Note
This plugin is part of the amazon.aws collection (version 1.5.1).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run `ansible-galaxy collection list`.
To install it, use: `ansible-galaxy collection install amazon.aws`.
To use it in a playbook, specify: `amazon.aws.aws_secret`.
The below requirements are needed on the local controller node that executes this lookup.
Parameter | Choices/Defaults | Configuration | Comments |
---|---|---|---|
_terms string / required | | | Name of the secret to look up in AWS Secrets Manager. |
aws_access_key string | | env:EC2_ACCESS_KEY env:AWS_ACCESS_KEY env:AWS_ACCESS_KEY_ID | The AWS access key to use. aliases: aws_access_key_id |
aws_profile string | | env:AWS_DEFAULT_PROFILE env:AWS_PROFILE | The AWS profile. aliases: boto_profile |
aws_secret_key string | | env:EC2_SECRET_KEY env:AWS_SECRET_KEY env:AWS_SECRET_ACCESS_KEY | The AWS secret key that corresponds to the access key. aliases: aws_secret_access_key |
aws_security_token string | | env:EC2_SECURITY_TOKEN env:AWS_SESSION_TOKEN env:AWS_SECURITY_TOKEN | The AWS security token if using temporary access and secret keys. |
bypath boolean (added in 1.4.0 of amazon.aws) | Choices: no, yes | | A boolean to indicate whether the parameter is provided as a hierarchy. |
join boolean | Choices: no, yes | | Join two or more entries to form an extended secret. This is useful for overcoming the 4096 character limit imposed by AWS. No effect when used with bypath. |
nested boolean (added in 1.4.0 of amazon.aws) | Choices: no, yes | | A boolean to indicate the secret contains nested values. |
on_denied string | Choices: error, skip, warn | | Action to take if access to the secret is denied. `error` raises a fatal error when access to the secret is denied; `skip` silently ignores the denied secret; `warn` skips over the denied secret but issues a warning. |
on_missing string | Choices: error, skip, warn | | Action to take if the secret is missing. `error` raises a fatal error when the secret is missing; `skip` silently ignores the missing secret; `warn` skips over the missing secret but issues a warning. |
region string | | env:EC2_REGION env:AWS_REGION | The region for which to create the connection. |
version_id string | | | Version of the secret(s). |
version_stage string | | | Stage of the secret version. |
```yaml
- name: lookup secretsmanager secret in the current region
  debug: msg="{{ lookup('amazon.aws.aws_secret', '/path/to/secrets', bypath=true) }}"

- name: Create RDS instance with aws_secret lookup for password param
  rds:
    command: create
    instance_name: app-db
    db_engine: MySQL
    size: 10
    instance_type: db.m1.small
    username: dbadmin
    password: "{{ lookup('amazon.aws.aws_secret', 'DbSecret') }}"
    tags:
      Environment: staging

- name: skip if secret does not exist
  debug: msg="{{ lookup('amazon.aws.aws_secret', 'secret-not-exist', on_missing='skip') }}"

- name: warn if access to the secret is denied
  debug: msg="{{ lookup('amazon.aws.aws_secret', 'secret-denied', on_denied='warn') }}"

- name: lookup secretsmanager secret in the current region using the nested feature
  debug: msg="{{ lookup('amazon.aws.aws_secret', 'secrets.environments.production.password', nested=true) }}"
  # The secret can be queried using the following syntax: `aws_secret_object_name.key1.key2.key3`.
  # If an object is of the form `{"key1":{"key2":{"key3":1}}}` the query would return the value `1`.
```
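As an added example (not the plugin's own code), the following Python models the resolution rules documented above against a constructed in-memory store: the `nested` dotted syntax, `join` concatenation, and the `on_missing`/`on_denied` policies. `FAKE_STORE`, `DENIED`, `lookup` and `_apply_policy` are assumed names, and join is modelled as plain string concatenation.

```python
import json

# Constructed stand-in for AWS Secrets Manager (not a real API): secret name ->
# secret string; DENIED models an access-denied response, absence a missing secret.
DENIED = object()
FAKE_STORE = {
    "DbSecret": "s3cr3t-password",
    "secrets": json.dumps({"environments": {"production": {"password": "p@ss", "port": 1}}}),
    "big-part1": "AAAA", "big-part2": "BBBB",  # one long value split over two secrets
    "secret-denied": DENIED,
}

class SecretLookupError(Exception):
    """Stands in for the fatal error the lookup raises under the 'error' policy."""

def _apply_policy(policy, message, warnings):
    """error -> fatal; warn -> record a warning and skip; skip -> drop silently."""
    if policy == "error":
        raise SecretLookupError(message)
    if policy == "warn":
        warnings.append(message)

def lookup(terms, nested=False, join=False, on_missing="error", on_denied="error", warnings=None):
    """Resolve terms as the page describes: nested walks name.key1.key2 inside a
    JSON secret, join concatenates all parts, on_missing/on_denied pick the policy."""
    warnings = [] if warnings is None else warnings
    results = []
    for term in terms:
        name, *keys = term.split(".") if nested else [term]
        if nested and not keys:
            raise SecretLookupError("nested query must look like aws_secret_object_name.key1.key2")
        value = FAKE_STORE.get(name)
        if value is DENIED:
            _apply_policy(on_denied, f"access to secret {name!r} denied", warnings)
            continue
        if value is None:
            _apply_policy(on_missing, f"secret {name!r} not found", warnings)
            continue
        node = json.loads(value) if keys else value
        for key in keys:  # walk the JSON object one key at a time
            if not isinstance(node, dict) or key not in node:
                _apply_policy(on_missing, f"key {key!r} not found in secret {name!r}", warnings)
                node = None
                break
            node = node[key]
        if node is not None:
            results.append(node)
    # join: concatenate every part found into a single string (assumed plain concatenation)
    return ["".join(str(r) for r in results)] if join else results
```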
Common return values are documented here; the following are the fields unique to this lookup:
Key | Returned | Description |
---|---|---|
_raw string | success | Returns the value of the secret stored in AWS Secrets Manager. |
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_secret_lookup.html