Ansible Integration

The DevOps Secrets Safe lookup plugin and modules import the secretssafe package and create an instance of the client that communicates with the DevOps Secrets Safe API.

Prerequisites

Before proceeding with this section, please ensure that you have access to the secretssafe Python package, installable from a BeyondTrust-provided WHL file. To run any DevOps Secrets Safe plugin or module, you must use a Python interpreter version 3.6 or greater.

Install the DevOps Secrets Safe Package

Install the secretssafe package to your Python environment using pip.

pip install secretssafe-<version_details>.whl

Configure Ansible to Discover the DevOps Secrets Safe Lookup Plugin and Modules

You can load any of the DevOps Secrets Safe Ansible integrations automatically.

For the DevOps Secrets Safe lookup plugin, do any of the following:

Store it in the ~/.ansible/plugins/lookup subdirectory.
Store it in the /usr/share/ansible/plugins/lookup subdirectory.
Place the path to the plugin in your ansible.cfg file.

For any of the DevOps Secrets Safe Ansible modules, do any of the following:

Store it in the ~/.ansible/plugins/modules subdirectory.
Store it in the /usr/share/ansible/plugins/modules subdirectory.
Place the path to the plugin in your ansible.cfg file.

To use the Ansible components in certain playbooks:

Store the lookup plugin in the lookup_plugins subdirectory, located in the directory that contains the playbook.
Store the modules in the library subdirectory, located in the directory that contains the playbook.

To use the environment to configure the plugin location for the DevOps Secrets Safe lookup plugin, run the following export command:

export ANSIBLE_LOOKUP_PLUGINS=<path/to/secretssafe/lookup/plugin/directory/>

To use the environment to configure the plugin location for the DevOps Secrets Safe modules, run the following export command:

export ANSIBLE_LIBRARY=<path/to/secretssafe/module/directory/>

Once properly configured, validate the discovery of the plugin:

ansible-doc -t lookup secretssafelookup
ansible-doc -t module secretssafe_dynamic_accout_create
ansible-doc -t module secretssafe_create

Execute the Plugin with Environment Variables

DevOps Secrets Safe Ansible components share some common options that can be set via environment variables. The following variables must be set either on the control machine (shell where Ansible is called), or within the playbook that uses the plugin:

SECRETSSAFE_HOST=<IP address or hostname of Secrets Safe instance>
SECRETSSAFE_PORT=<port of Secrets Safe instance>SECRETSSAFE_API_KEY=<pregenerated API key>
SECRETSSAFE_APP_NAME=<application name associated with API key>
SECRETSSAFE_VERIFY_CA=<true/false/path to CA certificate>

This allows you to invoke the plugin without the credential or configuration keyword arguments.

The DevOps Secrets Safe client verifies the SSL certificate presented by the DSS instance. The SECRETSSAFE_VERIFY_CA environment variable specifies the path to the CA certificate that the Secrets Safe certificate is checked against.

If no SECRETSSAFE_VERIFY_CA is specified, the default certificate bundles provided by the Python requests library are used.

Certificate verification can be disabled by setting SECRETSSAFE_VERIFY_CA=false. This is strongly discouraged for a production environment.

Common Options

All Secrets Safe Ansible components share some common options:

Component	Description	Settings
name	The name of the application used to create the secret.	Required: true
api_key	API key that corresponds to the application provided in the name option.	Required: true
host	DNS or IP address of the DSS instance this secret are saved to.	Required: true
verify_ca	SSL certificate verification flag; looks to publicly available CA if set to true.	Required: false Default: true Choices: true false path to CA certificate
port	DSS instance port.	Required: false Default: 443

DevOps Secrets Safe Lookup Plugin

This module supports retrieving secrets withDevOps Secrets Safe.

In addition to the common options listed above, the secretssafelookup plugin also has the following:

Component	Description	Settings
uri	The DSS URI where the secret is retrieved.	Required: true

Retrieve and display multiple secrets from DSS using string arguments.

- name: Retrieving and displaying a series of plaintext secrets from Secrets Safe using string arguments.
  hosts: controlnode
  vars:
    secretssafe:
      credentials:
        api_key: "{{ secretssafe_api_key }}"
        app_name: "{{ secretssafe_app_name }}"
      configuration:
        host: "{{ secretssafe_host }}"
        port: "{{ secretssafe_port }}"
        verify_ca: "{{ secretssafe_verify_ca }}"
    uris:
      uri1: some/uri:1
      uri2: some/uri:2

  tasks:
    - name: Call Secrets Safe using jinja2 with_<lookup_plugin_name> syntax
      debug:
        msg: "{{ item }}"
      with_secretssafelookup:
        - 'uri={{ uris.uri1 }} | credentials={{ secretssafe.credentials }} | configuration={{ secretssafe.configuration }}'
        - 'uri={{ uris.uri2 }} | credentials={{ secretssafe.credentials }} | configuration={{ secretssafe.configuration }}'

Retrieve and display multiple secrets from DSS, reading the configuration from the environment.

- name: Retrieving and displaying a series of plaintext secrets from Secrets Safe, reading the configuration/credentials from the environment.
  hosts: controlnode
  vars:
    uris:
      - some/uri:1
      - some/uri:2

  tasks:
    - name: Call Secrets Safe using jinja2 with_<lookup_plugin_name> syntax and pre-exported environment variables
      debug:
        msg: "{{ item }}"
      with_secretssafelookup: "{{ uris }}"

Retrieve and display a single secret from DSS, reading the configuration from defined variables as keyword arguments.

