google.cloud.gcp_secret_manager module – Access and Update Google Cloud Secrets Manager objects

Note

This module is part of the google.cloud collection (version 1.4.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install google.cloud. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: google.cloud.gcp_secret_manager.

Note

The google.cloud collection will be removed from Ansible 12 due to violations of the Ansible inclusion requirements. The collection has unresolved sanity test failures. See the discussion thread for more information.

Synopsis

  • Access secrets stored in Google Secrets Manager.

  • Create new secrets.

  • Create new secret values.

  • Add/remove versions of secrets.

  • Please note that other features like etags, replication, annontation expected to be managed outside of Ansible.

Requirements

The below requirements are needed on the host that executes this module.

  • python >= 2.6

  • requests >= 2.18.4

  • google-auth >= 1.3.0

Parameters

Parameter

Comments

auth_kind

string / required

The type of credential used.

Choices:

  • "application"

  • "machineaccount"

  • "serviceaccount"

labels

dictionary

A set of key-value pairs to assign as labels to asecret

only used in creation

Note that the “value” piece of a label must contain only readable chars

name

aliases: key, secret, secret_id

string / required

Name of the secret to be used

project

string

The Google Cloud Platform project to use.

return_value

boolean

if true, the value of the secret will be returned unencrypted to Ansible

if false, no value will be returned or decrypted

Choices:

  • false

  • true ← (default)

scopes

list / elements=string

Array of scopes to be used

service_account_contents

jsonarg

The contents of a Service Account JSON file, either in a dictionary or as a JSON string that represents it.

service_account_email

string

An optional service account email address if machineaccount is selected and the user does not wish to use the default email.

service_account_file

path

The path of a Service Account JSON file if serviceaccount is selected as type.

state

string

whether the secret should exist

Choices:

  • "absent"

  • "present" ← (default)

value

string

The secret value that the secret should have

this will be set upon create

If the secret value is not this, a new version will be added with this value

version

string

A version label to apply to the secret

Default is “latest” which is the newest version of the secret

The special “all” is also acceptable on delete (which will delete all versions of a secret)

Default: "latest"

Notes

Note

  • API Reference: https://cloud.google.com/secret-manager/docs/reference/rests

  • Official Documentation: https://cloud.google.com/secret-manager/docs/overview

  • for authentication, you can set service_account_file using the GCP_SERVICE_ACCOUNT_FILE env variable.

  • for authentication, you can set service_account_contents using the GCP_SERVICE_ACCOUNT_CONTENTS env variable.

  • For authentication, you can set service_account_email using the GCP_SERVICE_ACCOUNT_EMAIL env variable.

  • For authentication, you can set auth_kind using the GCP_AUTH_KIND env variable.

  • For authentication, you can set scopes using the GCP_SCOPES env variable.

  • Environment variables values will only be used if the playbook values are not set.

  • The service_account_email and service_account_file options are mutually exclusive.

Examples

- name: Create a new secret
  google.cloud.gcp_secret_manager:
    name: secret_key
    value: super_secret
    state: present
    auth_kind: serviceaccount
    service_account_file: service_account_creds.json

- name: Ensure the secretexists, fail otherwise and return the value
  google.cloud.gcp_secret_manager:
    name: secret_key
    state: present

- name: Ensure secret exists but don't return the value
  google.cloud.gcp_secret_manager:
    name: secret_key
    state: present
    return_value: false

- name: Add a new version of a secret
  google.cloud.gcp_secret_manager:
    name: secret_key
    value: updated super secret
    state: present

- name: Delete version 1 of a secret (but not the secret itself)
  google.cloud.gcp_secret_manager:
    name: secret_key
    version: 1
    state: absent

- name: Delete all versions of a secret
  google.cloud.gcp_secret_manager:
    name: secret_key
    version: all
    state: absent

- name: Create a secret with labels
  google.cloud.gcp_secret_manager:
    name: secret_key
    value: super_secret
    labels:
      key_name: "ansible_rox"

Authors

  • Dave Costakos @RedHat