amazon.aws.aws_secret – Look up secrets stored in AWS Secrets Manager.

Note

This plugin is part of the amazon.aws collection.

To install it use: ansible-galaxy collection install amazon.aws.

To use it in a playbook, specify: amazon.aws.aws_secret.

Synopsis

  • Look up secrets stored in AWS Secrets Manager, provided the caller has the appropriate permissions to read the secret: the plugin calls GetSecretValue, so the credentials used on the controller need the secretsmanager:GetSecretValue permission on that secret.

  • Lookup is based on the secret’s Name value.

  • Optional parameters can be passed into this lookup: version_id, version_stage and join (see Parameters below).

Requirements

The below requirements are needed on the local controller node that executes this lookup.

  • boto3

  • botocore>=1.10.0

Parameters

_terms
    string / required
    Name of the secret to look up in AWS Secrets Manager. More than one name may be given; each one is looked up in turn.

aws_access_key
    string
    Configuration: env:EC2_ACCESS_KEY, env:AWS_ACCESS_KEY, env:AWS_ACCESS_KEY_ID
    The AWS access key to use.
    aliases: aws_access_key_id

aws_profile
    string
    Configuration: env:AWS_DEFAULT_PROFILE, env:AWS_PROFILE
    The AWS profile (named profile from the shared credentials/config files) to use.
    aliases: boto_profile

aws_secret_key
    string
    Configuration: env:EC2_SECRET_KEY, env:AWS_SECRET_KEY, env:AWS_SECRET_ACCESS_KEY
    The AWS secret key that corresponds to the access key.
    aliases: aws_secret_access_key

aws_security_token
    string
    Configuration: env:EC2_SECURITY_TOKEN, env:AWS_SESSION_TOKEN, env:AWS_SECURITY_TOKEN
    The AWS session (security) token; required when the access and secret keys are temporary credentials, for example from STS or an assumed role.

join
    boolean
    Choices: no (default), yes
    Join the values of two or more secrets (given as separate terms) into a single extended secret. This is useful for overcoming the 4096 character limit imposed by AWS on a single secret value.

region
    string
    Configuration: env:EC2_REGION, env:AWS_REGION
    The AWS region in which to create the Secrets Manager connection.

version_id
    string
    The unique identifier of the version of the secret(s) to retrieve. When neither version_id nor version_stage is given, the current version is returned.

version_stage
    string
    The staging label of the secret version to retrieve (for example AWSCURRENT or AWSPREVIOUS).

Examples

- name: Create RDS instance with aws_secret lookup for password param
  rds:
    command: create
    instance_name: app-db
    db_engine: MySQL
    size: 10
    instance_type: db.m1.small
    username: dbadmin
    # Use the collection's fully qualified name; the lookup runs on the controller
    password: "{{ lookup('amazon.aws.aws_secret', 'DbSecret') }}"
    tags:
      Environment: staging
  # Keep the looked-up password out of verbose output and the recorded task result
  no_log: true
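The following playbook is added here as an illustration and is not taken from the collection's own documentation. It exercises the optional parameters described above: it pins the region, selects a version by staging label, parses a JSON-formatted secret with the core from_json filter, and reassembles a secret stored across two entries with join=true. The secret names app/db, app/tls/cert-1 and app/tls/cert-2, the region eu-west-1, the destination path and the JSON layout {"username": ..., "password": ...} are assumptions for the example. Because the lookup result is templated into task arguments, every task that receives the secret value carries no_log: true; without it the value can show up in verbose output and in the stored task result.

```yaml
# Added example (not from the amazon.aws collection documentation).
# Assumed: a JSON secret "app/db" ({"username": "...", "password": "..."}) and
# a certificate split across two secrets "app/tls/cert-1" and "app/tls/cert-2".
- name: Read application secrets from AWS Secrets Manager
  hosts: localhost
  gather_facts: false
  vars:
    # The lookup runs on the controller, so the controller's AWS credentials
    # (AWS_PROFILE, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, ...) are used.
    # The secret value is a JSON string; from_json turns it into a dict.
    db_secret: "{{ lookup('amazon.aws.aws_secret', 'app/db',
                          region='eu-west-1',
                          version_stage='AWSCURRENT') | from_json }}"
  tasks:
    - name: Report the username only; the password must never be printed
      ansible.builtin.debug:
        msg: "Database user is {{ db_secret.username }}"

    - name: Fetch the pre-rotation password explicitly by staging label
      ansible.builtin.set_fact:
        previous_db_password: "{{ (lookup('amazon.aws.aws_secret', 'app/db',
                                         region='eu-west-1',
                                         version_stage='AWSPREVIOUS') | from_json).password }}"
      no_log: true

    - name: Reassemble a certificate stored as two chunks (join=true concatenates the values in term order)
      ansible.builtin.copy:
        content: "{{ lookup('amazon.aws.aws_secret', 'app/tls/cert-1', 'app/tls/cert-2',
                            region='eu-west-1', join=true) }}"
        dest: /etc/app/tls/cert.pem
        owner: root
        group: root
        mode: "0600"
      no_log: true
```

Two caveats when running something like this: the AWSPREVIOUS label only exists once the secret has been rotated at least once, so that task fails on a never-rotated secret; and with join=true the order of the terms is the order of concatenation, so the chunk names must be listed in the order the original value was split.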

Return Values

Common return values are documented in the Ansible return values reference; the following field is unique to this lookup:

_raw
    string
    Returned: success
    The value of the secret stored in AWS Secrets Manager: one value per term, or a single concatenated value when join is yes.



Authors