google.cloud.gcp_secret_manager module – Access and Update Google Cloud Secrets Manager objects
Note
This module is part of the google.cloud collection (version 1.9.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install google.cloud.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: google.cloud.gcp_secret_manager.
Synopsis
- Access secrets stored in Google Secrets Manager.
- Create new secrets.
- Create new secret values.
- Add/remove versions of secrets.
- Please note that other features like etags, replication and annotations are expected to be managed outside of Ansible.
- Deals with regional secrets if the location option is defined.
Requirements
The below requirements are needed on the host that executes this module.
- python >= 2.6 
- requests >= 2.18.4 
- google-auth >= 1.3.0 
Parameters
| Parameter | Comments |
|---|---|
| access_token | An OAuth2 access token if credential type is accesstoken. |
| auth_kind | The type of credential used. Choices: accesstoken, application, machineaccount, serviceaccount |
| env_type | Specifies which Ansible environment you're running this module within. This should not be set unless you know what you're doing. This only alters the User Agent string for any API requests. |
| labels | A set of key-value pairs to assign as labels to a secret; only used in creation. Note that the "value" piece of a label must contain only readable chars. Default: {} |
| location | If provided, it defines the location of the regional secret. |
| name | Name of the secret to be used. |
| project | The Google Cloud Platform project to use. |
| return_value | If true, the value of the secret will be returned unencrypted to Ansible; if false, no value will be returned or decrypted. Choices: false, true (default) |
| scopes | Array of scopes to be used. |
| service_account_contents | The contents of a Service Account JSON file, either in a dictionary or as a JSON string that represents it. |
| service_account_email | An optional service account email address if machineaccount is selected and the user does not wish to use the default email. |
| service_account_file | The path of a Service Account JSON file if serviceaccount is selected as type. |
| state | Whether the secret should exist. Choices: absent, present (default) |
| value | The secret value that the secret should have; this will be set upon create. If the current secret value is not this, a new version will be added with this value. |
| version | A version label to apply to the secret. Default is "latest", which is the newest version of the secret. The special "all" is also acceptable on delete (which will delete all versions of a secret). Default: "latest" |
Notes
Note
- API Reference: https://cloud.google.com/secret-manager/docs/reference/rests
- Official Documentation: https://cloud.google.com/secret-manager/docs/overview
- For authentication, you can set service_account_file using the GCP_SERVICE_ACCOUNT_FILE env variable.
- For authentication, you can set service_account_contents using the GCP_SERVICE_ACCOUNT_CONTENTS env variable.
- For authentication, you can set service_account_email using the GCP_SERVICE_ACCOUNT_EMAIL env variable.
- For authentication, you can set auth_kind using the GCP_AUTH_KIND env variable.
- For authentication, you can set scopes using the GCP_SCOPES env variable.
- Environment variable values will only be used if the playbook values are not set.
- The service_account_email and service_account_file options are mutually exclusive.
Examples
- name: Create a new secret
  google.cloud.gcp_secret_manager:
    name: secret_key
    value: super_secret
    state: present
    auth_kind: serviceaccount
    service_account_file: service_account_creds.json
- name: Ensure the secret exists, fail otherwise and return the value
  google.cloud.gcp_secret_manager:
    name: secret_key
    state: present
- name: Ensure secret exists but don't return the value
  google.cloud.gcp_secret_manager:
    name: secret_key
    state: present
    return_value: false
- name: Add a new version of a secret
  google.cloud.gcp_secret_manager:
    name: secret_key
    value: updated super secret
    state: present
- name: Delete version 1 of a secret (but not the secret itself)
  google.cloud.gcp_secret_manager:
    name: secret_key
    version: 1
    state: absent
- name: Delete all versions of a secret
  google.cloud.gcp_secret_manager:
    name: secret_key
    version: all
    state: absent
- name: Create a secret with labels
  google.cloud.gcp_secret_manager:
    name: secret_key
    value: super_secret
    labels:
      key_name: "ansible_rox"
- name: Create a new regional secret
  google.cloud.gcp_secret_manager:
    name: secret_key
    location: us-central1
    value: super_secret
    state: present
    auth_kind: serviceaccount
    service_account_file: service_account_creds.json
- name: Ensure the regional secret exists, fail otherwise and return the value
  google.cloud.gcp_secret_manager:
    name: secret_key
    location: us-central1
    state: present
- name: Ensure regional secret exists but don't return the value
  google.cloud.gcp_secret_manager:
    name: secret_key
    location: us-central1
    state: present
    return_value: false
- name: Add a new version of a regional secret
  google.cloud.gcp_secret_manager:
    name: secret_key
    location: us-central1
    value: updated super secret
    state: present
- name: Delete version 1 of a regional secret (but not the secret itself)
  google.cloud.gcp_secret_manager:
    name: secret_key
    location: us-central1
    version: 1
    state: absent
- name: Delete all versions of a regional secret
  google.cloud.gcp_secret_manager:
    name: secret_key
    location: us-central1
    version: all
    state: absent
- name: Create a regional secret with labels
  google.cloud.gcp_secret_manager:
    name: secret_key
    location: us-central1
    value: super_secret
    labels:
      key_name: "ansible_rox"
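The examples above read secrets with return_value left at its default of true, which means the decrypted value lands in the task result and, unless suppressed, in the play output and any log aggregator that collects it. The following playbook is an added example (not part of the collection's own documentation) showing how a practitioner would keep the plaintext out of logs: `no_log: true` on every task that can return a value, `return_value: false` where only existence matters, and `version` pinned when a consumer must not silently pick up a newer version. The result key path `secret_read.value` is an assumption based on the Return Values table below; depending on how the module nests its output it may instead sit under `secret_read.resources`.

```yaml
---
# Added example: handling gcp_secret_manager results without leaking the
# plaintext into Ansible output. Secret name and values are constructed.
- name: Manage an application secret safely
  hosts: localhost
  gather_facts: false
  vars:
    secret_name: app_db_password
  tasks:
    - name: Ensure the secret exists (no value needed, so do not decrypt it)
      google.cloud.gcp_secret_manager:
        name: "{{ secret_name }}"
        state: present
        return_value: false
        auth_kind: serviceaccount
        service_account_file: service_account_creds.json
      # Nothing sensitive is returned here, so no_log is not required.

    - name: Rotate the secret by adding a new version
      google.cloud.gcp_secret_manager:
        name: "{{ secret_name }}"
        value: "{{ lookup('env', 'NEW_DB_PASSWORD') }}"   # constructed input
        state: present
        auth_kind: serviceaccount
        service_account_file: service_account_creds.json
      no_log: true   # task args and result both contain the plaintext

    - name: Read a pinned version rather than "latest"
      google.cloud.gcp_secret_manager:
        name: "{{ secret_name }}"
        version: 1
        state: present
        auth_kind: serviceaccount
        service_account_file: service_account_creds.json
      register: secret_read
      no_log: true   # the decrypted value is in the registered result

    - name: Use the value only inside another no_log task
      ansible.builtin.template:
        src: db.conf.j2
        dest: /etc/app/db.conf
        mode: "0600"
      vars:
        # Key path assumed from the Return Values table; adjust if the
        # module nests it under "resources".
        db_password: "{{ secret_read.value }}"
      no_log: true
```

The pattern to take away is that `register` copies the plaintext into play variables, so every task that touches `secret_read` afterwards needs `no_log: true` as well, and the task that writes the value to disk should set a restrictive `mode`.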
Return Values
Common return values are documented here; the following are the fields unique to this module:
| Key | Description |
|---|---|
| resources | List of resources. Returned: always |
| location | The location of the regional secret. Returned: success |
| msg | A message indicating what was done (or not done). Returned: success, failure |
| name | The name of the secret. Returned: success |
| payload | The base64 secret payload including CRC for validation. Returned: success |
| status_code | The HTTP status code of the response to Google Cloud. Returned: success |
| url | The Google Cloud URL used to make the request. Returned: success |
| value | The decrypted secret value; please use care with this. Returned: success |
| version | The version number of the secret returned. Returned: success |
