Try SpotterManage secrets stored in AWS Secrets Manager
| "added in version" 1.0.0 of community.aws"
Authors: REY Remi (@rrey)
Install with ansible-galaxy collection install community.aws:==5.1.0
collections:
- name: community.aws
version: 5.1.0Create, update, and delete secrets stored in AWS Secrets Manager.
Prior to release 5.0.0 this module was called C(community.aws.aws_secret). The usage did not change.
- name: Add string to AWS Secrets Manager
community.aws.secretsmanager_secret:
name: 'test_secret_string'
state: present
secret_type: 'string'
secret: "{{ super_secret_string }}"
- name: Add a secret with resource policy attached
community.aws.secretsmanager_secret:
name: 'test_secret_string'
state: present
secret_type: 'string'
secret: "{{ super_secret_string }}"
resource_policy: "{{ lookup('template', 'templates/resource_policy.json.j2', convert_data=False) | string }}"
- name: remove string from AWS Secrets Manager
community.aws.secretsmanager_secret:
name: 'test_secret_string'
state: absent
secret_type: 'string'
secret: "{{ super_secret_string }}"
name:
description:
- Friendly name for the secret you are creating.
required: true
type: str
tags:
aliases:
- resource_tags
description:
- A dictionary representing the tags to be applied to the resource.
- If the I(tags) parameter is not set then tags will not be modified.
required: false
type: dict
state:
choices:
- present
- absent
default: present
description:
- Whether the secret should be exist or not.
type: str
region:
aliases:
- aws_region
- ec2_region
description:
- The AWS region to use.
- For global services such as IAM, Route53 and CloudFront, I(region) is ignored.
- The C(AWS_REGION) or C(EC2_REGION) environment variables may also be used.
- See the Amazon AWS documentation for more information U(http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region).
- The C(ec2_region) alias has been deprecated and will be removed in a release after
2024-12-01
- Support for the C(EC2_REGION) environment variable has been deprecated and will
be removed in a release after 2024-12-01.
type: str
secret:
default: ''
description:
- Specifies string or binary data that you want to encrypt and store in the new version
of the secret.
- Mutually exclusive with the I(json_secret) option.
type: str
profile:
aliases:
- aws_profile
description:
- A named AWS profile to use for authentication.
- See the AWS documentation for more information about named profiles U(https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html).
- The C(AWS_PROFILE) environment variable may also be used.
- The I(profile) option is mutually exclusive with the I(aws_access_key), I(aws_secret_key)
and I(security_token) options.
type: str
access_key:
aliases:
- aws_access_key_id
- aws_access_key
- ec2_access_key
description:
- AWS access key ID.
- See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
- The C(AWS_ACCESS_KEY_ID), C(AWS_ACCESS_KEY) or C(EC2_ACCESS_KEY) environment variables
may also be used in decreasing order of preference.
- The I(aws_access_key) and I(profile) options are mutually exclusive.
- The I(aws_access_key_id) alias was added in release 5.1.0 for consistency with the
AWS botocore SDK.
- The I(ec2_access_key) alias has been deprecated and will be removed in a release
after 2024-12-01.
- Support for the C(EC2_ACCESS_KEY) environment variable has been deprecated and will
be removed in a release after 2024-12-01.
type: str
aws_config:
description:
- A dictionary to modify the botocore configuration.
- Parameters can be found in the AWS documentation U(https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config).
type: dict
kms_key_id:
description:
- Specifies the ARN or alias of the AWS KMS customer master key (CMK) to be used to
encrypt the I(secret) values in the versions stored in this secret.
type: str
purge_tags:
default: true
description:
- If I(purge_tags=true) and I(tags) is set, existing tags will be purged from the
resource to match exactly what is defined by I(tags) parameter.
- If the I(tags) parameter is not set then tags will not be modified, even if I(purge_tags=True).
- Tag keys beginning with C(aws:) are reserved by Amazon and can not be modified. As
such they will be ignored for the purposes of the I(purge_tags) parameter. See
the Amazon documentation for more information U(https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-conventions).
required: false
type: bool
secret_key:
aliases:
- aws_secret_access_key
- aws_secret_key
- ec2_secret_key
description:
- AWS secret access key.
- See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
- The C(AWS_SECRET_ACCESS_KEY), C(AWS_SECRET_KEY), or C(EC2_SECRET_KEY) environment
variables may also be used in decreasing order of preference.
- The I(secret_key) and I(profile) options are mutually exclusive.
- The I(aws_secret_access_key) alias was added in release 5.1.0 for consistency with
the AWS botocore SDK.
- The I(ec2_secret_key) alias has been deprecated and will be removed in a release
after 2024-12-01.
- Support for the C(EC2_SECRET_KEY) environment variable has been deprecated and will
be removed in a release after 2024-12-01.
type: str
description:
default: ''
description:
- Specifies a user-provided description of the secret.
type: str
json_secret:
description:
- Specifies JSON-formatted data that you want to encrypt and store in the new version
of the secret.
