AWS Secrets Manager: Secrets Manager

Summary

This module contains actions for reading, creating, & updating secrets in AWS Secrets Manager.

PPA Appliance & Vault Requirements

This plugin requires PPA version 2.7.1 or later.

You must have an AWS Secrets Manager provisioned as a Vault inside PPA to use this plugin.

Actions

aws_secrets_manager.secrets.create

Create a new secret.

Minimum Plugin Version: 2.0.0

Input
  • name: the name of the secret

  • data: a dictionary containing the secret keys & values

  • tags: optional dictionary containing tags for the secret (defaults to empty)

  • description: optional description for the secret (defaults to empty)

  • secrets_manager: the name of the AWS Secrets Manager (required if multiple are configured)

Output

This action produces no output.

Example
- aws_secrets_manager.secrets.create:
    name: slack-webhook
    data:
      slack_webhook_url: "{{ webhook_url }}"
    tags:
      team: engineering
      environment: production
    description: Engineering Slack channel incoming webhook url

aws_secrets_manager.secrets.delete

Delete a secret.

Minimum Plugin Version: 2.0.0

Input
  • secret: the secret to delete

  • force: set to true to delete the secret immediately with no recovery window (defaults to false)

  • recovery_days: optional number of days to set as the recovery period (defaults to 30)

  • secrets_manager: the name of the AWS Secrets Manager (required if multiple are configured)

Force Deletion & Recovery

You cannot supply both the force & recovery_days inputs.

Output

This action produces no output.

Example
- aws_secrets_manager.secrets.delete:
    secret: slack-webhook
    recovery_days: 14

aws_secrets_manager.secrets.list

List all secrets.

This action only shows which secrets exist; it does not reveal any secret values.

Minimum Plugin Version: 2.0.0

Input
  • secrets_manager: the name of the AWS Secrets Manager (required if multiple are configured)

Output

A list of ListedSecret dictionaries.

Example
- aws_secrets_manager.secrets.list:
  save: secret_list

aws_secrets_manager.secrets.read

Read a secret.

Minimum Plugin Version: 2.0.0

Input
  • secret: the name of the secret

  • secrets_manager: the name of the AWS Secrets Manager (required if multiple are configured)

Output

A single Secret.

Example
- aws_secrets_manager.secrets.read:
    secret: ansible_runner_key
  save: secret

aws_secrets_manager.secrets.update

Create a new version of the secret with the supplied data.

Minimum Plugin Version: 2.0.0

Input
  • name: the secret to update

  • data: a dictionary containing the secret keys & values

  • secrets_manager: the name of the AWS Secrets Manager (required if multiple are configured)

Updating Secrets

This action creates a new secret version containing only the keys & values supplied in data.

Any key present in the current version that is not given a value in data is dropped from the new version.

Output

This action produces no output.

Example
- aws_secrets_manager.secrets.update:
    secret: slack-webhook
    data:
      slack_webhook_url: "{{ webhook_url }}"
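Because update replaces the whole version with exactly the keys in data, rotating one key of a multi-key secret means reading the current version first and resupplying every key you want to keep. The following workflow is an added example, not from the plugin documentation; it assumes the saved Secret exposes its key/value pairs as `current.data` (the page does not describe the Secret structure) and uses a constructed second key, `slack_channel_id`.

```yaml
# Added example (not from the plugin documentation): rotate one key while
# preserving the others. update does not merge, so every key that should
# survive must be supplied again.
# ASSUMPTION: the saved Secret exposes its values as `current.data`.
- aws_secrets_manager.secrets.read:
    secret: slack-webhook
  save: current

- aws_secrets_manager.secrets.update:
    secret: slack-webhook
    data:
      # rotated value
      slack_webhook_url: "{{ webhook_url }}"
      # constructed key, carried over unchanged from the current version
      slack_channel_id: "{{ current.data.slack_channel_id }}"
```

Any key omitted from data here, such as a second token stored alongside the webhook, would be absent from the new version.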