TSS Lookup and AWX


I’m following the docs:
community.general.tss lookup – Get secrets from Thycotic Secret Server — Ansible Community Documentation

and my code is:

---
# tasks file for tw.tss
- hosts: localhost
  connection: local
  gather_facts: no

  vars:
    key: !vault |
         $ANSIBLE_VAULT;1.1;AES256
         <vault value>
    uri: https://<secretserverurl>/SecretServer
    role: rolename
    secretid: <thesecretID>

    secret_password: >-
      {{
        lookup(
          'community.general.tss',
          secretid,
          base_url=uri,
          token=key
        ) | from_json).get('items') | items2dict(key_name='slug', value_name='itemValue'))['password']
      }}
  tasks:
    - ansible.builtin.debug:
        msg: the password is {{ secret_password }}

I have tried a few variations as the docs showed

secret_password: >-
      {{
        ((lookup(
          'community.general.tss',
          102,
          base_url='https://secretserver.domain.com/SecretServer/',
          token='thycotic_access_token',
        ) | from_json).get('items') | items2dict(key_name='slug', value_name='itemValue'))['password']
      }}

The trailing ‘,’ seems incorrect, and the leading ‘((’ that are not closed also seemed incorrect. Initially I had those in.

the error I receive is

Vault password: 
ERROR! 'ansible.builtin.debug' is not a valid attribute for a Play
The error appears to be in '/runner/project/tss.yml': line 31, column 3, but may
be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
- ansible.builtin.debug:
  ^ here

Additionally, I have tried the built-in Secret Server integration, but it failed, I believe due to SSL cert trust, and I cannot specify an EE to run it from to bypass it.

I believe you may just need to add a name to your debug task. I took your secret_password definition, modified it to use username and password on my system, and it ran successfully.

---
- name: Retrieve Secrets from Delinea SS
  hosts: localhost
  gather_facts: false

  vars:
    ss_password: "{{ lookup('ansible.builtin.env', 'SS_PASS') }}"
    ss_username: "{{ lookup('ansible.builtin.env', 'SS_USER') }}"
    secret_id: <id>
    ss_url: 'https://<secretserverurl>/SecretServer'

    secret_password: >-
      {{
        ((lookup(
          'community.general.tss',
          secret_id,
          base_url=ss_url,
          username=ss_username,
          password=ss_password
        ) | from_json).get('items') | items2dict(key_name='slug', value_name='itemValue'))['password']
      }}

  tasks:
    - name: Debug secret_password
      ansible.builtin.debug:
        var: secret_password
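A pure-Python sketch of what that filter chain does to the lookup result, added here as an illustration and not part of either post. It assumes the tss lookup returns the secret's JSON with an `items` list of `slug`/`itemValue` objects (the sample below is constructed with fake values), and it swaps the bare `['password']` index for an explicit error and a redacted debug string, since a debug task that echoes the value writes the password into the AWX job output.

```python
import json

# Constructed sample of the JSON string the tss lookup hands back.
# Shape assumed from the community.general.tss docs: a secret whose
# "items" entries carry "slug" and "itemValue". Values are fake.
SAMPLE_SECRET_JSON = json.dumps({
    "id": 102,
    "name": "svc-account",
    "items": [
        {"slug": "username", "itemValue": "svc_user", "fieldName": "Username"},
        {"slug": "password", "itemValue": "correct-horse-battery", "fieldName": "Password"},
        {"slug": "notes", "itemValue": "", "fieldName": "Notes"},
    ],
})


def items2dict(items, key_name="slug", value_name="itemValue"):
    """Equivalent of Ansible's items2dict filter: list of mappings -> dict."""
    return {item[key_name]: item[value_name] for item in items}


def secret_field(raw_json, slug):
    """Mirror of the playbook expression
    ((raw | from_json).get('items') | items2dict(...))[slug]
    with explicit errors instead of a bare KeyError on a missing field."""
    secret = json.loads(raw_json)          # from_json
    items = secret.get("items")            # .get('items')
    if items is None:
        raise ValueError("lookup result has no 'items' list")
    fields = items2dict(items)             # items2dict(key_name='slug', value_name='itemValue')
    if slug not in fields:
        raise KeyError(f"no field with slug {slug!r}; available: {sorted(fields)}")
    return fields[slug]


def redacted(value):
    """What a debug task should show instead of the raw secret."""
    return f"<{len(value)} chars, redacted>"


if __name__ == "__main__":
    pw = secret_field(SAMPLE_SECRET_JSON, "password")
    print("the password is", redacted(pw))  # never print the value itself into the job log
```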

Sadly, that was one of the first things I tried, and it fails with the same error.

I forgot to turn on "update revision on launch". I have a new error, but it's a dependency, so it will probably work.

The error says: The error appears to be in '/runner/project/tss.yml': line 31, column 3,

But when I paste your original YAML file, there are 27 lines. So something is missing in between what you are testing and what you've pasted.

Ansible/YAML care about indentation, and the fact that it's barfing at your ansible.builtin.debug implies to me that your indentation is off somewhere. I can't see where from what you've pasted, but as I've said, your paste only has 27 lines vs. the error counting 31, so something is getting formatted somewhere.

The problem I see now is that we use

tss init -r {{ role }} -k {{ key }} -u {{ uri }}

from the CLI and then get the secret, but the community plugin doesn't seem to work with role and key?
I'll probably end up using the command we use elsewhere.