Recently I came across Pleasant Password Server in use as a PAM (Privileged Access Management) solution: https://pleasantpasswords.com/info/pleasant-password-server
I needed to integrate it with the Ansible playbooks I was using to deploy and configure IBM Verify Security Access Manager. Unfortunately, there was no Ansible plugin available for use as there are for CyberArk or Thycotic or …, so I created one myself.

I have added the resulting Ansible Collection to Ansible Galaxy: https://galaxy.ansible.com/tombosmansibm/pleasant_lookup.

This is my GitHub repository with the sources: https://github.com/tombosmansibm/pleasant_lookup

The collection consists of

  1. a lookup plugin tombosmansibm.pleasant_lookup.password to do password lookups
  2. a role pleasant_attachment that can be used to retrieve certificates stored in Pleasant.

The options in the lookup plugin obviously rely on the capabilities of Pleasant Password Server’s API.

Installation

Python dependencies

  • requests

Install the collection from Ansible Galaxy:

ansible-galaxy collection install tombosmansibm.pleasant_lookup

Configuration parameters

In ansible.cfg, you can add these global settings:

[pleasant_lookup]
ca_path = /etc/ssl/certs/ca-bundle.crt
timeout = 15

Parameters

Required

  • pleasant_host: the pleasant host (https://pleasant.com:10001)
  • username: username to authenticate to Pleasant
  • password: password to authenticate to Pleasant
  • pleasant_search: the search term to look for

Optional

  • pleasant_filter_username: only return search results for this exact username
  • pleasant_filter_path: only return results that begin with this path. Should always begin with ‘/Root’
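  • verify: set to False to disable SSL verification, or to the path of a CA bundle to verify against (as in the second example below). With verification disabled, the server's identity is not checked while the Pleasant credentials and the returned passwords are in transit.
  • timeout: the timeout to wait for Pleasant Server’s API. Defaults to 5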

Examples

Simple lookup for a root password

- name: password
  debug: 
    msg: |
      "{{ lookup('tombosmansibm.pleasant_lookup.password', 
      pleasant_host='https://pleasant.com:10001', 
      username='bob', 
      password='hunter2', 
      pleasant_search='root') }}"

Lookup example with search parameter and filter on username and path with reference to the ca bundle of the system.

- name: Lookup
  run_once: True
  debug:
    msg: |
        "{{ lookup('tombosmansibm.pleasant_lookup.password', 
            pleasant_host='https://pleasant.com:10001', 
            username='myuser', 
            password='mypassword',
            pleasant_filter_path='Root/DEV/',
            pleasant_filter_username='root',
            pleasant_search='root',
            verify='/etc/ssl/certs/ca-bundle.crt',
            timeout=2) }}"
  delegate_to: localhost

The result is a list of items:

[{
     "password": "the password",
     "path": "Root/Path/",
     "username": "the username"
}] 
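
The same lookup as a deployment play might consume it, as an added example that is not part of the collection's own documentation: the credentials come from vaulted variables (vault_pleasant_user and vault_pleasant_password are hypothetical names), no_log keeps the secret out of task output, and the play stops unless exactly one entry matches. It assumes the result items have the shape shown above.

```yaml
- name: Fetch the DEV root password from Pleasant without leaking it to logs
  hosts: localhost
  gather_facts: false
  vars:
    # Hypothetical variable names; define them in an Ansible Vault encrypted vars file.
    pleasant_user: "{{ vault_pleasant_user }}"
    pleasant_pass: "{{ vault_pleasant_password }}"
  tasks:
    - name: Query Pleasant over verified TLS
      ansible.builtin.set_fact:
        # Wrapping in [ ... ] and flattening yields a flat list whether the
        # lookup hands back a single item or a list of items.
        pleasant_matches: >-
          {{ [lookup('tombosmansibm.pleasant_lookup.password',
                     pleasant_host='https://pleasant.com:10001',
                     username=pleasant_user,
                     password=pleasant_pass,
                     pleasant_search='root',
                     pleasant_filter_username='root',
                     pleasant_filter_path='Root/DEV/',
                     verify='/etc/ssl/certs/ca-bundle.crt')] | flatten }}
      no_log: true   # the registered result contains the password

    - name: Refuse to continue on zero or ambiguous matches
      ansible.builtin.assert:
        that:
          - pleasant_matches | length == 1
        quiet: true
        fail_msg: "Expected exactly one Pleasant entry for root under Root/DEV/"

    - name: Keep only the password for later tasks
      ansible.builtin.set_fact:
        target_root_password: "{{ (pleasant_matches | first).password }}"
      no_log: true
```

Later tasks that pass target_root_password to a module need no_log: true as well, since task arguments are otherwise written to the play output.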

Get a certificate with the name cn=mycertificatelabel from Pleasant Server and download to /tmp.

- hosts: servers
  vars:
    pleasant_host: https://pleasant.com:10001
    pleasant_search_term: "cn=mycertificatelabel"
    pleasant_attachment_filter: ".*.p12"
    pleasant_export_dir: /tmp
  roles:
     - role: duo.pleasant_attachment