smeeus / ansible-plugin-secretserver

A custom Ansible lookup plugin to retrieve secret information from Thycotic Secret Server
MIT License

Where to begin #1

Closed Lobout closed 2 years ago

Lobout commented 6 years ago

So, I wanted to take a look at this and see if it provides enough functionality to read a password from secret server, so that I could then update the password on my servers. I can't even get this to do the basic lookup. I have tried keeping everything exactly like your readme states and it can't find the "secretserver" module, so I then tried to add your secretserver.py file directly into the ansible modules directory and it still can't seem to find it to process anything. Am I missing something simple?

Lobout commented 6 years ago

Guess this is a dead project... too bad, it appeared to have potential.

smeeus commented 6 years ago

Hi @Lobout ,

Sorry I have missed your initial question. No, the project is not dead, but until a number of things are being discussed and decided at the place I'm going to implement this, I halted pushing updates. I created this as a customer specific project, but wanted to share it as well.

Now, to answer your questions. I assume you're not using the RPM to install the plugin.

You will have to make sure you have an account in Secretserver that has (read-only) access to the items you want to look up. The account has to be Secretserver internal, so not an LDAP/Active Directory account. This seems to be a Secretserver API limitation.

To let the plugin know what these account details are, you will have to set 3 environment variables for the user you are running ansible as:

The easiest is to place this in your ~/.bashrc or ~/.bash_profile file:

SECRETSERVER_HOST="your.secretserver.fqdn or IP address"
SECRETSERVER_USERNAME="secretserverusername"
SECRETSERVER_PASSWORD="verysecurepasswordstring"

export SECRETSERVER_HOST
export SECRETSERVER_USERNAME
export SECRETSERVER_PASSWORD

To install the secretserver.py plugin for use with the example playbook, create the subdirectories library/lookup in your playbook directory and place secretserver.py there.

You will also have to tell ansible where to find the lookup plugin. You do this by creating/editing your ansible.cfg file and making sure the following options are set:

[defaults]

# Custom plugins
lookup_plugins = library/lookup

More details and other options you may want for your ansible.cfg are documented in the Ansible Configuration Settings documentation.

For example, I have the following structure:

/home/smeeus/ansible/secretserver_test_playbook
 |- ansible.cfg
 |- example-playbook.yml
 |- example-inventory.ini
 `- library
     `- lookup
         `- secretserver.py

The contents of example-inventory.ini are:

[local]
localhost ansible_connection=local

And I do my testing with this command, from the playbook directory:

ansible-playbook -i example-inventory.ini example-playbook.yml

I hope this helps you out for now.

And keep an eye on the project in the coming weeks. I have updates ready to extend/replace the current <lookup_item>.<type> method for example.
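The steps above are spread over environment variables, a directory layout and ansible.cfg, so here is an added preflight script (my own example, not part of smeeus's project) that checks all of them from the playbook directory and, because the password is kept in clear text in the shell profile, also flags a profile file that is readable by group or others. It assumes the layout exactly as described: the three SECRETSERVER_* variables exported, and lookup_plugins = library/lookup in ansible.cfg.

```python
import configparser
import os
import stat
from pathlib import Path

# Constructed to match the thread: the three variables exported from ~/.bashrc
REQUIRED_VARS = ("SECRETSERVER_HOST", "SECRETSERVER_USERNAME", "SECRETSERVER_PASSWORD")


def check_env(env):
    """Names of required SECRETSERVER_* variables that are unset or empty."""
    return [name for name in REQUIRED_VARS if not env.get(name)]


def check_plugin_path(playbook_dir):
    """Confirm ansible.cfg's lookup_plugins directory holds secretserver.py.
    Relative entries resolve against the directory containing ansible.cfg."""
    playbook_dir = Path(playbook_dir)
    cfg = configparser.ConfigParser()
    if not cfg.read(playbook_dir / "ansible.cfg"):
        return ["ansible.cfg not found in " + str(playbook_dir)]
    setting = cfg.get("defaults", "lookup_plugins", fallback=None)
    if setting is None:
        return ["[defaults] lookup_plugins is not set in ansible.cfg"]
    # lookup_plugins may be a ':'-separated list; '~' is allowed in entries
    dirs = [playbook_dir / os.path.expanduser(p.strip()) for p in setting.split(os.pathsep)]
    if any((d / "secretserver.py").is_file() for d in dirs):
        return []
    return ["secretserver.py not found in lookup_plugins = " + setting]


def check_profile_permissions(profile_path):
    """Clear-text password in the profile: group/other read access is a finding."""
    mode = stat.S_IMODE(os.stat(profile_path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return f"{profile_path} is readable by group/others (mode {mode:04o}); chmod 600 it"
    return None


def preflight(env, playbook_dir, profile_path):
    """All problems found; an empty list means the layout from the thread is in place."""
    problems = [name + " is not exported" for name in check_env(env)]
    problems += check_plugin_path(playbook_dir)
    if Path(profile_path).is_file():
        warning = check_profile_permissions(profile_path)
        if warning:
            problems.append(warning)
    return problems


if __name__ == "__main__":
    issues = preflight(os.environ, Path.cwd(), Path.home() / ".bashrc")
    print("\n".join(issues) or "secretserver lookup plugin layout looks complete")
    raise SystemExit(1 if issues else 0)
```

Run it from the playbook directory (the one holding ansible.cfg) before the ansible-playbook command; a non-zero exit means at least one of the prerequisites is missing.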

dglinder commented 5 years ago

@smeeus - What's the latest on the "keep an eye on the project" from a while back?

And I think your writeup in the previous comment block should be moved into the README.md file.

smeeus commented 5 years ago

@dglinder There is little progress... Apart from creating the development branch with a small set of feature improvements, I have not had much time to actually work on the overall Ansible project for the customer this was meant for, and it is not being used yet either.

The previous block of where to start does in fact have to be taken into the README.md, and the development branch has a very small part of it already. It still needs a lot of extra information though.

Do check out the development branch if you're interested, there's a little test playbook in there that showcases new ways of querying for the secrets you require. But there also, much more documentation is required.

And if you have questions, comments or suggestions, I'd like to hear them.

dglinder commented 5 years ago

Thanks @smeeus - if/when we get Thycotic I will look into your development branch.