niainalens.gcp_secret_manager

ANSIBLE ROLE for GCP SECRET MANAGER

This Ansible role helps you retrieve secrets from Google Cloud Platform's Secret Manager and save them into specified files.

Requirements

  • Ensure you are authenticated and have access to the correct Google Cloud project.
  • Have your secrets stored in GCP Secret Manager.
  • Enable the Secret Manager API:
$ gcloud services list --available | grep Secret
secretmanager.googleapis.com
$ gcloud services enable secretmanager.googleapis.com

Role Variables

You need to define the gcp_secrets variable as a dictionary:

gcp_secrets:
  SECRET_NAME_1:
    name: SECRET_NAME_1  # Exact name in GCP Secret Manager
    file_path: "/PATH/TO/TARGET_FILE/SECRET_NAME"
    file_owner: USER      # User who owns the file
    file_group: USER      # Group owner (default is "file_owner" if not specified)
    file_mode: '0400'     # File permissions (keep it secure)
  SECRET_NAME_2:
    name: SECRET_NAME_2
    file_path: "/PATH/TO/TARGET_FILE/SECRET_NAME"
    file_owner: USER
    file_mode: '0644'
  SECRET_NAME_N:
    name: SECRET_NAME_N
    file_path: "/PATH/TO/TARGET_FILE/SECRET_NAME"
    file_owner: USER
    file_mode: '0600'
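The role expects this dictionary as-is, so mistakes (a missing key, an unquoted mode, a mode that lets other users read the secret) only surface at run time on the target host. The following added example, which is not part of the niainalens.gcp_secret_manager role, checks a gcp_secrets mapping before a playbook runs: it applies the documented default (file_group falls back to file_owner), rejects entries with missing keys or a non-string file_mode, and warns about modes that grant group or other access and about two entries writing the same file_path. The SAMPLE_GCP_SECRETS dictionary is constructed for illustration; its first two entries mirror the README's example playbook and the third deliberately uses a loose mode.

```python
"""Pre-flight checks for a gcp_secrets mapping (added example, not the role's code)."""
import stat

REQUIRED_KEYS = ("name", "file_path", "file_owner", "file_mode")

# Constructed sample: "database" and "nexus" copy the README's example playbook,
# "legacy" is a made-up entry with a mode that exposes the secret to other users.
SAMPLE_GCP_SECRETS = {
    "database": {"name": "MYSQL_PASSWORD", "file_path": "/srv/mysql_pwd",
                 "file_owner": "root", "file_group": "root", "file_mode": "0400"},
    "nexus": {"name": "NEXUS_PASSWORD", "file_path": "/srv/nexus_pwd",
              "file_owner": "root", "file_mode": "0400"},
    "legacy": {"name": "LEGACY_TOKEN", "file_path": "/srv/legacy_token",
               "file_owner": "app", "file_mode": "0644"},
}


def normalize_secret(key, spec):
    """Return a copy of one entry with the file_group default applied and the mode parsed."""
    missing = [k for k in REQUIRED_KEYS if k not in spec]
    if missing:
        raise ValueError(f"{key}: missing required key(s): {', '.join(missing)}")
    mode = spec["file_mode"]
    # The README gives file_mode as a quoted string ('0400'); anything else means
    # the quotes were dropped and YAML parsed the value as a number, so reject it
    # rather than guess what was meant.
    if not isinstance(mode, str):
        raise ValueError(f"{key}: file_mode must be a quoted octal string, got {mode!r}")
    try:
        mode_bits = int(mode, 8)
    except ValueError:
        raise ValueError(f"{key}: file_mode {mode!r} is not an octal string") from None
    entry = dict(spec)
    entry.setdefault("file_group", spec["file_owner"])  # documented default
    entry["mode_bits"] = mode_bits
    return entry


def mode_warnings(key, mode_bits):
    """List the ways a file mode weakens protection of a secret file."""
    warnings = []
    if mode_bits & (stat.S_IRGRP | stat.S_IROTH):
        warnings.append(f"{key}: mode {mode_bits:04o} lets group/other read the secret")
    if mode_bits & (stat.S_IWGRP | stat.S_IWOTH):
        warnings.append(f"{key}: mode {mode_bits:04o} lets group/other overwrite the secret")
    if mode_bits & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        warnings.append(f"{key}: mode {mode_bits:04o} marks a secret file executable")
    return warnings


def check_gcp_secrets(gcp_secrets):
    """Return (normalized entries, warnings) for a whole gcp_secrets mapping."""
    normalized, warnings, seen_paths = {}, [], {}
    for key, spec in gcp_secrets.items():
        entry = normalize_secret(key, spec)
        path = entry["file_path"]
        if path in seen_paths:
            warnings.append(f"{key}: file_path {path} is also written by {seen_paths[path]}")
        seen_paths[path] = key
        warnings.extend(mode_warnings(key, entry["mode_bits"]))
        normalized[key] = entry
    return normalized, warnings


if __name__ == "__main__":
    entries, warns = check_gcp_secrets(SAMPLE_GCP_SECRETS)
    for key, entry in entries.items():
        print(f"{key}: {entry['file_path']} {entry['file_owner']}:{entry['file_group']} "
              f"{entry['mode_bits']:04o}")
    for w in warns:
        print("WARNING", w)
```

Run it against the variables of a playbook before executing the role; an entry such as the constructed "legacy" one should be tightened to '0400' or '0600' before the secret is written to disk.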

Dependencies

There are no dependencies required for this role.

Example Playbook

Here is a sample playbook that demonstrates how to use the role:

- hosts: web-servers
  vars:
    gcp_secrets:
      database:
        name: MYSQL_PASSWORD
        file_path: "/srv/mysql_pwd"
        file_owner: root
        file_group: root
        file_mode: '0400'
      nexus:
        name: NEXUS_PASSWORD
        file_path: "/srv/nexus_pwd"
        file_owner: root
        file_mode: '0400'
  roles:
    - gcp_secret_manager

What to Improve

  • Add functionality to manage secrets: add, edit, delete
  • Allow editing of secret properties (version, replication, location, labels, iam)

License

This project is licensed under the Apache License.

Author Information

Created by Niaina Lens in September 2022.

Project information

Ansible role for GCP Secret Manager

Install
ansible-galaxy install niainalens.gcp_secret_manager
License
apache-2.0
Downloads
2.3k
Owner
Lead DevOps Advocate | Cloud | SRE