Ansible Lookup Plugin - Secret Only?

I’m trying to use the Cypher Ansible lookup plugin to retrieve a secret from a custom Cypher plugin and am running into trouble. Below is my error.

Broken through Ansible:

automation_username: "{{ lookup('cypher', 'secret=thycoticss/MyFolder/MySecret/username') }}"

FAILED! => {
"msg": "An unhandled exception occurred while running the lookup plugin 'cypher'. Error was a <class 'ansible.errors.AnsibleError'>, original message: cypher lookup plugin needs key=value pairs, but received ['secret=thycoticss/MyFolder/MyAccount/username']"
}

If I run cypher.read through bash command, it seems to work OK, just not when it’s inside an Ansible playbook.

Working through bash script:

from_vault="<%= cypher.read('thycoticss/MyFolder/MySecret/username') %>"
echo $from_vault

Hiya!

This tripped me up a bit, too, initially. What I found for nested JSON values worked:

"{{ lookup('cypher', 'secret=secret/morpheus_service_accounts:windows') }}"

The “secret=secret/…” is crucial. It MUST start like this.

Hey Brad,

thycoticss is actually the prefix for my custom Cypher plugin. I’ve been able to use the secret and password prefixes with no problem.

Example of password prefix to generate a random password.

{{ lookup('cypher', 'secret=password/32/sql-msa-temp') }}

Ah, gotcha.

Reading the Ansible page for Cypher (Ansible — Morpheus Docs documentation), it almost reads like you need to use a colon before the final key name if it’s nested down in JSON.

You don’t show your data structure, so I’m guessin’ a little blind.

So I just modified my plugin to use the secret=thycoticss/MyFolder/MySecret:username format. It doesn’t seem like that helped. Wondering if this is a limitation in the Ansible Cypher plugin, but I can’t seem to find source code for it to take a look.

fatal: [svtsqlwspcc01.westfieldgrp.corp]: FAILED! => {
"msg": "An unhandled exception occurred while running the lookup plugin 'cypher'. Error was a <class 'ansible.errors.AnsibleError'>, original message: cypher lookup plugin needs key=value pairs, but received ['secret=thycoticss/MyFolder/MySecret:username']"
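To make the accept/reject pattern in this thread concrete, here is an added Python pre-flight check that models the behaviour the posts report; it is not the Morpheus Ansible cypher plugin's own code (the thread could not locate that source). It assumes the term must be a single secret=<mount>/<path> pair, that only the built-in mounts shown working here (secret/ and password/) are accepted unless a custom mount is registered, and that a trailing :key selects a nested JSON value.

```python
# Added example: a stand-alone model of the accept/reject behaviour seen in this
# thread. It is NOT the Morpheus Ansible cypher plugin's own code; the mount
# list and the ':' handling are assumptions drawn from the posts above.

# Assumption: the built-in Cypher mounts the thread shows working via Ansible.
BUILTIN_MOUNTS = frozenset({"secret", "password"})

# Wording taken from the error message quoted in the thread.
ERROR_FMT = "cypher lookup plugin needs key=value pairs, but received {terms!r}"


def parse_cypher_term(term, custom_mounts=()):
    """Parse a lookup term such as 'secret=secret/morpheus_service_accounts:windows'.

    Returns (mount, path, json_key); json_key is None when no ':' is present.
    Raises ValueError with the thread's error wording when the term is not a
    single 'secret=<mount>/<path>' pair or the mount is not known.
    """
    key, sep, value = term.partition("=")
    if sep != "=" or key != "secret":
        raise ValueError(ERROR_FMT.format(terms=[term]))
    mount, _, rest = value.partition("/")
    # Assumption: a mount outside the plugin's known set is rejected with the
    # same generic message, which is what the custom prefix in the thread hits.
    if mount not in BUILTIN_MOUNTS.union(custom_mounts) or not rest:
        raise ValueError(ERROR_FMT.format(terms=[term]))
    path, _, json_key = rest.partition(":")
    return mount, path, json_key or None


def term_error(term, custom_mounts=()):
    """Return the plugin-style error text for a term, or None if it would parse."""
    try:
        parse_cypher_term(term, custom_mounts)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed inputs: the three lookup terms that appear in this thread.
    for t in ("secret=secret/morpheus_service_accounts:windows",
              "secret=password/32/sql-msa-temp",
              "secret=thycoticss/MyFolder/MySecret/username"):
        print(t, "->", term_error(t) or parse_cypher_term(t))
```

Running a check like this over a playbook's lookup terms before a run surfaces an unregistered mount without needing the failing host in the error output.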