You are reading an unmaintained version of the Ansible documentation. Unmaintained Ansible versions can contain unfixed security vulnerabilities (CVE). Please upgrade to a maintained version. See the latest Ansible documentation.

amazon.aws.aws_secret – Look up secrets stored in AWS Secrets Manager.

Note

This plugin is part of the amazon.aws collection (version 1.5.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install amazon.aws.

To use it in a playbook, specify: amazon.aws.aws_secret.

Synopsis

• Look up secrets stored in AWS Secrets Manager provided the caller has the appropriate permissions to read the secret.

• Lookup is based on the secret’s Name value.

• Optional parameters can be passed into this lookup; version_id and version_stage

Requirements

The below requirements are needed on the local controller node that executes this lookup.

• boto3

• botocore>=1.10.0

Parameters

Parameter	Comments
_terms string / required	Name of the secret to look up in AWS Secrets Manager.
aws_access_key aliases: aws_access_key_id string	The AWS access key to use. Configuration: Environment variable: EC2_ACCESS_KEY Environment variable: AWS_ACCESS_KEY Environment variable: AWS_ACCESS_KEY_ID
aws_profile aliases: boto_profile string	The AWS profile Configuration: Environment variable: AWS_DEFAULT_PROFILE Environment variable: AWS_PROFILE
aws_secret_key aliases: aws_secret_access_key string	The AWS secret key that corresponds to the access key. Configuration: Environment variable: EC2_SECRET_KEY Environment variable: AWS_SECRET_KEY Environment variable: AWS_SECRET_ACCESS_KEY
aws_security_token string	The AWS security token if using temporary access and secret keys. Configuration: Environment variable: EC2_SECURITY_TOKEN Environment variable: AWS_SESSION_TOKEN Environment variable: AWS_SECURITY_TOKEN
bypath boolean added in 1.4.0 of amazon.aws	A boolean to indicate whether the parameter is provided as a hierarchy. Choices: no ← (default) yes
join boolean	Join two or more entries to form an extended secret. This is useful for overcoming the 4096 character limit imposed by AWS. No effect when used with bypath. Choices: no ← (default) yes
nested boolean added in 1.4.0 of amazon.aws	A boolean to indicate the secret contains nested values. Choices: no ← (default) yes
on_denied string	Action to take if access to the secret is denied. error will raise a fatal error when access to the secret is denied. skip will silently ignore the denied secret. warn will skip over the denied secret but issue a warning. Choices: error ← (default) skip warn
on_missing string	Action to take if the secret is missing. error will raise a fatal error when the secret is missing. skip will silently ignore the missing secret. warn will skip over the missing secret but issue a warning. Choices: error ← (default) skip warn
region string	The region for which to create the connection. Configuration: Environment variable: EC2_REGION Environment variable: AWS_REGION
version_id string	Version of the secret(s).
version_stage string	Stage of the secret version.

Examples

- name: lookup secretsmanager secret in the current region
  debug: msg="{{ lookup('amazon.aws.aws_secret', '/path/to/secrets', bypath=true) }}"

- name: Create RDS instance with aws_secret lookup for password param
  rds:
    command: create
    instance_name: app-db
    db_engine: MySQL
    size: 10
    instance_type: db.m1.small
    username: dbadmin
    password: "{{ lookup('amazon.aws.aws_secret', 'DbSecret') }}"
    tags:
      Environment: staging

- name: skip if secret does not exist
  debug: msg="{{ lookup('amazon.aws.aws_secret', 'secret-not-exist', on_missing='skip')}}"

- name: warn if access to the secret is denied
  debug: msg="{{ lookup('amazon.aws.aws_secret', 'secret-denied', on_denied='warn')}}"

- name: lookup secretsmanager secret in the current region using the nested feature
  debug: msg="{{ lookup('amazon.aws.aws_secret', 'secrets.environments.production.password', nested=true) }}"
  # The secret can be queried using the following syntax: `aws_secret_object_name.key1.key2.key3`.
  # If an object is of the form `{"key1":{"key2":{"key3":1}}}` the query would return the value `1`.

Return Values

Common return values are documented here, the following are the fields unique to this lookup:

Key	Description
_raw string	Returns the value of the secret stored in AWS Secrets Manager. Returned: success

Authors

• Aaron Smith <ajsmith10381@gmail.com>