google.cloud.gcp_secret_manager module – Access and Update Google Cloud Secrets Manager objects

Note

This module is part of the google.cloud collection (version 1.4.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install google.cloud. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: google.cloud.gcp_secret_manager.

Note

The google.cloud collection will be removed from Ansible 12 due to violations of the Ansible inclusion requirements. The collection has unresolved sanity test failures. See the discussion thread for more information.

Synopsis

• Access secrets stored in Google Secrets Manager.

• Create new secrets.

• Create new secret values.

• Add/remove versions of secrets.

• Please note that other features like etags, replication, annontation expected to be managed outside of Ansible.

Requirements

The below requirements are needed on the host that executes this module.

• python >= 2.6

• requests >= 2.18.4

• google-auth >= 1.3.0

Parameters

Parameter	Comments
auth_kind string / required	The type of credential used. Choices: "application" "machineaccount" "serviceaccount"
labels dictionary	A set of key-value pairs to assign as labels to asecret only used in creation Note that the “value” piece of a label must contain only readable chars
name aliases: key, secret, secret_id string / required	Name of the secret to be used
project string	The Google Cloud Platform project to use.
return_value boolean	if true, the value of the secret will be returned unencrypted to Ansible if false, no value will be returned or decrypted Choices: false true ← (default)
scopes list / elements=string	Array of scopes to be used
service_account_contents jsonarg	The contents of a Service Account JSON file, either in a dictionary or as a JSON string that represents it.
service_account_email string	An optional service account email address if machineaccount is selected and the user does not wish to use the default email.
service_account_file path	The path of a Service Account JSON file if serviceaccount is selected as type.
state string	whether the secret should exist Choices: "absent" "present" ← (default)
value string	The secret value that the secret should have this will be set upon create If the secret value is not this, a new version will be added with this value
version string	A version label to apply to the secret Default is “latest” which is the newest version of the secret The special “all” is also acceptable on delete (which will delete all versions of a secret) Default: "latest"

Notes

Note

• API Reference: https://cloud.google.com/secret-manager/docs/reference/rests

• Official Documentation: https://cloud.google.com/secret-manager/docs/overview

• for authentication, you can set service_account_file using the GCP_SERVICE_ACCOUNT_FILE env variable.

• for authentication, you can set service_account_contents using the GCP_SERVICE_ACCOUNT_CONTENTS env variable.

• For authentication, you can set service_account_email using the GCP_SERVICE_ACCOUNT_EMAIL env variable.

• For authentication, you can set auth_kind using the GCP_AUTH_KIND env variable.

• For authentication, you can set scopes using the GCP_SCOPES env variable.

• Environment variables values will only be used if the playbook values are not set.

• The service_account_email and service_account_file options are mutually exclusive.

Examples

- name: Create a new secret
  google.cloud.gcp_secret_manager:
    name: secret_key
    value: super_secret
    state: present
    auth_kind: serviceaccount
    service_account_file: service_account_creds.json

- name: Ensure the secretexists, fail otherwise and return the value
  google.cloud.gcp_secret_manager:
    name: secret_key
    state: present

- name: Ensure secret exists but don't return the value
  google.cloud.gcp_secret_manager:
    name: secret_key
    state: present
    return_value: false

- name: Add a new version of a secret
  google.cloud.gcp_secret_manager:
    name: secret_key
    value: updated super secret
    state: present

- name: Delete version 1 of a secret (but not the secret itself)
  google.cloud.gcp_secret_manager:
    name: secret_key
    version: 1
    state: absent

- name: Delete all versions of a secret
  google.cloud.gcp_secret_manager:
    name: secret_key
    version: all
    state: absent

- name: Create a secret with labels
  google.cloud.gcp_secret_manager:
    name: secret_key
    value: super_secret
    labels:
      key_name: "ansible_rox"

Authors

• Dave Costakos @RedHat

Collection links

• Issue Tracker
• Homepage
• Repository (Sources)

There were some errors parsing the documentation for this plugin. Please file a bug with the google.cloud collection.

The errors were:

• Unable to normalize gcp_secret_manager: return due to: 7 validation errors for PluginReturnSchema
  return -> resources -> msg
    Extra inputs are not permitted (type=extra_forbidden)
  return -> resources -> name
    Extra inputs are not permitted (type=extra_forbidden)
  return -> resources -> payload
    Extra inputs are not permitted (type=extra_forbidden)
  return -> resources -> status_code
    Extra inputs are not permitted (type=extra_forbidden)
  return -> resources -> url
    Extra inputs are not permitted (type=extra_forbidden)
  return -> resources -> value
    Extra inputs are not permitted (type=extra_forbidden)
  return -> resources -> version
    Extra inputs are not permitted (type=extra_forbidden)