        value_name='itemValue'))['password']
          }}
```

```yaml
- hosts: localhost
  vars:
    secret_password: >-
      {{
        ((lookup(
          'community.general.tss',
          102,
          base_url='https://secretserver.domain.com/SecretServer/',
          token='thycotic_access_token',
        ) | from_json).get('items')
        | items2dict(key_name='slug',
                    value_name='itemValue'))['password']
      }}
  tasks:
    - ansible.builtin.debug:
        msg: the password is {{ secret_password }}
```

```yaml
# The private key is stored in a certificate file attached to the secret.
# If fetch_attachments=True, the private key file is downloaded to the specified path
# and its content is shown in the debug message.
- hosts: localhost
  vars:
    secret: >-
      {{
        lookup(
          'community.general.tss',
          102,
          fetch_attachments=True,
          file_download_path='/home/certs',
          base_url='https://secretserver.domain.com/SecretServer/',
          token='thycotic_access_token'
        )
      }}
  tasks:
    - ansible.builtin.debug:
        msg: >
          the private key is {{
            (secret['items']
            | items2dict(key_name='slug',
                        value_name='itemValue'))['private-key']
          }}
```

```yaml
# If fetch_secret_ids_from_folder=true, the term is treated as a folder ID
# and the IDs of the secrets in that folder are fetched.
- hosts: localhost
  vars:
    secret: >-
      {{
        lookup(
          'community.general.tss',
          102,
          fetch_secret_ids_from_folder=true,
          base_url='https://secretserver.domain.com/SecretServer/',
          token='thycotic_access_token'
        )
      }}
  tasks:
    - ansible.builtin.debug:
        msg: >
          the secret IDs are {{ secret }}
```

```yaml
# If the secret ID is 0 and secret_path is set, the secret is fetched by its path.
- hosts: localhost
  vars:
    secret: >-
      {{
        lookup(
          'community.general.tss',
          0,
          secret_path='\folderName\secretName',
          base_url='https://secretserver.domain.com/SecretServer/',
          username='user.name',
          password='password'
        )
      }}
  tasks:
    - ansible.builtin.debug:
        msg: >
          the password is {{
            (secret['items']
            | items2dict(key_name='slug',
                        value_name='itemValue'))['password']
          }}
```
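Every playbook example above post-processes the lookup result with items2dict(key_name='slug', value_name='itemValue'), and the token example first applies from_json. The following Python is an added example, not code from the collection or its documentation: it models that post-processing on a constructed response shaped like GET /secrets/{id}, so the effect of the Jinja filters is visible outside a playbook, a missing slug produces a readable error rather than a bare KeyError, and password and file fields can be masked before a result is printed or logged. In SAMPLE_SECRET only the items[].slug and items[].itemValue fields are taken from the examples; isPassword, isFile, filename and every value are assumptions and placeholders.

```python
import json

# Constructed sample shaped like one JSON response to GET /secrets/{id}.
# Only items[].slug and items[].itemValue are taken from the playbook examples;
# isPassword/isFile/filename are assumed field names and all values are placeholders.
SAMPLE_SECRET = {
    "id": 102,
    "name": "example-service-account",
    "folderId": 7,
    "items": [
        {"slug": "username", "fieldName": "Username",
         "itemValue": "svc-example", "isPassword": False, "isFile": False},
        {"slug": "password", "fieldName": "Password",
         "itemValue": "placeholder-password", "isPassword": True, "isFile": False},
        {"slug": "private-key", "fieldName": "Private Key", "filename": "id_rsa",
         "itemValue": "-----BEGIN PLACEHOLDER KEY-----", "isPassword": False, "isFile": True},
    ],
}


def parse_lookup_result(raw):
    """Equivalent of the `| from_json` step: accept either a dict or a JSON string."""
    if isinstance(raw, (bytes, str)):
        return json.loads(raw)
    return raw


def items_to_dict(secret, key_name="slug", value_name="itemValue"):
    """Equivalent of Ansible's items2dict filter applied to secret['items']."""
    items = secret.get("items")
    if not isinstance(items, list):
        raise ValueError("secret has no 'items' list; is this a GET /secrets/{id} response?")
    return {item[key_name]: item[value_name] for item in items}


def has_field(secret, slug):
    """True if the secret carries a field with the given slug."""
    return slug in items_to_dict(secret)


def get_field(secret, slug):
    """Look up one field by slug, with a helpful error instead of a bare KeyError."""
    fields = items_to_dict(secret)
    if slug not in fields:
        raise KeyError(
            f"secret {secret.get('id')} has no field with slug {slug!r}; "
            f"available slugs: {sorted(fields)}"
        )
    return fields[slug]


def sensitive_slugs(secret):
    """Slugs flagged as password or file content: values to keep out of debug output and logs."""
    return sorted(i["slug"] for i in secret["items"] if i.get("isPassword") or i.get("isFile"))


def redacted(secret, mask="********"):
    """Copy of the secret with sensitive item values masked; the input is left untouched."""
    hidden = set(sensitive_slugs(secret))
    out = dict(secret)
    out["items"] = [
        {**i, "itemValue": mask} if i["slug"] in hidden else dict(i)
        for i in secret["items"]
    ]
    return out


if __name__ == "__main__":
    # Simulate the token example: a JSON string comes back and is parsed first.
    secret = parse_lookup_result(json.dumps(SAMPLE_SECRET))
    print("username:", get_field(secret, "username"))
    print("sensitive slugs:", sensitive_slugs(secret))
    print(json.dumps(redacted(secret), indent=2))
```

The redacted() helper is the piece the playbook examples lack: a debug task that prints the whole lookup result prints the password and any downloaded attachment content with it, whereas masking on slug lets you inspect the structure of a response without exposing its values.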
Terms

_terms (integer, required)
  The integer ID of the secret.

Parameters

api_path_uri (string, default: /api/v1)
  The path to append to the base URL to form a valid REST API request.
  Configuration: environment variable TSS_API_PATH_URI

base_url (string, required)
  The base URL of the server, for example https://localhost/SecretServer.
  Configuration: ini entry [tss_lookup] base_url; environment variable TSS_BASE_URL

domain (string, default: "", added in community.general 3.6.0)
  The domain with which to request the OAuth2 Access Grant.
  Optional when token is not provided.
  Requires python-tss-sdk version 1.0.0 or greater.
  Configuration: ini entry [tss_lookup] domain; environment variable TSS_DOMAIN

fetch_attachments (boolean, added in community.general 7.0.0)
  Boolean flag which indicates whether attached files will get downloaded or not.
  The download will only happen if file_download_path has been provided.

fetch_secret_ids_from_folder (boolean, added in community.general 7.1.0)
  Boolean flag which indicates whether the terms are folder IDs whose contained secret IDs should be fetched.
  If true, the terms are treated as folder IDs. Otherwise (default), they are treated as secret IDs.

file_download_path (path, added in community.general 7.0.0)
  Indicate the file attachment download location.

password (string)
  The password associated with the supplied username.
  Required when token is not provided.
  Configuration: ini entry [tss_lookup] password; environment variable TSS_PASSWORD

secret_path (string, added in community.general 7.2.0)
  Indicate the full path of the secret, including folder and secret name, when the secret ID is set to 0.

token (string, added in community.general 3.7.0)
  Existing token for the Thycotic authorizer.
  If provided, username and password are not needed.
  Requires python-tss-sdk version 1.0.0 or greater.
  Configuration: ini entry [tss_lookup] token; environment variable TSS_TOKEN

token_path_uri (string, default: /oauth2/token)
  The path to append to the base URL to form a valid OAuth2 Access Grant request.
  Configuration: environment variable TSS_TOKEN_PATH_URI

username (string)
  The username with which to request the OAuth2 Access Grant.
  Configuration: ini entry [tss_lookup] username; environment variable TSS_USERNAME
Return Values

_list (list / elements=dictionary)
  The JSON responses to GET /secrets/{id}.
  See https://updates.thycotic.net/secretserver/restapiguide/TokenAuth/#operation--secrets--id--get.