docker_secret – Manage docker secrets

New in version 2.4.

Synopsis

  • Create and remove Docker secrets in a Swarm environment. Similar to docker secret create and docker secret rm.
  • Adds to the metadata of new secrets ‘ansible_key’, an encrypted hash representation of the data, which is then used in future runs to test if a secret has changed. If ‘ansible_key is not present, then a secret will not be updated unless the force option is set.
  • Updates to secrets are performed by removing the secret and creating it again.

Requirements

The below requirements are needed on the host that executes this module.

  • Docker API >= 1.25
  • Docker SDK for Python: Please note that the docker-py Python module has been superseded by docker (see here for details). This module does not work with docker-py.
  • Docker SDK for Python >= 2.1.0
  • Python >= 2.7

Parameters

Parameter Choices/Defaults Comments
api_version
string
Default:
"auto"
The version of the Docker API running on the Docker Host.
Defaults to the latest version of the API supported by Docker SDK for Python and the docker daemon.
If the value is not specified in the task, the value of environment variable DOCKER_API_VERSION will be used instead. If the environment variable is not set, the default value will be used.

aliases: docker_api_version
ca_cert
path
Use a CA certificate when performing server verification by providing the path to a CA certificate file.
If the value is not specified in the task and the environment variable DOCKER_CERT_PATH is set, the file ca.pem from the directory specified in the environment variable DOCKER_CERT_PATH will be used.

aliases: tls_ca_cert, cacert_path
client_cert
path
Path to the client's TLS certificate file.
If the value is not specified in the task and the environment variable DOCKER_CERT_PATH is set, the file cert.pem from the directory specified in the environment variable DOCKER_CERT_PATH will be used.

aliases: tls_client_cert, cert_path
client_key
path
Path to the client's TLS key file.
If the value is not specified in the task and the environment variable DOCKER_CERT_PATH is set, the file key.pem from the directory specified in the environment variable DOCKER_CERT_PATH will be used.

aliases: tls_client_key, key_path
data
string
The value of the secret. Required when state is present.
data_is_b64
boolean
added in 2.8
    Choices:
  • no ←
  • yes
If set to true, the data is assumed to be Base64 encoded and will be decoded before being used.
To use binary data, it is better to keep it Base64 encoded and let it be decoded by this option.
debug
boolean
    Choices:
  • no ←
  • yes
Debug mode
docker_host
string
Default:
"unix://var/run/docker.sock"
The URL or Unix socket path used to connect to the Docker API. To connect to a remote host, provide the TCP connection string. For example, tcp://192.0.2.23:2376. If TLS is used to encrypt the connection, the module will automatically replace tcp in the connection URL with https.
If the value is not specified in the task, the value of environment variable DOCKER_HOST will be used instead. If the environment variable is not set, the default value will be used.

aliases: docker_url
force
boolean
    Choices:
  • no ←
  • yes
Use with state present to always remove and recreate an existing secret.
If true, an existing secret will be replaced, even if it has not changed.
labels
dictionary
A map of key:value meta data, where both key and value are expected to be strings.
If new meta data is provided, or existing meta data is modified, the secret will be updated by removing it and creating it again.
name
string / required
The name of the secret.
ssl_version
string
Provide a valid SSL version number. Default value determined by ssl.py module.
If the value is not specified in the task, the value of environment variable DOCKER_SSL_VERSION will be used instead.
state
string
    Choices:
  • absent
  • present ←
Set to present, if the secret should exist, and absent, if it should not.
timeout
integer
Default:
60
The maximum amount of time in seconds to wait on a response from the API.
If the value is not specified in the task, the value of environment variable DOCKER_TIMEOUT will be used instead. If the environment variable is not set, the default value will be used.
tls
boolean
    Choices:
  • no ←
  • yes
Secure the connection to the API by using TLS without verifying the authenticity of the Docker host server. Note that if validate_certs is set to yes as well, it will take precedence.
If the value is not specified in the task, the value of environment variable DOCKER_TLS will be used instead. If the environment variable is not set, the default value will be used.
tls_hostname
string
Default:
"localhost"
When verifying the authenticity of the Docker Host server, provide the expected name of the server.
If the value is not specified in the task, the value of environment variable DOCKER_TLS_HOSTNAME will be used instead. If the environment variable is not set, the default value will be used.
validate_certs
boolean
    Choices:
  • no ←
  • yes
Secure the connection to the API by using TLS and verifying the authenticity of the Docker host server.
If the value is not specified in the task, the value of environment variable DOCKER_TLS_VERIFY will be used instead. If the environment variable is not set, the default value will be used.

aliases: tls_verify

Notes

Note

  • Connect to the Docker daemon by providing parameters with each task or by defining environment variables. You can define DOCKER_HOST, DOCKER_TLS_HOSTNAME, DOCKER_API_VERSION, DOCKER_CERT_PATH, DOCKER_SSL_VERSION, DOCKER_TLS, DOCKER_TLS_VERIFY and DOCKER_TIMEOUT. If you are using docker machine, run the script shipped with the product that sets up the environment. It will set these variables for you. See https://docs.docker.com/machine/reference/env/ for more details.
  • When connecting to Docker daemon with TLS, you might need to install additional Python packages. For the Docker SDK for Python, version 2.4 or newer, this can be done by installing docker[tls] with pip.
  • Note that the Docker SDK for Python only allows to specify the path to the Docker configuration for very few functions. In general, it will use $HOME/.docker/config.json if the DOCKER_CONFIG environment variable is not specified, and use $DOCKER_CONFIG/config.json otherwise.

Examples

- name: Create secret foo (from a file on the control machine)
  docker_secret:
    name: foo
    # If the file is JSON or binary, Ansible might modify it (because
    # it is first decoded and later re-encoded). Base64-encoding the
    # file directly after reading it prevents this to happen.
    data: "{{ lookup('file', '/path/to/secret/file') | b64encode }}"
    data_is_b64: true
    state: present

- name: Change the secret data
  docker_secret:
    name: foo
    data: Goodnight everyone!
    labels:
      bar: baz
      one: '1'
    state: present

- name: Add a new label
  docker_secret:
    name: foo
    data: Goodnight everyone!
    labels:
      bar: baz
      one: '1'
      # Adding a new label will cause a remove/create of the secret
      two: '2'
    state: present

- name: No change
  docker_secret:
    name: foo
    data: Goodnight everyone!
    labels:
      bar: baz
      one: '1'
      # Even though 'two' is missing, there is no change to the existing secret
    state: present

- name: Update an existing label
  docker_secret:
    name: foo
    data: Goodnight everyone!
    labels:
      bar: monkey   # Changing a label will cause a remove/create of the secret
      one: '1'
    state: present

- name: Force the removal/creation of the secret
  docker_secret:
    name: foo
    data: Goodnight everyone!
    force: yes
    state: present

- name: Remove secret foo
  docker_secret:
    name: foo
    state: absent

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
secret_id
string
success and state is present
The ID assigned by Docker to the secret object.

Sample:
hzehrmyjigmcp2gb6nlhmjqcv


Status

Authors

  • Chris Houseknecht (@chouseknecht)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.