Note
This lookup plugin is part of the community.general collection (version 10.7.3).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.general. You need further requirements to be able to use this lookup plugin, see Requirements for details.
To use it in a playbook, specify: community.general.tss.
New in community.general 1.0.0
username and password on the REST API at base_url.
REQUESTS_CA_BUNDLE can be set to a file containing the trusted certificates (in .pem format).
export REQUESTS_CA_BUNDLE='/etc/ssl/certs/ca-bundle.trust.crt'.

The below requirements are needed on the local controller node that executes this lookup.

| Parameter | Comments |
|---|---|
| Terms list / elements=integer / required | The integer ID of the secret. |
This describes keyword parameters of the lookup. These are the values key1=value1, key2=value2 and so on in the following examples: lookup('community.general.tss', key1=value1, key2=value2, ...) and query('community.general.tss', key1=value1, key2=value2, ...)
| Parameter | Comments |
|---|---|
| api_path_uri string | The path to append to the base URL to form a valid REST API request. Default: Configuration: |
| base_url string / required | The base URL of the server, for example Configuration: |
| domain string added in community.general 3.6.0 | The domain with which to request the OAuth2 Access Grant. Optional when Requires Default: Configuration: |
| fetch_attachments boolean added in community.general 7.0.0 | Boolean flag which indicates whether attached files will get downloaded or not. The download will only happen if Choices: |
| fetch_secret_ids_from_folder boolean added in community.general 7.1.0 | Boolean flag which indicates whether the IDs of the secrets in a folder are fetched by folder ID. Choices: |
| file_download_path path added in community.general 7.0.0 | The location to which file attachments are downloaded. |
| password string | The password associated with the supplied username. Required when Configuration: |
| secret_path string added in community.general 7.2.0 | The full path of the secret, including folder and secret name, used when the secret ID is set to 0. |
| token string added in community.general 3.7.0 | |
| token_path_uri string | The path to append to the base URL to form a valid OAuth2 Access Grant request. Default: Configuration: |
| username string | The username with which to request the OAuth2 Access Grant. Configuration: |
Note
Configuration entries listed above for each entry type (Ansible variable, environment variable, and so on) have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up. The entry types are also ordered by precedence from low to high priority order. For example, an ansible.cfg entry (further up in the list) is overwritten by an Ansible variable (further down in the list).
Note
lookup('community.general.tss', term1, term2, key1=value1, key2=value2) and query('community.general.tss', term1, term2, key1=value1, key2=value2)
```yaml
- hosts: localhost
  vars:
    secret: >-
      {{
        lookup(
          'community.general.tss',
          102,
          base_url='https://secretserver.domain.com/SecretServer/',
          username='user.name',
          password='password'
        )
      }}
  tasks:
    - ansible.builtin.debug:
        msg: >
          the password is {{
            (secret['items']
              | items2dict(key_name='slug',
                           value_name='itemValue'))['password']
          }}

- hosts: localhost
  vars:
    secret: >-
      {{
        lookup(
          'community.general.tss',
          102,
          base_url='https://secretserver.domain.com/SecretServer/',
          username='user.name',
          password='password',
          domain='domain'
        )
      }}
  tasks:
    - ansible.builtin.debug:
        msg: >
          the password is {{
            (secret['items']
              | items2dict(key_name='slug',
                           value_name='itemValue'))['password']
          }}

- hosts: localhost
  vars:
    secret_password: >-
      {{
        ((lookup(
          'community.general.tss',
          102,
          base_url='https://secretserver.domain.com/SecretServer/',
          token='thycotic_access_token',
        ) | from_json).get('items') | items2dict(key_name='slug', value_name='itemValue'))['password']
      }}
  tasks:
    - ansible.builtin.debug:
        msg: the password is {{ secret_password }}

# The private key is stored in a certificate file that is attached to the secret.
# If fetch_attachments=True, the private key file is downloaded to the specified path
# and the file content is displayed in the debug message.
- hosts: localhost
  vars:
    secret: >-
      {{
        lookup(
          'community.general.tss',
          102,
          fetch_attachments=True,
          file_download_path='/home/certs',
          base_url='https://secretserver.domain.com/SecretServer/',
          token='thycotic_access_token'
        )
      }}
  tasks:
    - ansible.builtin.debug:
        msg: >
          the private key is {{
            (secret['items']
              | items2dict(key_name='slug',
                           value_name='itemValue'))['private-key']
          }}

# If fetch_secret_ids_from_folder=true, the IDs of the secrets in a folder are fetched by folder ID
- hosts: localhost
  vars:
    secret: >-
      {{
        lookup(
          'community.general.tss',
          102,
          fetch_secret_ids_from_folder=true,
          base_url='https://secretserver.domain.com/SecretServer/',
          token='thycotic_access_token'
        )
      }}
  tasks:
    - ansible.builtin.debug:
        msg: >
          the secret IDs are {{
            secret
          }}

# If the secret ID is 0 and secret_path has a value, the secret is fetched by secret path
- hosts: localhost
  vars:
    secret: >-
      {{
        lookup(
          'community.general.tss',
          0,
          secret_path='\folderName\secretName',
          base_url='https://secretserver.domain.com/SecretServer/',
          username='user.name',
          password='password'
        )
      }}
  tasks:
    - ansible.builtin.debug:
        msg: >-
          the password is {{
            (secret['items']
              | items2dict(key_name='slug',
                           value_name='itemValue'))['password']
          }}
```
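A variant of the token example that keeps the token out of the playbook and the retrieved value out of task output. It is added here as an illustration and is not taken from the collection's documentation. The environment variable name TSS_ACCESS_TOKEN and the destination path /etc/myapp/db_password are assumptions.

```yaml
# Added example; TSS_ACCESS_TOKEN and the dest path are assumptions.
- hosts: localhost
  gather_facts: false
  vars:
    # Read the token from the controller's environment instead of the playbook.
    tss_token: "{{ lookup('ansible.builtin.env', 'TSS_ACCESS_TOKEN') }}"
  tasks:
    - name: Stop early if no token was supplied
      ansible.builtin.assert:
        that:
          - tss_token | length > 0
        fail_msg: TSS_ACCESS_TOKEN is not set on the controller
        quiet: true

    # set_fact evaluates the lookup once; a play-level var would call the
    # REST API again every time it is referenced.
    - name: Fetch secret 102 once and index its fields by slug
      ansible.builtin.set_fact:
        secret_fields: >-
          {{
            lookup(
              'community.general.tss',
              102,
              base_url='https://secretserver.domain.com/SecretServer/',
              token=tss_token
            )['items'] | items2dict(key_name='slug', value_name='itemValue')
          }}
      no_log: true

    - name: Check the expected field exists without printing its value
      ansible.builtin.assert:
        that:
          - "'password' in secret_fields"
        fail_msg: secret 102 has no field with slug 'password'
        quiet: true

    - name: Write the password to a file only its owner can read
      ansible.builtin.copy:
        content: "{{ secret_fields['password'] }}"
        dest: /etc/myapp/db_password
        mode: "0600"
      no_log: true
```

Lookups run on the controller, so REQUESTS_CA_BUNDLE has to be exported in the shell that starts ansible-playbook; a task-level `environment:` keyword does not reach the lookup.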
| Key | Description |
|---|---|
| Return value list / elements=dictionary | The JSON responses to See https://updates.thycotic.net/secretserver/restapiguide/TokenAuth/#operation--secrets--id--get. Returned: success |
© 2012–2018 Michael DeHaan
© 2018–2025 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/community/general/tss_lookup.html