- Mutually exclusive with the I(secret) option.
type: json
version_added: 4.1.0
version_added_collection: community.aws
secret_type:
choices:
- binary
- string
default: string
description:
- Specifies the type of data that you want to encrypt.
type: str
endpoint_url:
aliases:
- ec2_url
- aws_endpoint_url
- s3_url
description:
- URL to connect to instead of the default AWS endpoints. While this can be used
to connection to other AWS-compatible services the amazon.aws and community.aws
collections are only tested against AWS.
- The C(AWS_URL) or C(EC2_URL) environment variables may also be used, in decreasing
order of preference.
- The I(ec2_url) and I(s3_url) aliases have been deprecated and will be removed in
a release after 2024-12-01.
- Support for the C(EC2_URL) environment variable has been deprecated and will be
removed in a release after 2024-12-01.
type: str
aws_ca_bundle:
description:
- The location of a CA Bundle to use when validating SSL certificates.
- The C(AWS_CA_BUNDLE) environment variable may also be used.
type: path
session_token:
aliases:
- aws_session_token
- security_token
- aws_security_token
- access_token
description:
- AWS STS session token for use with temporary credentials.
- See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
- The C(AWS_SESSION_TOKEN), C(AWS_SECURITY_TOKEN) or C(EC2_SECURITY_TOKEN) environment
variables may also be used in decreasing order of preference.
- The I(security_token) and I(profile) options are mutually exclusive.
- Aliases I(aws_session_token) and I(session_token) were added in release 3.2.0, with
the parameter being renamed from I(security_token) to I(session_token) in release
6.0.0.
- The I(security_token), I(aws_security_token), and I(access_token) aliases have been
deprecated and will be removed in a release after 2024-12-01.
- Support for the C(EC2_SECRET_KEY) and C(AWS_SECURITY_TOKEN) environment variables
has been deprecated and will be removed in a release after 2024-12-01.
type: str
validate_certs:
default: true
description:
- When set to C(false), SSL certificates will not be validated for communication with
the AWS APIs.
- Setting I(validate_certs=false) is strongly discouraged, as an alternative, consider
setting I(aws_ca_bundle) instead.
type: bool
recovery_window:
default: 30
description:
- Only used if state is absent.
- Specifies the number of days that Secrets Manager waits before it can delete the
secret.
- If set to 0, the deletion is forced without recovery.
type: int
resource_policy:
description:
- Specifies JSON-formatted resource policy to attach to the secret. Useful when granting
cross-account access to secrets.
required: false
type: json
version_added: 3.1.0
version_added_collection: community.aws
rotation_lambda:
description:
- Specifies the ARN of the Lambda function that can rotate the secret.
type: str
rotation_interval:
default: 30
description:
- Specifies the number of days between automatic scheduled rotations of the secret.
type: int
debug_botocore_endpoint_logs:
default: false
description:
- Use a C(botocore.endpoint) logger to parse the unique (rather than total) C("resource:action")
API calls made during a task, outputing the set to the resource_actions key in the
task results. Use the C(aws_resource_action) callback to output to total list made
during a playbook.
- The C(ANSIBLE_DEBUG_BOTOCORE_LOGS) environment variable may also be used.
type: bool
secret:
contains:
arn:
description: The ARN of the secret.
returned: always
sample: arn:aws:secretsmanager:eu-west-1:xxxxxxxxxx:secret:xxxxxxxxxxx
type: str
description:
description: A description of the secret.
returned: when the secret has a description
sample: An example description
type: str
last_accessed_date:
description: The date the secret was last accessed.
returned: always
sample: '2018-11-20T01:00:00+01:00'
type: str
last_changed_date:
description: The date the secret was last modified.
returned: always
sample: '2018-11-20T12:16:38.433000+01:00'
type: str
name:
description: The secret name.
returned: always
sample: my_secret
type: str
rotation_enabled:
description: The secret rotation status.
returned: always
sample: false
type: bool
tags:
contains:
key:
description: The name or key of the tag.
example: MyTag
returned: success
type: str
value:
description: The value of the tag.
example: Some value.
returned: success
type: str
description:
- A list of dictionaries representing the tags associated with the secret in
the standard boto3 format.
elements: dict
returned: when the secret has tags
type: list
tags_dict:
description: A dictionary representing the tags associated with the secret.
example:
MyTagName: Some Value
returned: when the secret has tags
type: dict
version_added: 4.0.0
version_added_collection: community.aws
version_ids_to_stages:
description: Provide the secret version ids and the associated secret stage.
returned: always
sample:
dc1ed59b-6d8e-4450-8b41-536dfe4600a9:
- AWSCURRENT
type: dict
description: The secret information
returned: always
type: complex