From 06b6c7940db1a89b3b2f99a172415901ac9f36c6 Mon Sep 17 00:00:00 2001 From: Beau West Date: Thu, 26 Feb 2026 13:20:32 -0600 Subject: [PATCH 1/5] Fix variable expansion when setting the endpoint URL Nested expansion does not work, so the URL was being generated without the dynamic values expanded into it. --- roles/install_agent/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/install_agent/tasks/main.yml b/roles/install_agent/tasks/main.yml index a3863e5..5ff7841 100644 --- a/roles/install_agent/tasks/main.yml +++ b/roles/install_agent/tasks/main.yml @@ -94,7 +94,7 @@ - name: "Set endpoint URI to get the correct registration token" ansible.builtin.set_fact: - reg_token_uri: "{{ \"groups/{{ groupid }}/token\" if group is defined else \"sites/{{ siteid }}/token\" }}" + reg_token_uri: "{{ 'groups/' ~ groupid ~ '/token' if group is defined else 'sites/' ~ siteid ~ '/token' }}" - name: "Get registration token" ansible.builtin.uri: From def368ed56c852f28e38ca014e8797362d9e4ced Mon Sep 17 00:00:00 2001 From: Beau West Date: Thu, 26 Feb 2026 14:20:19 -0600 Subject: [PATCH 2/5] Be more specific about the API Role permissions required --- roles/install_agent/README.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/roles/install_agent/README.md b/roles/install_agent/README.md index cfbe7a4..61b1cd4 100644 --- a/roles/install_agent/README.md +++ b/roles/install_agent/README.md 
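Review bot: The rewritten `reg_token_uri` expression still branches on `group is defined` but concatenates `groupid`, so the guard and the value it protects are different variables. If `group` can be set while `groupid` was never resolved (the lookup is not visible in this hunk), the task would fail on an undefined variable instead of falling back to the site path. Testing the variable that is actually used, e.g. `if groupid is defined else`, keeps the two in step; confirm against the task that sets `groupid`.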
@@ -33,11 +33,12 @@ Requirements An API key is required to use this role. It is considered best practice to create a specific 'API user' role for this purpose. The API user requires the following permissions: -- Read site info -- Read group info (if the scope is set to group) -- Download agent packages -- Read the site or group registration token -- Read agent information +- Endpoints -> View +- Accounts -> View +- Agent Packages -> View +- Groups -> View (If the scope is set to "group") +- Roles -> View +- Sites -> View ### GPG Key (Linux only) You need to provide the gpg key to validate the package signatures correctly. You obtain the download link from the Sentinelone Help page: "**How to Install on a Linux Endpoint with Yum**". From e73369361b35342c43e9a9efa688c3027adbd588 Mon Sep 17 00:00:00 2001 From: Beau West Date: Thu, 26 Feb 2026 14:22:07 -0600 Subject: [PATCH 3/5] Modernize the GPG file handling This is due to apt_key being deprecated. --- roles/install_agent/tasks/Linux.yml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/roles/install_agent/tasks/Linux.yml b/roles/install_agent/tasks/Linux.yml index 99ad08b..32d5519 100644 --- a/roles/install_agent/tasks/Linux.yml +++ b/roles/install_agent/tasks/Linux.yml @@ -27,7 +27,6 @@ - name: "Block: RPM based systems" when: pkg_format == "rpm" block: - - name: "Linux: Copy gpg key to remote server" ansible.builtin.copy: src: "{{ gpg_key }}" 
@@ -53,22 +52,21 @@ - name: "Block: DEB based systems" when: pkg_format == "deb" + become: true block: - name: "Install gpg" ansible.builtin.apt: name: gpg update_cache: true - - name: "Linux: Copy gpg key to remote server" + - name: "Linux: Install GPG key to trusted.gpg.d" ansible.builtin.copy: src: "{{ gpg_key }}" - dest: "{{ remote_gpg_key_path }}" + dest: /etc/apt/trusted.gpg.d/sentinelone.gpg + owner: root + group: root mode: "0644" - - name: "Linux: Import GPG key for apt" - ansible.builtin.apt_key: - file: "{{ remote_gpg_key_path }}" - - name: "Linux: Install deb agent package {{ remote_pkg_path }}" ansible.builtin.apt: deb: "{{ remote_pkg_path }}" From 7c3f31fb70dfb2b797c7bf7ab591f3bcef2ce3a0 Mon Sep 17 00:00:00 2001 From: Beau West Date: Thu, 26 Feb 2026 14:22:38 -0600 Subject: [PATCH 4/5] Explicitly apply "become: false" for localhost tasks --- roles/install_agent/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/install_agent/tasks/main.yml b/roles/install_agent/tasks/main.yml index 5ff7841..18e79a4 100644 --- a/roles/install_agent/tasks/main.yml +++ b/roles/install_agent/tasks/main.yml @@ -31,6 +31,7 @@ or sentinelagent_service.exists | default(false) else false }}" - name: "Download agent to localhost. Version: {{ agent_version }}" + become: false sva.sentinelone.sentinelone_download_agent: console_url: "{{ console_url }}" token: "{{ api_token }}" @@ -47,6 +48,7 @@ - name: "Block: Get registration token from API" run_once: true + become: false block: - name: "Get siteid" ansible.builtin.uri: @@ -117,6 +119,7 @@ ansible.builtin.include_tasks: "{{ custom_os_family }}.yml" - name: "Remove agent install package from localhost" + become: false ansible.builtin.file: path: "{{ return_download_agent.original_message.full_path }}" state: absent 
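Review bot: A key copied to `/etc/apt/trusted.gpg.d/sentinelone.gpg` is trusted by apt for every configured repository, which is the same host-wide trust `apt_key` gave, so the deprecation is addressed but the trust scope is not narrowed. apt also reads a `.gpg` file in that directory as a binary keyring; if `gpg_key` is ASCII-armored the destination needs to be `dest: /etc/apt/trusted.gpg.d/sentinelone.asc`, or the key has to be dearmored first, otherwise it is likely to be ignored. The install task that follows uses `deb:` with a local file, and as far as I know that path is not checked against the apt keyring; please confirm, then add a comment such as `# NOTE: apt does not check a local .deb against this key` or an explicit checksum step before the install. The block continues past the end of the hunk.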
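Review bot: The added `become: false` lines carry no comment saying why these tasks must not escalate, and the same applies to the hunks at -47, -117 and -124. Judging by the task names and the `delegate_to: localhost` visible on the console-check task in patch 5, they run on the control node, where an inherited play-level `become: true` would run the download (which receives `api_token`) and the file removal as root. A one-line comment on each, e.g. `# runs on the controller: never inherit play-level become`, keeps a later cleanup from removing them. For the block at -47 the keyword applies to every task in the block, which continues outside the hunk.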
@@ -124,6 +127,7 @@ when: not agent_installed - name: "Fail if new client does not appear in management console" + become: false ansible.builtin.uri: url: "{{ api_url }}agents?siteIds={{ siteid }}&computerName={{ ansible_hostname | urlencode }}&isActive=true" method: GET From 04f0074a2145bb6d09d1f7f296b6cfd79e28766f Mon Sep 17 00:00:00 2001 From: Beau West Date: Thu, 26 Feb 2026 14:23:05 -0600 Subject: [PATCH 5/5] Prevent errors when waiting for the agent to appear --- roles/install_agent/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/install_agent/tasks/main.yml b/roles/install_agent/tasks/main.yml index 18e79a4..ff4228e 100644 --- a/roles/install_agent/tasks/main.yml +++ b/roles/install_agent/tasks/main.yml @@ -140,6 +140,6 @@ register: registrationstatus delegate_to: localhost no_log: "{{ hide_sensitive }}" - until: ((registrationstatus.json.data | length) > 0) and (registrationstatus.status == 200) + until: (registrationstatus.json.data | default([]) | length > 0) and (registrationstatus.status | default(0) == 200) retries: "{{ check_console_retries }}" delay: "{{ check_console_retry_delay }}"
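Review bot: With the new `default([])` and `default(0)` fallbacks in `until`, a request that failed outright (rejected token, unreachable console) is treated exactly like "agent not registered yet" and retried for the full `check_console_retries`. Because the task also sets `no_log: "{{ hide_sensitive }}"`, the eventual failure output may hide the real reason. Consider a comment such as `# default() covers results without json/status; an auth or connection error is retried like a missing agent`, and, if failing fast matters, a separate check on `registrationstatus.status` after the loop. The task starts outside the hunk.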