- name: Retrieve and display a single secret from DSS, reading the configuration from defined variables as keyword arguments.
  hosts: controlnode
  vars:
    secretssafe:
      credentials:
        api_key: "{{ secretssafe_api_key }}"
        app_name: "{{ secretssafe_app_name }}"
      configuration:
        host: "{{ secretssafe_host }}"
        port: "{{ secretssafe_port }}"
        verify_ca: "{{ secretssafe_verify_ca }}"
    uri: some/uri:1

  tasks:
      - set_fact:
          decrypted_secret: "{{ lookup('secretssafelookup', uri, credentials=secretssafe.credentials, configuration=secretssafe.configuration) }}"
      - debug:
          msg: "{{ decrypted_secret }}"

Retrieve and display multiple secrets from DSS, reading the configuration from defined variables as keyword arguments.

- name: Retrieve and display multiple secrets from DSS, reading the configuration from defined variables as keyword arguments.
  hosts: controlnode
  vars:
    secretssafe:
      credentials:
        api_key: "{{ secretssafe_api_key }}"
        app_name: "{{ secretssafe_app_name }}"
      configuration:
        host: "{{ secretssafe_host }}"
        port: "{{ secretssafe_port }}"
        verify_ca: "{{ secretssafe_verify_ca }}"
    uris:
      - some/uri:1
      - some/uri:2

  tasks:
    - name: Call Secrets Safe lookup in a with_items loop
      debug:
        msg: "{{ lookup('secretssafelookup', item, credentials=secretssafe.credentials, configuration=secretssafe.configuration) }}"
      with_items: "{{ uris }}"

- name: Retrieve and display multiple secrets from DSS, reading the configuration from defined variables as keyword arguments.
  hosts: controlnode
  vars:
    secretssafe:
      credentials:
        api_key: "{{ secretssafe_api_key }}"
        app_name: "{{ secretssafe_app_name }}"
      configuration:
        host: "{{ secretssafe_host }}"
        port: "{{ secretssafe_port }}"
        verify_ca: "{{ secretssafe_verify_ca }}"
    uris:
      - some/uri:1
      - some/uri:2

  tasks:
    - name: Call Secrets Safe lookup in a with_items loop
      debug:
        msg: "{{ lookup('secretssafelookup', item, credentials=secretssafe.credentials, configuration=secretssafe.configuration) }}"
      with_items: "{{ uris }}"

Create Secret Module

This module supports creating secrets with DevOps Secrets Safe. Secrets can be read from a file on disk or an Ansible fact. Secret creation by providing a generator name is also supported. You must provide credentials for a DevOps Secrets Safe application.

In addition to the common options listed above, the create secret module also has the following options:

Component	Description	Settings
secret_uri	The DSS URI where the secret is saved.	Required: true
generator	Name of generator used to create secret value. Mutually exclusive with secret_file_path and secret_value options.	Required: true
secret_file_path	Path to file that is saved as a secret. Mutually exclusive with generator and secret_value options.	Required: false
secret_value	Value, in the form of a string, that is saved as a secret path to file that is saved as a secret. Mutually exclusive with generator and secret_file_path options.	Required: false

Create Secret From File.

- name: Create Secret From File
  hosts: managed_1
  tasks:
    - name: Create With File Path
    secretssafe_create:
      api_key: <api_key>
      name: myapp
      host: <secretssafe_host>
      port: 443
      verify_ca: false
      secret_uri: this/is:secret2500
      secret_file_path: /home/lockboxadmin/examples.desktop

Create Secret From Fact.

- name: Create Secret From Fact
  hosts: managed_1
  tasks:
    - name: Set Fact Value
    set_fact:
        test_value: This is my secret
    - name: Create From Fact
      secretssafe_create:
        api_key: <api_key>
        name: myapp
        host: <secretssafe_host>
        port: 443
        verify_ca: false
        secret_value: "{{ test_value }}"
        secret_uri: this/is:secret3

- name: Create Secret From Fact
  hosts: managed_1
  tasks:
    - name: Set Fact Value
    set_fact:
        test_value: This is my secret
    - name: Create From Fact
      secretssafe_create:
        api_key: <api_key>
        name: myapp
        host: <secretssafe_host>
        port: 443
        verify_ca: false
        secret_value: "{{ test_value }}"
        secret_uri: this/is:secret3

Create Secret From Generator

- name: Create Secrets Using Generator
  hosts: managed_1
  tasks:
    - name: Create With Generator
    secretssafe_create:
      api_key: <api_key%gt;
      name: myapp
      host: <secretssafe_host>
      port: 443
      verify_ca: true
      generator: my-number-generator
      secret_uri: this/is:secret111

DevOps Secrets Safe secretssafe_dynamic_accout_create Module

This module supports creating dynamic accounts with DevOps Secrets Safe.

In addition to the common options listed above, the secretssafe_dynamic_accout_create module also has the following options:

Component	Description	Options
provider	Provider used to create the dynamic account.	Required: true
account_definition	Account definition used to create the dynamic account.	Required: true
input_file	Input file with data for dynamic account creation. Mutually exclusive with the input_json option.	Required: false
input_json	JSON file that contains data for dynamic account creation. Mutually exclusive with the input_file option.	Required: false

Create Dynamic Account and Copy Output to File

- name: Create Dynamic Account and Copy Output to File
    hosts: managed_host_1
    tasks:
    - name: create dynamic account
      secretssafe_dynamic_account_create:
        api_key: 04ab4f29-21c7-4348-98d7
        name: myapp
        host: mydss.myorg.com
        port: 443
        verify_ca: 'false'
        provider: my_gcp_provider
        account_definition: my_gcp_definition
        input_file: path/to/myfile.json
      register: create_output
    - name: copy account info to file
      copy:
        dest: ~/dss_dynamic_account.json
        content: '{{ create_output.msg }}'