.. _amazon.aws.aws_secret_lookup:

*********************
amazon.aws.aws_secret
*********************

**Look up secrets stored in AWS Secrets Manager.**

.. contents::
   :local:
   :depth: 1

Synopsis
--------

- Look up secrets stored in AWS Secrets Manager, provided the caller has the appropriate permissions to read the secret.
- Lookup is based on the secret's *Name* value.
- Optional parameters can be passed into this lookup: *version_id* and *version_stage*.

Requirements
------------

The below requirements are needed on the local Ansible controller node that executes this lookup.

- python >= 3.6
- boto3
- botocore >= 1.18.0

Parameters
----------
.. list-table::
   :header-rows: 1
   :widths: 20 20 25 35

   * - Parameter
     - Choices/Defaults
     - Configuration
     - Comments
   * - **_terms** (- / required)
     -
     -
     - Name of the secret to look up in AWS Secrets Manager.
   * - **aws_access_key** (string)
     -
     - env:EC2_ACCESS_KEY, env:AWS_ACCESS_KEY, env:AWS_ACCESS_KEY_ID
     - The AWS access key to use.

       aliases: aws_access_key_id
   * - **aws_profile** (string)
     -
     - env:AWS_DEFAULT_PROFILE, env:AWS_PROFILE
     - The AWS profile.

       aliases: boto_profile
   * - **aws_secret_key** (string)
     -
     - env:EC2_SECRET_KEY, env:AWS_SECRET_KEY, env:AWS_SECRET_ACCESS_KEY
     - The AWS secret key that corresponds to the access key.

       aliases: aws_secret_access_key
   * - **aws_security_token** (string)
     -
     - env:EC2_SECURITY_TOKEN, env:AWS_SESSION_TOKEN, env:AWS_SECURITY_TOKEN
     - The AWS security token if using temporary access and secret keys.
   * - **bypath** (boolean), added in 1.4.0
     - Default: ``no``
     -
     - A boolean to indicate whether the parameter is provided as a hierarchy.
   * - **join** (boolean)
     - Default: ``no``
     -
     - Join two or more entries to form an extended secret.

       This is useful for overcoming the 4096 character limit imposed by AWS.

       No effect when used with bypath.
   * - **nested** (boolean), added in 1.4.0
     - Default: ``no``
     -
     - A boolean to indicate the secret contains nested values.
   * - **on_deleted** (string), added in 2.0.0
     - Choices: ``error`` (default), ``skip``, ``warn``
     -
     - Action to take if the secret has been marked for deletion.

       ``error`` will raise a fatal error when the secret has been marked for deletion.

       ``skip`` will silently ignore the deleted secret.

       ``warn`` will skip over the deleted secret but issue a warning.
   * - **on_denied** (string)
     - Choices: ``error`` (default), ``skip``, ``warn``
     -
     - Action to take if access to the secret is denied.

       ``error`` will raise a fatal error when access to the secret is denied.

       ``skip`` will silently ignore the denied secret.

       ``warn`` will skip over the denied secret but issue a warning.
   * - **on_missing** (string)
     - Choices: ``error`` (default), ``skip``, ``warn``
     -
     - Action to take if the secret is missing.

       ``error`` will raise a fatal error when the secret is missing.

       ``skip`` will silently ignore the missing secret.

       ``warn`` will skip over the missing secret but issue a warning.
   * - **region** (string)
     -
     - env:EC2_REGION, env:AWS_REGION
     - The region for which to create the connection.
   * - **version_id** (-)
     -
     -
     - Version of the secret(s).
   * - **version_stage** (-)
     -
     -
     - Stage of the secret version.
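The ``nested``, ``join``, ``bypath`` and ``on_missing``/``on_denied``/``on_deleted`` parameters above interact in ways that are easier to see in code than in a table. The following is an added, offline model of that documented behaviour; it is not the plugin's own code, never calls boto3, and replaces Secrets Manager with a constructed in-memory ``FAKE_STORE``. The function name ``aws_secret_lookup`` and the helper names are assumptions; treating an absent nested key as a "missing" secret is a modelling choice, not a statement about the plugin.

```python
"""Offline model of the amazon.aws.aws_secret lookup's documented behaviour.

Added example, not the plugin's code: no boto3, a constructed stand-in store,
so the nested / join / bypath / on_* parameters can be exercised by hand.
"""
import json
import warnings
from typing import List

# Constructed stand-in for Secrets Manager: secret name -> (state, SecretString).
# The states model the three conditions the on_* parameters decide about.
FAKE_STORE = {
    "DbSecret": ("ok", "dbadmin-password"),
    "secrets": ("ok", json.dumps(
        {"environments": {"production": {"password": "p@ss-prod"}}})),
    "bigsecret-part1": ("ok", "AAAA"),          # two chunks of one long secret
    "bigsecret-part2": ("ok", "BBBB"),
    "/path/to/secrets/db": ("ok", "db-value"),  # a hierarchy for bypath=true
    "/path/to/secrets/api": ("ok", "api-value"),
    "secret-denied": ("denied", None),
    "secret-deleted": ("deleted", None),
}


class SecretLookupError(Exception):
    """Raised when an on_* policy is 'error' (the real plugin raises AnsibleError)."""


def _apply_policy(policy: str, message: str) -> None:
    """error -> fatal; warn -> warning, then skip; skip -> silent skip."""
    if policy == "error":
        raise SecretLookupError(message)
    if policy == "warn":
        warnings.warn(message)
    elif policy != "skip":
        raise ValueError(f"unknown policy {policy!r}; use error, skip or warn")


def _fetch(name: str, on_missing: str, on_denied: str, on_deleted: str):
    """Return the SecretString for name, or None when the policy says skip."""
    entry = FAKE_STORE.get(name)
    if entry is None:
        _apply_policy(on_missing, f"Failed to find secret {name} (ResourceNotFound)")
        return None
    state, value = entry
    if state == "denied":
        _apply_policy(on_denied, f"Failed to access secret {name} (AccessDenied)")
        return None
    if state == "deleted":
        _apply_policy(on_deleted, f"Secret {name} is marked for deletion")
        return None
    return value


def _walk(name: str, secret_string: str, keys: List[str]):
    """Descend into a JSON secret along keys (the nested=true query syntax)."""
    try:
        node = json.loads(secret_string)
    except ValueError:
        raise SecretLookupError(f"Secret {name} is not JSON; nested=true needs a JSON object")
    for key in keys:
        if not isinstance(node, dict) or key not in node:
            return None  # key path absent; caller treats it like a missing secret
        node = node[key]
    return node


def aws_secret_lookup(terms: List[str], nested: bool = False, join: bool = False,
                      bypath: bool = False, on_missing: str = "error",
                      on_denied: str = "error", on_deleted: str = "error") -> list:
    """Model of lookup('amazon.aws.aws_secret', *terms, **options)."""
    results: list = []
    for term in terms:
        if bypath:
            # Hierarchy: every secret whose name starts with the path, as name -> value.
            found = {n: v for n, (s, v) in FAKE_STORE.items()
                     if s == "ok" and n.startswith(term)}
            if not found:
                _apply_policy(on_missing, f"No secrets found under path {term}")
                continue
            results.append(found)
            continue
        # nested=true: the first dotted component is the secret name, the rest a key path.
        name, *keys = term.split(".") if nested else [term]
        value = _fetch(name, on_missing, on_denied, on_deleted)
        if value is None:
            continue
        if keys:
            value = _walk(name, value, keys)
            if value is None:  # modelling choice: an absent key follows on_missing
                _apply_policy(on_missing, f"Secret {name} has no key {'.'.join(keys)}")
                continue
        results.append(value)
    if join and not bypath:
        # join concatenates every retrieved entry into one extended secret
        # (the table notes it has no effect together with bypath).
        return ["".join(str(r) for r in results)]
    return results


if __name__ == "__main__":
    print(aws_secret_lookup(["secrets.environments.production.password"], nested=True))
    print(aws_secret_lookup(["bigsecret-part1", "bigsecret-part2"], join=True))
    print(aws_secret_lookup(["secret-not-exist", "DbSecret"], on_missing="warn"))
```

Running the module prints the nested password, the joined ``AAAABBBB`` value, and a warning followed by ``['dbadmin-password']`` for the ``on_missing='warn'`` case. The point worth keeping from the model is that ``skip`` and ``warn`` both drop the entry from the result list, so a task that interpolates the lookup into a single value (such as the ``password:`` field in the RDS example) should use the default ``error`` policy rather than silently receiving an empty value.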

Examples
--------

.. code-block:: yaml

    - name: lookup secretsmanager secret in the current region
      debug: msg="{{ lookup('amazon.aws.aws_secret', '/path/to/secrets', bypath=true) }}"

    - name: Create RDS instance with aws_secret lookup for password param
      rds:
        command: create
        instance_name: app-db
        db_engine: MySQL
        size: 10
        instance_type: db.m1.small
        username: dbadmin
        password: "{{ lookup('amazon.aws.aws_secret', 'DbSecret') }}"
        tags:
          Environment: staging

    - name: skip if secret does not exist
      debug: msg="{{ lookup('amazon.aws.aws_secret', 'secret-not-exist', on_missing='skip')}}"

    - name: warn if access to the secret is denied
      debug: msg="{{ lookup('amazon.aws.aws_secret', 'secret-denied', on_denied='warn')}}"

    - name: lookup secretsmanager secret in the current region using the nested feature
      debug: msg="{{ lookup('amazon.aws.aws_secret', 'secrets.environments.production.password', nested=true) }}"
      # The secret can be queried using the following syntax: `aws_secret_object_name.key1.key2.key3`.
      # If an object is of the form `{"key1":{"key2":{"key3":1}}}` the query would return the value `1`.

    - name: lookup secretsmanager secret in a specific region using specified region and aws profile using nested feature
      debug: >
        msg="{{ lookup('amazon.aws.aws_secret', 'secrets.environments.production.password', region=region, aws_profile=aws_profile, aws_access_key=aws_access_key, aws_secret_key=aws_secret_key, nested=true) }}"
      # The secret can be queried using the following syntax: `aws_secret_object_name.key1.key2.key3`.
      # If an object is of the form `{"key1":{"key2":{"key3":1}}}` the query would return the value `1`.
      # Region is the AWS region where the AWS secret is stored.
      # AWS_profile is the aws profile to use, that has access to the AWS secret.

Return Values
-------------

Common return values are documented here; the following are the fields unique to this lookup:
.. list-table::
   :header-rows: 1
   :widths: 20 15 65

   * - Key
     - Returned
     - Description
   * - **_raw** (-)
     -
     - Returns the value of the secret stored in AWS Secrets Manager.

Status
------

Authors
~~~~~~~

- Aaron Smith

.. hint::
    Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.