Interests in an Ansible Lookup Plugin for Thycotic Secret Server Professional

Hi,

we’ve been using ansible for quite some time now, as well as Thycotic Secret Server (TSS). Recently, we thought it would be a good idea to be able to use TSS as a global password storage for any ansible related stuff, too. While e.g. the password lookup plugin is great, we wanted to have one place that stores not only passwords but additional metadata. Thus we developed a small lookup plugin that operates on the TSS Professional REST API.

Why am I telling you this? Simply put, it would be nice to contribute a little bit to ansible since it is such a handy tool. But as we are not quite a company that embraces open source style code sharing too much, I just wanted to know if there is any interest from people in having such a plugin ship with ansible. If so, I would first try to solve the potential copyright issues on our side and would then submit a feature proposal to https://github.com/ansible/proposals.

Just to show you what I’m actually talking about see these examples:

```yaml
- name: show default field
  debug: msg="{{ lookup('tss_lookup', '/path/to/the/secret') }}"

- name: show default field and provide specific template
  debug: msg="{{ lookup('tss_lookup', '/path/to/the/secret;template=theTemplate') }}"

- name: show specific field
  debug: msg="{{ lookup('tss_lookup', '/path/to/the/secret;field=user name') }}"

- name: show specific field and provide specific template
  debug: msg="{{ lookup('tss_lookup', '/path/to/the/secret;field=user name,template=theTemplate') }}"

- name: show specific field and provide specific template and parameters
  debug: msg="{{ lookup('tss_lookup', '/path/to/the/secret;template=theTemplate,field=user pass,user name=theUser') }}"
```

Thanks for reading, cheers

Martin

I’m not familiar with that specific password management system, but I would recommend trying to keep the ansible interface compatible with other password-management systems. Like for example: https://docs.ansible.com/ansible/2.5/plugins/lookup/passwordstore.html

Looks mostly the same, but the fields are space-separated, not semicolon-separated.

Getting it into ansible took a bit of effort when I wanted to upstream passwordstore, but worked out fine in the end.

Well, I agree. The point is that I didn’t want to implement escape logic, and didn’t find any common rules for implementing it, either. TSS allows spaces in field names.
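To make the term syntax from the first post and the "spaces in field names" point above concrete, here is an added example (not Martin's plugin and not Ansible or Thycotic code) that parses a lookup term of the form `/path/to/the/secret;field=user name,template=theTemplate,user name=theUser` and resolves it against a constructed in-memory list of secret records. The record layout, the default-field-per-template table, and the reading of extra `key=value` options as filters that disambiguate several secrets stored under the same path are assumptions for illustration; a real plugin would wrap this in an Ansible `LookupBase` subclass and call the REST API instead of `SAMPLE_SECRETS`.

```python
"""Parse 'path;key=value,key=value' lookup terms and resolve a secret field.

Because options are split on ';' and ',' rather than whitespace, field names
that contain spaces (e.g. 'user name') need no escaping.
"""
from dataclasses import dataclass, field as dc_field
from typing import Dict, List, Optional


@dataclass
class TssTerm:
    path: str
    field: Optional[str]          # explicit field to return, or None for the template default
    template: Optional[str]       # template the secret must use, or None for any
    params: Dict[str, str] = dc_field(default_factory=dict)  # extra key=value filters


def parse_term(term: str) -> TssTerm:
    """Split '/folder/secret;field=x,template=y,other=z' into its parts."""
    path, _, opts = term.partition(";")
    path = path.strip()
    if not path:
        raise ValueError("secret path must not be empty")
    parsed = TssTerm(path=path, field=None, template=None)
    for pair in filter(None, (p.strip() for p in opts.split(","))):
        key, eq, value = pair.partition("=")
        if not eq:
            raise ValueError(f"option {pair!r} is not of the form key=value")
        key, value = key.strip(), value.strip()
        if key == "field":
            parsed.field = value
        elif key == "template":
            parsed.template = value
        else:
            parsed.params[key] = value
    return parsed


# Constructed sample data standing in for what the REST API would return.
# Each record: path, template name, and the template's fields with values.
SAMPLE_SECRETS: List[dict] = [
    {"path": "/path/to/the/secret", "template": "theTemplate",
     "items": {"user name": "theUser", "user pass": "s3cr3t-1"}},
    {"path": "/path/to/shared", "template": "theTemplate",
     "items": {"user name": "alice", "user pass": "alice-pass"}},
    {"path": "/path/to/shared", "template": "theTemplate",
     "items": {"user name": "bob", "user pass": "bob-pass"}},
]

# Assumed: which field a template returns when no 'field=' option is given.
TEMPLATE_DEFAULT_FIELD = {"theTemplate": "user pass"}


def resolve(term: TssTerm, records: List[dict]) -> str:
    """Return the requested field of exactly one matching secret record."""
    candidates = [r for r in records if r["path"] == term.path]
    if term.template is not None:
        candidates = [r for r in candidates if r["template"] == term.template]
    for key, value in term.params.items():
        candidates = [r for r in candidates if r["items"].get(key) == value]
    if not candidates:
        raise LookupError(f"no secret matches {term.path!r} with given options")
    if len(candidates) > 1:
        # Refuse to guess: returning the wrong credential silently is worse than failing.
        raise LookupError(f"{len(candidates)} secrets match {term.path!r}; add filters")
    record = candidates[0]
    field_name = term.field or TEMPLATE_DEFAULT_FIELD[record["template"]]
    if field_name not in record["items"]:
        raise KeyError(f"field {field_name!r} not in template {record['template']!r}")
    return record["items"][field_name]


def lookup(term: str, records: List[dict] = SAMPLE_SECRETS) -> str:
    """Convenience wrapper: what the plugin's run() would do per term."""
    return resolve(parse_term(term), records)


if __name__ == "__main__":
    # Never print resolved secrets in a real playbook; use no_log on such tasks.
    print(lookup("/path/to/the/secret;field=user name"))
```

The lookup on `/path/to/shared` without a `user name=` filter deliberately fails rather than returning the first hit, which is the failure mode a password plugin should surface loudly.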

I have a customer that is looking for the integration of Thycotic Secret Server specifically within Ansible. This would be of great value if this were to be a ‘supported module’ within Ansible.

This post has some dust on it from last year, is there any other traction you have found to support this effort?

Hi, to be honest my efforts in convincing management to participate by sharing code/knowledge have not borne fruit yet. They just want to sell, if at all. However, management will change by the end of the year, maybe I’ll be successful then. For the time being I can tell you that such a plugin is relatively easy to implement and works great. If you need help feel free to contact me :slight_smile: