aws_secret – Look up secrets stored in AWS Secrets Manager

New in version 2.8.

Synopsis

• Look up secrets stored in AWS Secrets Manager provided the caller has the appropriate permissions to read the secret.

• Lookup is based on the secret’s Name value.

• Optional parameters can be passed into this lookup; version_id and version_stage

Requirements

The below requirements are needed on the local master node that executes this lookup.

• boto3

• botocore>=1.10.0

Parameters

Parameter	Choices/Defaults	Configuration	Comments
_terms - / required			Name of the secret to look up in AWS Secrets Manager.
aws_access_key string		env:EC2_ACCESS_KEY env:AWS_ACCESS_KEY env:AWS_ACCESS_KEY_ID	The AWS access key to use. aliases: aws_access_key_id
aws_profile string		env:AWS_DEFAULT_PROFILE env:AWS_PROFILE	The AWS profile aliases: boto_profile
aws_secret_key string		env:EC2_SECRET_KEY env:AWS_SECRET_KEY env:AWS_SECRET_ACCESS_KEY	The AWS secret key that corresponds to the access key. aliases: aws_secret_access_key
aws_security_token string		env:EC2_SECURITY_TOKEN env:AWS_SESSION_TOKEN env:AWS_SECURITY_TOKEN	The AWS security token if using temporary access and secret keys.
join boolean	Default: "no"		Join two or more entries to form an extended secret. This is useful for overcoming the 4096 character limit imposed by AWS.
region string		env:EC2_REGION env:AWS_REGION	The region for which to create the connection.
version_id -			Version of the secret(s).
version_stage -			Stage of the secret version.

Examples

- name: Create RDS instance with aws_secret lookup for password param
  rds:
    command: create
    instance_name: app-db
    db_engine: MySQL
    size: 10
    instance_type: db.m1.small
    username: dbadmin
    password: "{{ lookup('aws_secret', 'DbSecret') }}"
    tags:
      Environment: staging

Return Values

Common return values are documented here, the following are the fields unique to this lookup:

Key	Returned	Description
_raw -		Returns the value of the secret stored in AWS Secrets Manager.

Status

• This lookup is not guaranteed to have a backwards compatible interface. [preview]

• This lookup is maintained by the Ansible Community. [community]

Authors

• Aaron Smith <ajsmith10381@gmail.com>

Hint

If you notice any issues in this documentation, you can edit this document to improve it.

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.