Delinea Secret Server Python SDK
The Delinea Secret Server Python SDK (version 2.0.1) provides Python classes to interact with Delinea Secret Server and Delinea Platform via their REST APIs. It supports various authentication methods and facilitates programmatic access to secrets. The library is actively maintained with regular releases and requires Python 3.8 or higher.
Common errors
- ImportError: No module named 'thycotic'
  cause: Attempting to import classes using the old `thycotic` namespace after upgrading the SDK to version 1.2.0 or higher.
  fix: Change import statements from `from thycotic.secrets.server import ...` to `from delinea.secrets.server import ...`.
- Secret Server Error: Access Denied
  cause: The authenticated user or application account lacks the necessary permissions to access the requested secret or perform the action.
  fix: Verify the permissions assigned to the user or application account in Delinea Secret Server. Ensure the account has 'Read' permissions on the specific secret or folder.
- requests.exceptions.SSLError: HTTPSConnectionPool(...) Max retries exceeded with url: /oauth2/token (Caused by SSLError(CertificateError("hostname 'yourserver.com' doesn't match ...")))
  cause: The Python `requests` library cannot verify the SSL certificate presented by the Secret Server instance, often due to self-signed or untrusted certificates.
  fix: Either install a trusted certificate on the Secret Server or configure the client environment to trust the certificate (e.g., by setting `REQUESTS_CA_BUNDLE` to a .pem file containing the certificate chain).
- Secret Server Error: The remote server returned an error: (400) Bad Request
  cause: Often caused by incorrect authentication credentials (username, password, or tenant/base URL), or webservices not being enabled on the Secret Server instance.
  fix: Double-check your `TSS_USERNAME`, `TSS_PASSWORD`, `TSS_TENANT` (or `base_url`) environment variables. Confirm that 'Enable Webservices' is set to 'Yes' in your Secret Server configuration.
Warnings
- breaking The package's top-level import namespace changed from `thycotic` to `delinea` in version 1.2.0 due to the company's rebranding to Delinea. Code using `from thycotic.secrets.server import ...` will break.
- gotcha When using application accounts for authentication, ensure they are assigned only the minimum required roles and permissions, not the 'Administrator Role' or all role permissions, to maintain security best practices.
- gotcha Self-signed SSL certificates or untrusted certificates can cause 'SSL Connectivity or Certificate Issues?'. The Python `requests` library (used by the SDK) may fail to verify the certificate.
- gotcha Connectivity issues or 'Login Failed' errors can occur if webservices are not enabled on your Secret Server instance, or if an incorrect base URL (e.g., including `/Login.aspx`) is used.
Install
- pip install python-tss-sdk
Imports
- SecretServer
  wrong (pre-1.2.0 namespace): from thycotic.secrets.server import SecretServer
  correct: from delinea.secrets.server import SecretServer
- SecretServerCloud
  from delinea.secrets.server import SecretServerCloud
- PasswordGrantAuthorizer
  from delinea.secrets.server import PasswordGrantAuthorizer
- SecretServerError
  from delinea.secrets.server import SecretServerError
Quickstart
import os

from delinea.secrets.server import (
    SecretServerCloud,
    PasswordGrantAuthorizer,
    SecretServerError,
    ServerSecret,
)

# Ensure these environment variables are set:
# TSS_TENANT (e.g., 'mytenant')
# TSS_USERNAME
# TSS_PASSWORD

try:
    tenant = os.environ.get('TSS_TENANT', '')
    username = os.environ.get('TSS_USERNAME', '')
    password = os.environ.get('TSS_PASSWORD', '')

    if not all([tenant, username, password]):
        raise ValueError("TSS_TENANT, TSS_USERNAME, and TSS_PASSWORD environment variables must be set.")

    # For Secret Server Cloud, 'tenant' parameter simplifies URL construction
    authorizer = PasswordGrantAuthorizer(
        base_url=f"https://{tenant}.secretservercloud.com",
        username=username,
        password=password,
    )
    secret_server_cloud = SecretServerCloud(tenant=tenant, authorizer=authorizer)

    # Example: Fetch a secret by ID
    secret_id = 123  # Replace with a valid secret ID from your Secret Server
    # get_secret() returns a dict; ServerSecret wraps it for attribute access
    secret = ServerSecret(**secret_server_cloud.get_secret(secret_id))

    print(f"Successfully fetched secret with ID {secret_id}:")
    print(f"Secret Name: {secret.name}")
    # Access secret fields by slug, e.g., secret.fields['username'].value
    # or secret.fields['password'].value (avoid printing or logging these)

except SecretServerError as e:
    print(f"Secret Server Error: {e.message}")
    print("Please check your credentials, tenant URL, and permissions.")
except ValueError as e:
    print(f"Configuration Error: {e}")
except Exception as e:
    print(f"An unexpected error occurred: {e}")
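Added example (not part of the SDK or of the original page): a preflight check for the misconfigurations listed under Common errors and Warnings, run before any values are handed to the SDK. The function names `preflight` and `check_bundle`, the `TSS_BASE_URL` variable and the sample URL are assumptions made for illustration.

```python
import os
from urllib.parse import urlsplit


def check_bundle(path):
    """Sanity-check the file REQUESTS_CA_BUNDLE points to."""
    try:
        with open(path, "r", encoding="ascii", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        return [f"REQUESTS_CA_BUNDLE unreadable: {exc.strerror}"]
    if "-----BEGIN CERTIFICATE-----" not in text:
        return ["REQUESTS_CA_BUNDLE contains no PEM certificate"]
    if "PRIVATE KEY-----" in text:
        return ["REQUESTS_CA_BUNDLE holds a private key; keep certificates only"]
    return []


def preflight(base_url, env):
    """Return a list of configuration problems; an empty list means none found."""
    problems = []
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        problems.append("base_url must use https")
    if not parts.hostname:
        problems.append("base_url has no host")
    # A base URL must name the application root, not a page such as /Login.aspx.
    last = parts.path.rstrip("/").rsplit("/", 1)[-1]
    if last.lower().endswith(".aspx"):
        problems.append(f"base_url must not include the page '{last}'")
    if parts.query or parts.fragment:
        problems.append("base_url must not carry a query string or fragment")
    for name in ("TSS_USERNAME", "TSS_PASSWORD"):
        if not env.get(name):
            problems.append(f"{name} is not set")
    if env.get("REQUESTS_CA_BUNDLE"):
        problems.extend(check_bundle(env["REQUESTS_CA_BUNDLE"]))
    return problems


if __name__ == "__main__":
    # Constructed sample value; TSS_BASE_URL is a hypothetical variable name.
    url = os.environ.get("TSS_BASE_URL", "https://yourserver.com/SecretServer/Login.aspx")
    for problem in preflight(url, os.environ):
        print("config problem:", problem)
```

Trusting the server's certificate chain through `REQUESTS_CA_BUNDLE` keeps TLS verification switched on, which is why the check inspects the bundle file rather than suggesting any way around verification.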