Configuring Secret Server

To configure Secret Server for the integration with Ansible, complete the following tasks: 

  • Step 1: Create an application account in Secret Server.

  • Step 2: Create a secret in Secret Server.

  • Step 3: Generate an access token to properly authenticate with Secret Server.

  • (Optional) Step 4: Require a comment to be entered before a secret can be retrieved by Ansible. The integration automatically supplies the user-provided comment when it retrieves a secret.

The following sections describe how to perform these steps.

Step 1: Creating an Application Account in Secret Server

The Delinea Ansible collection requires an application account to authenticate with Secret Server. If you don't have an application account in Secret Server, you can create one. For more information about creating an application account, see Managing Local Accounts in the Secret Server documentation.

The application account's role in Secret Server must have the View Launcher Password on Secrets and View Secret permissions. The following procedure describes how to create a role with these permissions and how to assign the role to the application account.

To create a role with the required permissions and assign it to the application account:

  1. In Secret Server, navigate to Access > Roles.

  2. Select Create role.

  3. In the Create role dialog, provide a name and an optional description for the new role, and select Save.

  4. Go to the Permissions tab for the role.

  5. Select Edit and in the Scope dropdown list, select All.

  6. Search for the View Launcher Password on Secrets permission by using the search box at the top.

  7. Select the checkbox next to the permission name and select Save.

  8. Repeat steps 6–7 to add the View Secret permission to the role.

    The Permissions tab shows the permissions added to the role.

  9. Assign the role to the application account in Secret Server:

    1. Navigate to Access > Users.

    2. On the User management page, search for and select the application account.

    3. On the user page, go to the Roles tab and select Edit.

    4. In the window that appears below, search for and select the role that you created and select the checkbox next to the role name.

    5. Select Save.

Step 2: Creating a Secret in Secret Server

You must create a secret in Secret Server to store the credentials that you want to retrieve for use within Ansible playbooks and automation tasks. You must also share the secret with the Secret Server application account that you use for this integration to enable the Delinea Ansible collection to retrieve the secret from Secret Server. The following procedure describes how to create a secret and then share the secret with the application account.

To create a secret and share it with the application account:

  1. In Secret Server, navigate to Secrets > All secrets.

  2. In the Create new secret dialog, do the following:

    1. (Optional) Change the default folder for the secret.

      Make sure that the application account has the View permission for the folder. For information about folder permissions, see Folders in the Secret Server documentation.

    2. Under Choose a secret template, select the template from which to create a secret.

      You can use any template that fits your needs.

    3. Enter a name for the secret and the username and the password to store in the secret.

    4. Provide values for the other secret fields according to the template.

    5. Select Create secret.

  3. Share the secret with the application account:

    1. Go to the Sharing tab of the secret's page.

    2. Select Edit in the upper-right corner.

    3. Clear Inherit permissions.

    4. Search for the application account by using the search box at the top.

    5. Select the checkbox to the left of the application account name and then select View in the dropdown list under Secret Permissions.

    6. Select Save.

Step 3: Generating a Secret Server Access Token

Secret Server uses the OAuth 2.0 client credentials grant type to allow backend services to authenticate with their own credentials and access the Secret Server APIs. This method supports secure server-to-server communication without user interaction and is commonly used by background services or service accounts.

To generate and retrieve an access token for authenticating with Secret Server, call the oauth2/token endpoint of the Secret Server REST API. For more information about this endpoint, see the Secret Server Authentication REST API documentation.
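The token call described above, as an added example that is not part of the Delinea documentation or collection. It assumes the endpoint is <base URL>/oauth2/token, that it takes the application account's username and password as form fields with grant_type=password, and that it answers with the standard OAuth 2.0 JSON fields access_token, token_type and expires_in; verify these against the Authentication REST API documentation for your Secret Server version.

```python
"""Obtain and use a Secret Server access token via oauth2/token.

Added example, not Delinea's code. Assumed: endpoint <base_url>/oauth2/token,
form fields username/password/grant_type=password, and a standard OAuth 2.0
JSON reply with access_token, token_type and expires_in.
"""
import json
import time
import urllib.parse
import urllib.request


def build_token_request(base_url: str, username: str, password: str):
    """Return (url, urlencoded body) for the token call. The credentials go
    only in the POST body, never in the URL, so they do not end up in access
    logs or proxy logs."""
    url = base_url.rstrip("/") + "/oauth2/token"
    body = urllib.parse.urlencode(
        {"username": username, "password": password, "grant_type": "password"}
    )
    return url, body


def parse_token_response(raw: bytes, now: float) -> dict:
    """Extract the bearer token and an absolute expiry (epoch seconds).
    Anything other than a bearer token is rejected rather than used."""
    data = json.loads(raw)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    return {"access_token": data["access_token"],
            "expires_at": now + int(data["expires_in"])}


def auth_header(token: dict, now: float, skew: int = 30) -> dict:
    """Authorization header for API calls; refuse a token that is expired or
    within `skew` seconds of expiring so a playbook fails early, not mid-run."""
    if now + skew >= token["expires_at"]:
        raise RuntimeError("token expired or about to expire; request a new one")
    return {"Authorization": "Bearer " + token["access_token"]}


def fetch_token(base_url: str, username: str, password: str) -> dict:
    """Perform the real HTTPS call (network; not exercised offline)."""
    url, body = build_token_request(base_url, username, password)
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return parse_token_response(resp.read(), time.time())
```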

(Optional) Step 4: Configuring Auto Comment in Secret Server

  1. Log in to Secret Server with admin credentials.

  2. Open the secret for which you want to require entry of a comment.

  3. Go to Security.

  4. In the Other security section, select the pencil icon next to the Require comment option.

  5. Select the Require comment checkbox and select Save.