google.cloud.gcp_secret_manager lookup – Get Secrets from Google Cloud as a Lookup plugin

Note

This lookup plugin is part of the google.cloud collection (version 1.4.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install google.cloud.

To use it in a playbook, specify: google.cloud.gcp_secret_manager.

Synopsis

  • retrieve secret keys in Secret Manager for use in playbooks

  • see https://cloud.google.com/iam/docs/service-account-creds for details on creating credentials for Google Cloud and the format of such credentials

  • once a secret value is retrieved, it is returned decoded (plaintext). It is up to the developer to maintain secrecy of this value once returned.

Keyword parameters

This describes keyword parameters of the lookup. These are the values key1=value1, key2=value2 and so on in the following examples: lookup('google.cloud.gcp_secret_manager', key1=value1, key2=value2, ...) and query('google.cloud.gcp_secret_manager', key1=value1, key2=value2, ...)

access_token (string)
    Support for a GCP access token.
    Defaults to the OS environment variable GCP_ACCESS_TOKEN if not present.

auth_kind (string)
    The type of authentication to use with Google Cloud (i.e. serviceaccount or machineaccount).
    Defaults to the OS environment variable GCP_AUTH_KIND if not present.

key (string / required)
    Aliases: name, secret, secret_id
    The name of the secret to look up in Secret Manager.

on_error (string)
    How to handle errors:
      strict means raise an exception;
      warn means emit a warning and return none;
      ignore means just return none.
    Choices:
      • "strict" ← (default)
      • "warn"
      • "ignore"

project (string)
    The name of the Google Cloud project.
    Defaults to the OS environment variable GCP_PROJECT if not present.

scopes (list / elements=string)
    Authentication scopes for Google Secret Manager.
    Default: ["https://www.googleapis.com/auth/cloud-platform"]

service_account_email (string)
    Email associated with the service account.
    Defaults to the OS environment variable GCP_SERVICE_ACCOUNT_EMAIL if not present.

service_account_file (string)
    JSON credential file obtained from Google Cloud.
    Defaults to the OS environment variable GCP_SERVICE_ACCOUNT_FILE if not present.
    See https://cloud.google.com/iam/docs/service-account-creds for details.

service_account_info (jsonarg)
    JSON object representing the contents of a service_account_file obtained from Google Cloud.
    Defaults to the OS environment variable GCP_SERVICE_ACCOUNT_INFO if not present.

version (string)
    The version name of your secret to retrieve.
    Default: "latest"

Examples

- name: Test secret using env variables for credentials
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key') }}"

- name: Test secret using explicit credentials
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', project='project', auth_kind='serviceaccount', service_account_file='file.json') }}"

- name: Test getting specific version of a secret (old version)
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', version='1') }}"

- name: Test getting specific version of a secret (new version)
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', version='2') }}"

Return Value

Return value (list / elements=string)
    The contents of the secret requested (please use "no_log" to not expose this secret).
    Returned: success
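As an added example that is not part of the collection's documentation, the playbook below combines the points above: it pins a secret version instead of "latest", fetches it under no_log so the plaintext never reaches task output, uses the default on_error=strict together with block/rescue to report which secret failed without printing its value, and keeps no_log on the task that consumes it. The project ID, secret ID, version number and the consuming command are placeholders.

```yaml
# Added example; not part of the collection's own documentation.
# Placeholders: the project ID, secret ID, version and the consuming command.
- name: Consume a Secret Manager secret without exposing it
  hosts: localhost
  gather_facts: false
  vars:
    gcp_project: my-project        # placeholder project ID
    db_secret_id: db-password      # placeholder secret ID
  tasks:
    - name: Fetch a pinned secret version, keeping the plaintext out of logs
      block:
        - name: Read version 3 rather than 'latest' so runs are reproducible
          ansible.builtin.set_fact:
            db_password: "{{ lookup('google.cloud.gcp_secret_manager',
                                    key=db_secret_id,
                                    project=gcp_project,
                                    version='3') }}"
          no_log: true   # the decoded secret would otherwise appear in task output
      rescue:
        # With the default on_error=strict the lookup raises; report which
        # secret failed (never its value) and stop the play.
        - name: Report the failure without leaking anything
          ansible.builtin.fail:
            msg: "Could not read secret {{ db_secret_id }} (project {{ gcp_project }})"

    - name: Use the secret; every task that references it also needs no_log
      ansible.builtin.command:
        cmd: /usr/local/bin/configure-db --password-from-env   # placeholder command
      environment:
        DB_PASSWORD: "{{ db_password }}"
      no_log: true
      changed_when: true
```

Because set_fact stores the value as a host fact for the rest of the play, any later task that templates db_password into its arguments must also carry no_log, or verbose output and log files will contain the secret.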

Authors

  • Dave Costakos

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.