@ngoduykhanh
Created September 17, 2021 15:26
GCP Secret Manager Ansible library
#!/usr/bin/env python
from google.cloud import secretmanager
from ansible.module_utils.basic import AnsibleModule
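def main():
    """Ansible entry point: read one GCP Secret Manager secret version and return it.

    Module arguments:
        name (str, required): secret name within the project.
        version (str, default 'latest'): secret version to read. 'latest'
            resolves to whatever the newest version is at run time, so pin a
            numeric version where reproducible runs matter.
        gcp_project (str, required): GCP project id that owns the secret.
        state (str, default 'info', choices ['info']): only 'info' is supported.

    Results (via ``exit_json``): ``changed`` (always False), ``state`` and,
    outside check mode, ``data`` (the decoded secret plaintext) and ``msg``.
    Failures talking to Secret Manager are reported through ``fail_json``
    instead of surfacing as a traceback.
    """
    module = AnsibleModule(
        argument_spec=dict(
            name=dict(required=True),
            version=dict(default='latest'),
            gcp_project=dict(required=True),
            state=dict(default='info', choices=['info']),
        ),
        supports_check_mode=True,
    )
    result = dict(changed=False, state=module.params['state'])

    # Check mode must not touch the API: return before fetching so a dry run
    # neither needs credentials on the host nor reads the secret.
    if module.check_mode:
        module.exit_json(**result)

    gcp_project = module.params['gcp_project']
    secret_name = module.params['name']
    secret_version = module.params['version']
    try:
        data = _get_secret_plaintext(gcp_project, secret_name, secret_version)
    except Exception as exc:  # top-level boundary: report auth/API errors as a module failure
        # The message names the resource only, never the payload.
        module.fail_json(
            msg="Failed to read secret '{}' version '{}' in project '{}': {}".format(
                secret_name, secret_version, gcp_project, exc
            ),
            **result
        )

    if module.params['state'] == 'info':
        # ``data`` is the secret plaintext; the calling task should set
        # ``no_log: true`` so the registered value is not echoed into logs.
        result['data'] = data
        result['msg'] = 'Read the secret successfully'
    module.exit_json(**result)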
def _get_secret_plaintext(gcp_project, secret_name, version):
    """Fetch one secret version from GCP Secret Manager and decode it as text.

    Args:
        gcp_project: project id that owns the secret.
        secret_name: name of the secret.
        version: version id or alias (e.g. 'latest') to access.

    Returns:
        The secret payload decoded as UTF-8.
    """
    # Fully-qualified resource name expected by access_secret_version.
    resource_name = "projects/{}/secrets/{}/versions/{}".format(
        gcp_project, secret_name, version
    )
    # No credentials are passed explicitly; the client resolves them itself
    # (Application Default Credentials on the host running the module).
    svc = secretmanager.SecretManagerServiceClient()
    payload = svc.access_secret_version(request={"name": resource_name}).payload
    return payload.data.decode("UTF-8")
if __name__ == "__main__":
    # Ansible runs the module file directly, so guard the entry point.
    main()
@ngoduykhanh

Put the file in the `library` directory; you can then use it in a task like this:

    - name: Get token
      google_secret_manager:
        name: my-token
        gcp_project: my-gcp-project
        version: latest
      register: token
