google.cloud.gcp_parameter_manager lookup – Get Parameters from Google Cloud as a Lookup plugin

Note

This lookup plugin is part of the google.cloud collection (version 1.7.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install google.cloud.

To use it in a playbook, specify: google.cloud.gcp_parameter_manager.

Synopsis

  • retrieve parameter keys in Parameter Manager for use in playbooks

  • see https://cloud.google.com/iam/docs/service-account-creds for details on creating credentials for Google Cloud and the format of such credentials

  • once a parameter value is retrieved, it is returned decoded. It is up to the developer to maintain secrecy of this value once returned.

  • if the location option is defined, the lookup operates on the regional parameters of that location

Keyword parameters

This describes keyword parameters of the lookup. These are the values key1=value1, key2=value2 and so on in the following examples: lookup('google.cloud.gcp_parameter_manager', key1=value1, key2=value2, ...) and query('google.cloud.gcp_parameter_manager', key1=value1, key2=value2, ...)

Parameter

Comments

access_token

string

support for GCP Access Token

defaults to OS env variable GCP_ACCESS_TOKEN if not present

auth_kind

string

the type of authentication to use with Google Cloud (i.e. serviceaccount or machineaccount)

defaults to OS env variable GCP_AUTH_KIND if not present

key

aliases: name, parameter, parameter_id

string / required

the name of the parameter to look up in Parameter Manager

location

string

If provided, it defines the location of the regional parameter.

on_error

string

how to handle errors

strict means raise an exception

warn means warn, and return none

ignore means just return none

Choices:

  • "strict" ← (default)

  • "warn"

  • "ignore"

project

string

The name of the Google Cloud project

defaults to OS env variable GCP_PROJECT if not present

render_secret

boolean

support for rendering secrets

defaults to false if not present

Choices:

  • false

  • true

scopes

list / elements=string

Authentication scopes for Google Parameter Manager

Default: ["https://www.googleapis.com/auth/cloud-platform"]

service_account_email

string

email associated with the service account

defaults to OS env variable GCP_SERVICE_ACCOUNT_EMAIL if not present

service_account_file

string

JSON Credential file obtained from Google Cloud

defaults to OS env variable GCP_SERVICE_ACCOUNT_FILE if not present

see https://cloud.google.com/iam/docs/service-account-creds for details

service_account_info

dictionary

JSON Object representing the contents of a service_account_file obtained from Google Cloud

defaults to OS env variable GCP_SERVICE_ACCOUNT_INFO if not present

version

string

the version name of your parameter to retrieve

Examples

- name: Test parameter using env variables for credentials
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_parameter_manager', key='parameter_key', version='test_version') }}"

- name: Test parameter using explicit credentials
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_parameter_manager', key='parameter_key', version='test_version', project='project', auth_kind='serviceaccount',
                    service_account_file='file.json') }}"

- name: Test getting specific version of a parameter
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_parameter_manager', key='parameter_key', version='test-version') }}"

- name: Test getting latest version of a parameter
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_parameter_manager', key='parameter_key') }}"

- name: Test render specific version of a parameter
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_parameter_manager', key='parameter_key', version='test-version', render_secret=True) }}"

- name: Test render latest version of a parameter
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_parameter_manager', key='parameter_key', render_secret=True) }}"

- name: Test regional parameter using env variables for credentials
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_parameter_manager', key='parameter_key', location='us-central1', version='test_version') }}"

- name: Test regional parameter using explicit credentials
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_parameter_manager', key='parameter_key', location='us-central1', version='test_version', project='project',
                    auth_kind='serviceaccount', service_account_file='file.json') }}"

- name: Test getting specific version of a regional parameter
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_parameter_manager', key='parameter_key', location='us-central1', version='test_version') }}"

- name: Test getting latest version of a regional parameter
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_parameter_manager', key='parameter_key', location='us-central1') }}"

- name: Test render specific version of a regional parameter
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_parameter_manager', key='parameter_key', location='us-central1', version='test_version', render_secret=True) }}"

- name: Test render latest version of a regional parameter
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_parameter_manager', key='parameter_key', location='us-central1', render_secret=True) }}"

Return Value

Key

Description

Return value

list / elements=string

the contents of the parameter requested (please use “no_log” to not expose this parameter)

Returned: success
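
The "no_log" advice above, as an added example that is not part of the collection's own documentation: the looked-up value is consumed directly by a task that hides its arguments and result, instead of being printed with debug. The parameter names, version, host group, file path and the app user/group are hypothetical placeholders.

```yaml
# Added example (not from the google.cloud collection docs).
# Assumed placeholders: app_db_config, api_settings, v1, app_servers,
# /etc/app/db.conf, and the 'app' user and group.
- name: Consume Parameter Manager values without exposing them
  hosts: app_servers
  gather_facts: false
  tasks:
    - name: Write a rendered regional parameter to a restricted file
      ansible.builtin.copy:
        # on_error='strict' (the default) fails the task instead of writing an empty file
        content: "{{ lookup('google.cloud.gcp_parameter_manager', key='app_db_config', location='us-central1', version='v1', render_secret=True, on_error='strict') }}"
        dest: /etc/app/db.conf
        owner: app
        group: app
        mode: "0600"
      # Hides the module arguments and result, so the value stays out of
      # console output and callback logs, including under -v and --diff.
      no_log: true

    - name: Keep a second value in a fact for later tasks
      ansible.builtin.set_fact:
        api_settings: "{{ lookup('google.cloud.gcp_parameter_manager', key='api_settings') }}"
      no_log: true

    - name: Check the value is non-empty without echoing it
      ansible.builtin.assert:
        that:
          - api_settings | string | length > 0
        quiet: true
        fail_msg: "api_settings parameter is empty"
      no_log: true
```

Every later task that references api_settings needs its own no_log: true, because the setting applies per task and does not follow the variable.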

Authors

  • Google Inc. (@googlecloudplatform)