google.cloud.gcp_secret_manager module – Access and Update Google Cloud Secrets Manager objects
Note
This module is part of the google.cloud collection (version 1.4.1).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install google.cloud.
You need further requirements to be able to use this module, see Requirements for details.
To use it in a playbook, specify: google.cloud.gcp_secret_manager.
Note
The google.cloud collection will be removed from Ansible 12 due to violations of the Ansible inclusion requirements. The collection has unresolved sanity test failures. See the discussion thread for more information.
Synopsis
Access secrets stored in Google Secrets Manager.
Create new secrets.
Create new secret values.
Add/remove versions of secrets.
Please note that other features such as etags, replication and annotations are expected to be managed outside of Ansible.
Requirements
The below requirements are needed on the host that executes this module.
python >= 2.6
requests >= 2.18.4
google-auth >= 1.3.0
Parameters
Parameter | Comments
---|---
auth_kind | The type of credential used. Choices include serviceaccount (used in the examples below) and machineaccount (see service_account_email).
labels | A set of key-value pairs to assign as labels to a secret. Only used on creation. Note that the "value" part of a label must contain only readable characters.
name | Name of the secret to be used.
project | The Google Cloud Platform project to use.
return_value | If true, the value of the secret will be returned unencrypted to Ansible. If false, no value will be returned or decrypted. Choices: true, false
scopes | Array of scopes to be used.
service_account_contents | The contents of a Service Account JSON file, either as a dictionary or as a JSON string that represents it.
service_account_email | An optional service account email address if machineaccount is selected and the user does not wish to use the default email.
service_account_file | The path of a Service Account JSON file if serviceaccount is selected as type.
state | Whether the secret should exist. Choices: present, absent
value | The secret value that the secret should have. This will be set upon creation. If the current secret value is not this, a new version will be added with this value.
version | A version label to apply to the secret. Default is "latest", which is the newest version of the secret. The special value "all" is also acceptable on delete (which will delete all versions of a secret). Default: latest
Notes
Note
API Reference: https://cloud.google.com/secret-manager/docs/reference/rests
Official Documentation: https://cloud.google.com/secret-manager/docs/overview
For authentication, you can set service_account_file using the GCP_SERVICE_ACCOUNT_FILE env variable.
For authentication, you can set service_account_contents using the GCP_SERVICE_ACCOUNT_CONTENTS env variable.
For authentication, you can set service_account_email using the GCP_SERVICE_ACCOUNT_EMAIL env variable.
For authentication, you can set auth_kind using the GCP_AUTH_KIND env variable.
For authentication, you can set scopes using the GCP_SCOPES env variable.
Environment variable values will only be used if the playbook values are not set.
The service_account_email and service_account_file options are mutually exclusive.
Examples
- name: Create a new secret
  google.cloud.gcp_secret_manager:
    name: secret_key
    value: super_secret
    state: present
    auth_kind: serviceaccount
    service_account_file: service_account_creds.json

- name: Ensure the secret exists, fail otherwise and return the value
  google.cloud.gcp_secret_manager:
    name: secret_key
    state: present

- name: Ensure secret exists but don't return the value
  google.cloud.gcp_secret_manager:
    name: secret_key
    state: present
    return_value: false

- name: Add a new version of a secret
  google.cloud.gcp_secret_manager:
    name: secret_key
    value: updated super secret
    state: present

- name: Delete version 1 of a secret (but not the secret itself)
  google.cloud.gcp_secret_manager:
    name: secret_key
    version: 1
    state: absent

- name: Delete all versions of a secret
  google.cloud.gcp_secret_manager:
    name: secret_key
    version: all
    state: absent

- name: Create a secret with labels
  google.cloud.gcp_secret_manager:
    name: secret_key
    value: super_secret
    labels:
      key_name: "ansible_rox"
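The snippets above each show one operation; the playbook below (an added example, not part of the collection's documentation) strings them into a rotation that keeps the secret value out of task output. It assumes authentication comes from the GCP_AUTH_KIND and GCP_SERVICE_ACCOUNT_FILE environment variables described in the notes, that db_password is defined in an ansible-vault encrypted vars file, and that a read with return_value: true exposes the secret as `value` on the registered result.

```yaml
# Added example: rotate a Secret Manager secret without leaking its value.
# Assumptions (not taken from the module docs): auth via GCP_AUTH_KIND /
# GCP_SERVICE_ACCOUNT_FILE env vars; db_password comes from vault/secrets.yml;
# the registered result of a read carries the secret under `value`.
- name: Rotate a database password held in Secret Manager
  hosts: localhost
  gather_facts: false
  vars_files:
    - vault/secrets.yml          # assumed: vault-encrypted, defines db_password
  vars:
    secret_name: db_password
  tasks:
    - name: Check the secret exists without decrypting or returning its value
      google.cloud.gcp_secret_manager:
        name: "{{ secret_name }}"
        state: present
        return_value: false

    - name: Add a new version with the rotated value (no new version if it already matches)
      google.cloud.gcp_secret_manager:
        name: "{{ secret_name }}"
        value: "{{ db_password }}"
        state: present
      no_log: true                # keep the value out of stdout and log files
      register: rotation

    - name: Read the latest version back for use by a later task
      google.cloud.gcp_secret_manager:
        name: "{{ secret_name }}"
        state: present
        return_value: true
      no_log: true
      register: current

    - name: Verify the stored value is the rotated one (assumes `value` in the result)
      ansible.builtin.assert:
        that:
          - current.value == db_password
        fail_msg: "Secret Manager does not hold the rotated value"
      no_log: true                # the comparison would otherwise echo the value on failure

    - name: Retire the superseded version; the secret itself is kept
      google.cloud.gcp_secret_manager:
        name: "{{ secret_name }}"
        version: 1                # assumed: the version being replaced
        state: absent
```

The existence check runs with return_value: false so a run that only needs to confirm the secret is present never pulls plaintext into Ansible.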