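# -*- coding: utf-8 -*-
# Copyright: (c) 2020, Pavlo Bashynskyi (@levonet)
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type

DOCUMENTATION = r"""
---
lookup: gcp_secret_access
author:
  - Pavlo Bashynskyi (@levonet)
short_description: Retrieve secrets from GCP Secret Manager
requirements:
  - python >= 2.7
  - google-auth >= 1.26.0
  - google-cloud-secret-manager >= 1.0.0
description:
  - Retrieve secret contents from GCP Secret Manager.
  - Accessing to secret content requires the Secret Manager Secret Accessor role (C(roles/secretmanager.secretAccessor)) on the secret, project, folder, or organization.
options:
  secret:
    description:
      - Secret name or resource id. Resource id should be in format C(projects/*/secrets/*/versions/*).
      - The project option is required if a secret name is used instead of resource id.
    required: True
    type: str
  version:
    description: Version id of secret. You can also access the latest version of a secret by specifying "C(latest)" as the version.
    type: str
    default: latest
  project:
    description: The Google Cloud Platform project to use.
    type: str
    env:
      - name: GCP_PROJECT
  access_token:
    description:
      - The Google Cloud access token. If specified, C(service_account_file) will be ignored.
    type: str
    env:
      - name: GCP_ACCESS_TOKEN
  service_account_file:
    description:
      - The path of a Service Account JSON file if serviceaccount is selected as type.
    type: path
    env:
      - name: GOOGLE_APPLICATION_CREDENTIALS
      - name: GCP_SERVICE_ACCOUNT_FILE
notes:
  - When I(secret) is the first option in the term string, C(secret=) is not required (see examples).
  - If you’re running your application elsewhere, you should download a service account JSON keyfile and point to it using the secret option or an environment variable C(GOOGLE_APPLICATION_CREDENTIALS="/path/to/keyfile.json").
"""

EXAMPLES = r"""
- ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_secret_access', secret='hola', project='test_project') }}"

- ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_secret_access', 'hola', project='test_project') }}"

- name: using resource id instead of secret name
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_secret_access', 'projects/112233445566/secrets/hola/versions/1') }}"

- name: using service account file
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_secret_access', 'hola', project='test_project', service_account_file='/path/to/keyfile.json') }}"
"""

RETURN = r"""
_raw:
  description:
    - secrets requested
"""

from ansible.errors import AnsibleError
from ansible.plugins.lookup import LookupBase
from ansible_collections.google.cloud.plugins.plugin_utils.gcp_utils import GcpSecretLookup

# The Secret Manager client library is optional at import time; its absence is
# reported as a clear AnsibleError from LookupModule.run instead of an ImportError.
try:
    from google.cloud import secretmanager
    HAS_GOOGLE_SECRET_MANAGER_LIBRARY = True
except ImportError:
    HAS_GOOGLE_SECRET_MANAGER_LIBRARY = False


class GcpSecretAccessLookup(GcpSecretLookup):
    """Access one secret version through the Secret Manager API.

    Option parsing, credential handling and client construction come from the
    ``GcpSecretLookup`` base class (defined in ``plugin_utils.gcp_utils``, not
    visible here); this class only issues the ``access_secret_version`` call
    and decodes the returned payload.
    """

    def run(self, terms, variables=None, **kwargs):
        """Return a one-element list holding the decoded secret payload.

        Args:
            terms: positional lookup terms; the first one may be the secret
                name or resource id (see DOCUMENTATION notes).
            variables: the play's variables, forwarded to ``process_options``.
            **kwargs: keyword options such as ``secret``, ``version``,
                ``project``, ``access_token`` and ``service_account_file``.

        Returns:
            ``[payload]`` where ``payload`` is the secret data decoded as UTF-8.

        Raises:
            AnsibleError: if the secret payload is not valid UTF-8.

        NOTE(review): the return value is secret material. Tasks that consume
        it should be marked ``no_log`` so it does not end up in task output.
        """
        self.set_plugin_name('google.cloud.gcp_secret_access')
        # Forward the caller's variables instead of discarding them: the
        # previous implementation hard-coded ``variables=None`` here, so the
        # value LookupModule.run passes through never reached process_options.
        self.process_options(terms, variables=variables, **kwargs)
        # self.name is presumably the fully qualified version resource name
        # populated by process_options — verify against gcp_utils.
        response = self.client(secretmanager).access_secret_version(request={"name": self.name})
        # NOTE(review): the payload's CRC32C (``data_crc32c`` in the API) is
        # not verified here; the stdlib has no CRC32C implementation.
        try:
            payload = response.payload.data.decode("UTF-8")
        except UnicodeDecodeError:
            # Binary payloads are not supported by this lookup. The raw bytes
            # are deliberately left out of the message so the secret does not
            # leak into logs or error output.
            raise AnsibleError(
                "Secret version %s does not contain valid UTF-8 text; "
                "this lookup only supports text payloads" % self.name
            )
        return [payload]


class LookupModule(LookupBase):
    """Ansible entry point for the ``google.cloud.gcp_secret_access`` lookup."""

    def run(self, terms, variables=None, **kwargs):
        """Check the optional dependency, then delegate to GcpSecretAccessLookup.

        Raises:
            AnsibleError: if ``google-cloud-secret-manager`` is not importable.
        """
        if not HAS_GOOGLE_SECRET_MANAGER_LIBRARY:
            raise AnsibleError("Please install the google-cloud-secret-manager Python library")
        return GcpSecretAccessLookup().run(terms, variables=variables, **kwargs)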