amazon.aws.aws_secret – Look up secrets stored in AWS Secrets Manager.



Note

This plugin is part of the amazon.aws collection (version 1.3.0).

To install it use: ansible-galaxy collection install amazon.aws.

To use it in a playbook, specify: amazon.aws.aws_secret.


Synopsis

  • Look up secrets stored in AWS Secrets Manager provided the caller has the appropriate permissions to read the secret.
  • Lookup is based on the secret’s Name value.
  • The optional parameters version_id and version_stage can be passed to this lookup to select a specific version of the secret.

Requirements

The below requirements are needed on the local controller node that executes this lookup.

  • boto3
  • botocore>=1.10.0

Parameters

_terms
  Type: string / required
  Comments: Name of the secret to look up in AWS Secrets Manager.

aws_access_key
  Type: string
  Configuration: env:EC2_ACCESS_KEY, env:AWS_ACCESS_KEY, env:AWS_ACCESS_KEY_ID
  Comments: The AWS access key to use.
  Aliases: aws_access_key_id

aws_profile
  Type: string
  Configuration: env:AWS_DEFAULT_PROFILE, env:AWS_PROFILE
  Comments: The AWS profile.
  Aliases: boto_profile

aws_secret_key
  Type: string
  Configuration: env:EC2_SECRET_KEY, env:AWS_SECRET_KEY, env:AWS_SECRET_ACCESS_KEY
  Comments: The AWS secret key that corresponds to the access key.
  Aliases: aws_secret_access_key

aws_security_token
  Type: string
  Configuration: env:EC2_SECURITY_TOKEN, env:AWS_SESSION_TOKEN, env:AWS_SECURITY_TOKEN
  Comments: The AWS security token if using temporary access and secret keys.

join
  Type: boolean
  Choices: no, yes
  Comments: Join two or more entries to form an extended secret. This is useful for overcoming the 4096 character limit imposed by AWS.

on_denied
  Type: string
  Choices: error, skip, warn
  Comments: Action to take if access to the secret is denied.
    error will raise a fatal error when access to the secret is denied.
    skip will silently ignore the denied secret.
    warn will skip over the denied secret but issue a warning.

on_missing
  Type: string
  Choices: error, skip, warn
  Comments: Action to take if the secret is missing.
    error will raise a fatal error when the secret is missing.
    skip will silently ignore the missing secret.
    warn will skip over the missing secret but issue a warning.

region
  Type: string
  Configuration: env:EC2_REGION, env:AWS_REGION
  Comments: The region for which to create the connection.

version_id
  Type: string
  Comments: Version of the secret(s).

version_stage
  Type: string
  Comments: Stage of the secret version.
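The following playbook is an added example and is not part of the collection's documentation. It shows how the join, version_stage and on_missing parameters combine in practice: two secret entries are concatenated into one value, the AWSPREVIOUS staging label selects the prior version during a rotation rollback, and a missing optional secret falls back to a default instead of aborting the play. The secret names and the region are assumptions chosen for illustration.

```yaml
- name: Combine, version and tolerate secrets with the aws_secret lookup (added example)
  hosts: localhost
  gather_facts: false
  tasks:
    # join=True concatenates the two entries in the order given, which is
    # how a value larger than the 4096 character limit is stored and
    # reassembled. The secret names are assumed.
    - name: Reassemble a TLS bundle stored as two secrets
      ansible.builtin.set_fact:
        tls_bundle: "{{ lookup('amazon.aws.aws_secret', 'app/tls/bundle-part1', 'app/tls/bundle-part2', join=True, region='eu-west-1') }}"
      no_log: true

    # version_stage selects a staging label; AWSPREVIOUS is the label
    # Secrets Manager moves to the prior version on rotation.
    - name: Read the previous version of an API key during a rollback
      ansible.builtin.set_fact:
        previous_api_key: "{{ lookup('amazon.aws.aws_secret', 'app/api-key', version_stage='AWSPREVIOUS') }}"
      no_log: true

    # on_missing='skip' yields an empty result for a non-existent secret;
    # default() with the second argument set to true treats that empty
    # string as unset and substitutes a safe default.
    - name: "Optional secret: fall back to a default instead of failing"
      ansible.builtin.set_fact:
        feature_flag: "{{ lookup('amazon.aws.aws_secret', 'app/optional-flag', on_missing='skip') | default('disabled', true) }}"
```

Each task that stores a secret value carries no_log: true so the value is not echoed into the play output or log files; the lookup itself does not suppress logging of the task that uses it.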



Examples

- name: Create RDS instance with aws_secret lookup for password param
  rds:
    command: create
    instance_name: app-db
    db_engine: MySQL
    size: 10
    instance_type: db.m1.small
    username: dbadmin
    password: "{{ lookup('aws_secret', 'DbSecret') }}"
    tags:
      Environment: staging

- name: skip if secret does not exist
  debug: msg="{{ lookup('aws_secret', 'secret-not-exist', on_missing='skip')}}"

- name: warn if access to the secret is denied
  debug: msg="{{ lookup('aws_secret', 'secret-denied', on_denied='warn')}}"
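Secrets Manager entries are commonly stored as JSON documents holding several fields. The playbook below is an added example, not part of the page or the amazon.aws collection, showing how to fetch such a secret with the fully qualified lookup name, parse it with the from_json filter, verify the expected keys exist before use, and keep the value out of the run log with no_log. The secret name app/db/credentials, its JSON layout and the region are assumptions.

```yaml
- name: Read a JSON-formatted database secret without echoing it to logs (added example)
  hosts: localhost
  gather_facts: false
  vars:
    # Assumed secret name; its SecretString is assumed to hold a JSON
    # document such as {"username": "dbadmin", "password": "..."}
    db_secret_name: app/db/credentials
  tasks:
    - name: Fetch the current version of the secret and parse the JSON body
      ansible.builtin.set_fact:
        db_creds: "{{ lookup('amazon.aws.aws_secret', db_secret_name, region='us-east-1') | from_json }}"
      no_log: true

    # Fail early, and quietly, if the secret does not have the shape the
    # rest of the play relies on. quiet: true keeps the assert output from
    # restating the conditions alongside the secret data.
    - name: Verify the secret contains the expected keys
      ansible.builtin.assert:
        that:
          - "'username' in db_creds"
          - "'password' in db_creds"
        quiet: true
      no_log: true

    # Report only non-sensitive metadata about what was loaded.
    - name: Confirm the credentials were loaded
      ansible.builtin.debug:
        msg: "Loaded credentials for {{ db_creds.username }} ({{ db_creds.password | length }} character password)"
```

Because the lookup runs on the controller, the controller's AWS credentials (from the aws_* parameters or the listed environment variables) need only secretsmanager:GetSecretValue on the specific secret; scoping the IAM policy to that ARN limits what a compromised controller can read.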

Return Values

Common return values are documented in the Ansible return value reference; the following are the fields unique to this lookup:

_raw
  Type: string
  Returned: success
  Description: Returns the value of the secret stored in AWS Secrets Manager.





Authors

© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/amazon/aws/aws_secret_lookup.html