amazon.aws.aws_secret lookup – Look up secrets stored in AWS Secrets Manager.
Note
This lookup plugin is part of the amazon.aws collection (version 2.3.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install amazon.aws.
To use it in a playbook, specify: amazon.aws.aws_secret.
Synopsis
Look up secrets stored in AWS Secrets Manager provided the caller has the appropriate permissions to read the secret.
Lookup is based on the secret’s Name value.
Optional parameters can be passed into this lookup; version_id and version_stage
Requirements
The below requirements are needed on the local controller node that executes this lookup.
python >= 3.6
boto3 >= 1.15.0
botocore >= 1.18.0
Parameters
Parameter |
Comments |
|---|---|
Name of the secret to look up in AWS Secrets Manager. |
|
The AWS access key to use. Configuration:
|
|
The AWS profile Configuration:
|
|
The AWS secret key that corresponds to the access key. Configuration:
|
|
The AWS security token if using temporary access and secret keys. Configuration:
|
|
A boolean to indicate whether the parameter is provided as a hierarchy. Choices:
|
|
Join two or more entries to form an extended secret. This is useful for overcoming the 4096 character limit imposed by AWS. No effect when used with bypath. Choices:
|
|
A boolean to indicate the secret contains nested values. Choices:
|
|
Action to take if the secret has been marked for deletion.
Choices:
|
|
Action to take if access to the secret is denied.
Choices:
|
|
Action to take if the secret is missing.
Choices:
|
|
The region for which to create the connection. Configuration:
|
|
Version of the secret(s). |
|
Stage of the secret version. |
Examples
- name: lookup secretsmanager secret in the current region
debug: msg="{{ lookup('amazon.aws.aws_secret', '/path/to/secrets', bypath=true) }}"
- name: Create RDS instance with aws_secret lookup for password param
rds:
command: create
instance_name: app-db
db_engine: MySQL
size: 10
instance_type: db.m1.small
username: dbadmin
password: "{{ lookup('amazon.aws.aws_secret', 'DbSecret') }}"
tags:
Environment: staging
- name: skip if secret does not exist
debug: msg="{{ lookup('amazon.aws.aws_secret', 'secret-not-exist', on_missing='skip')}}"
- name: warn if access to the secret is denied
debug: msg="{{ lookup('amazon.aws.aws_secret', 'secret-denied', on_denied='warn')}}"
- name: lookup secretsmanager secret in the current region using the nested feature
debug: msg="{{ lookup('amazon.aws.aws_secret', 'secrets.environments.production.password', nested=true) }}"
# The secret can be queried using the following syntax: `aws_secret_object_name.key1.key2.key3`.
# If an object is of the form `{"key1":{"key2":{"key3":1}}}` the query would return the value `1`.
- name: lookup secretsmanager secret in a specific region using specified region and aws profile using nested feature
debug: >
msg="{{ lookup('amazon.aws.aws_secret', 'secrets.environments.production.password', region=region, aws_profile=aws_profile,
aws_access_key=aws_access_key, aws_secret_key=aws_secret_key, nested=true) }}"
# The secret can be queried using the following syntax: `aws_secret_object_name.key1.key2.key3`.
# If an object is of the form `{"key1":{"key2":{"key3":1}}}` the query would return the value `1`.
# Region is the AWS region where the AWS secret is stored.
# AWS_profile is the aws profile to use, that has access to the AWS secret.
Return Values
Common return values are documented here, the following are the fields unique to this lookup:
Key |
Description |
|---|---|
Returns the value of the secret stored in AWS Secrets Manager. Returned: success |
Authors
Aaron Smith
Hint
Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.