Try SpotterManage secrets stored in AWS Secrets Manager.
| "added in version" 1.0.0 of community.aws"
Authors: REY Remi (@rrey)
Install with ansible-galaxy collection install community.aws:==3.4.0
collections:
- name: community.aws
version: 3.4.0Create, update, and delete secrets stored in AWS Secrets Manager.
- name: Add string to AWS Secrets Manager
community.aws.aws_secret:
name: 'test_secret_string'
state: present
secret_type: 'string'
secret: "{{ super_secret_string }}"
- name: Add a secret with resource policy attached
community.aws.aws_secret:
name: 'test_secret_string'
state: present
secret_type: 'string'
secret: "{{ super_secret_string }}"
resource_policy: "{{ lookup('template', 'templates/resource_policy.json.j2', convert_data=False) | string }}"
- name: remove string from AWS Secrets Manager
community.aws.aws_secret:
name: 'test_secret_string'
state: absent
secret_type: 'string'
secret: "{{ super_secret_string }}"
name:
description:
- Friendly name for the secret you are creating.
required: true
type: str
tags:
description:
- Specifies a list of user-defined tags that are attached to the secret.
type: dict
state:
choices:
- present
- absent
default: present
description:
- Whether the secret should be exist or not.
type: str
region:
aliases:
- aws_region
- ec2_region
description:
- The AWS region to use. If not specified then the value of the AWS_REGION or EC2_REGION
environment variable, if any, is used. See U(http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region)
type: str
secret:
default: ''
description:
- Specifies string or binary data that you want to encrypt and store in the new version
of the secret.
type: str
ec2_url:
aliases:
- aws_endpoint_url
- endpoint_url
description:
- URL to use to connect to EC2 or your Eucalyptus cloud (by default the module will
use EC2 endpoints). Ignored for modules where region is required. Must be specified
for all other modules if region is not used. If not set then the value of the EC2_URL
environment variable, if any, is used.
type: str
profile:
aliases:
- aws_profile
description:
- Using I(profile) will override I(aws_access_key), I(aws_secret_key) and I(security_token)
and support for passing them at the same time as I(profile) has been deprecated.
- I(aws_access_key), I(aws_secret_key) and I(security_token) will be made mutually
exclusive with I(profile) after 2022-06-01.
type: str
aws_config:
description:
- A dictionary to modify the botocore configuration.
- Parameters can be found at U(https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config).
- Only the 'user_agent' key is used for boto modules. See U(http://boto.cloudhackers.com/en/latest/boto_config_tut.html#boto)
for more boto configuration.
type: dict
kms_key_id:
description:
- Specifies the ARN or alias of the AWS KMS customer master key (CMK) to be used to
encrypt the I(secret) values in the versions stored in this secret.
type: str
description:
description:
- Specifies a user-provided description of the secret.
type: str
secret_type:
choices:
- binary
- string
default: string
description:
- Specifies the type of data that you want to encrypt.
type: str
aws_ca_bundle:
description:
- The location of a CA Bundle to use when validating SSL certificates.
- Not used by boto 2 based modules.
- 'Note: The CA Bundle is read ''module'' side and may need to be explicitly copied
from the controller if not run locally.'
type: path
aws_access_key:
aliases:
- ec2_access_key
- access_key
description:
- C(AWS access key). If not set then the value of the C(AWS_ACCESS_KEY_ID), C(AWS_ACCESS_KEY)
or C(EC2_ACCESS_KEY) environment variable is used.
- If I(profile) is set this parameter is ignored.
- Passing the I(aws_access_key) and I(profile) options at the same time has been deprecated
and the options will be made mutually exclusive after 2022-06-01.
type: str
aws_secret_key:
aliases:
- ec2_secret_key
- secret_key
description:
- C(AWS secret key). If not set then the value of the C(AWS_SECRET_ACCESS_KEY), C(AWS_SECRET_KEY),
or C(EC2_SECRET_KEY) environment variable is used.
- If I(profile) is set this parameter is ignored.
- Passing the I(aws_secret_key) and I(profile) options at the same time has been deprecated
and the options will be made mutually exclusive after 2022-06-01.
type: str
security_token:
aliases:
- aws_security_token
- access_token
description:
- C(AWS STS security token). If not set then the value of the C(AWS_SECURITY_TOKEN)
or C(EC2_SECURITY_TOKEN) environment variable is used.
- If I(profile) is set this parameter is ignored.
- Passing the I(security_token) and I(profile) options at the same time has been deprecated
and the options will be made mutually exclusive after 2022-06-01.
type: str
validate_certs:
default: true
description:
- When set to "no", SSL certificates will not be validated for communication with
the AWS APIs.
type: bool
recovery_window:
default: 30
description:
- Only used if state is absent.
- Specifies the number of days that Secrets Manager waits before it can delete the
secret.
- If set to 0, the deletion is forced without recovery.
type: int
resource_policy:
description:
- Specifies JSON-formatted resource policy to attach to the secret. Useful when granting
cross-account access to secrets.
required: false
type: json
version_added: 3.1.0
version_added_collection: community.aws
rotation_lambda:
description:
- Specifies the ARN of the Lambda function that can rotate the secret.
type: str
rotation_interval:
default: 30
description:
- Specifies the number of days between automatic scheduled rotations of the secret.
type: int
debug_botocore_endpoint_logs:
default: 'no'
description:
- Use a botocore.endpoint logger to parse the unique (rather than total) "resource:action"
API calls made during a task, outputing the set to the resource_actions key in the
task results. Use the aws_resource_action callback to output to total list made
during a playbook. The ANSIBLE_DEBUG_BOTOCORE_LOGS environment variable may also
be used.
type: bool
secret:
contains:
arn:
description: The ARN of the secret
returned: always
sample: arn:aws:secretsmanager:eu-west-1:xxxxxxxxxx:secret:xxxxxxxxxxx
type: str
last_accessed_date:
description: The date the secret was last accessed
returned: always
sample: '2018-11-20T01:00:00+01:00'
type: str
last_changed_date:
description: The date the secret was last modified.
returned: always
sample: '2018-11-20T12:16:38.433000+01:00'
type: str
name:
description: The secret name.
returned: always
sample: my_secret
type: str
rotation_enabled:
description: The secret rotation status.
returned: always
sample: false
type: bool
version_ids_to_stages:
description: Provide the secret version ids and the associated secret stage.
returned: always
sample:
dc1ed59b-6d8e-4450-8b41-536dfe4600a9:
- AWSCURRENT
type: dict
description: The secret information
returned: always
type: complex