amazon.aws.aws_ssm lookup – Get the value for a SSM parameter or all parameters under a path

Note

This lookup plugin is part of the amazon.aws collection (version 5.5.4).

To install it, use: ansible-galaxy collection install amazon.aws. This lookup plugin has further requirements; see Requirements for details.

To use it in a playbook, specify: amazon.aws.aws_ssm.

Synopsis

  • Get the value for an Amazon Simple Systems Manager parameter or a hierarchy of parameters. The first argument you pass to the lookup can be either a parameter name or a hierarchy of parameters. Hierarchies start with a forward slash and end with the parameter name. Up to 5 layers may be specified.

  • If you look up an explicitly listed parameter by name and it does not exist, the lookup will generate an error. You can use the `default` filter to give a default value in this case, but you must set the `on_missing` parameter to `skip` or `warn`. You must also set the second parameter of the `default` filter to `true` (see the examples below).

  • When looking up parameters under a path, a dictionary will be returned for each path. If there is no parameter under that path, the lookup will generate an error.

  • If the lookup fails due to lack of permissions or due to an AWS client error, the aws_ssm lookup will generate an error. If you want to continue in this case, you will have to set up two Ansible tasks: one which sets a variable and ignores failures, and one which uses the value of that variable with a default. See the examples below.

Requirements

The below requirements are needed on the local controller node that executes this lookup.

  • python >= 3.6

  • boto3 >= 1.18.0

  • botocore >= 1.21.0

Keyword parameters

This describes keyword parameters of the lookup. These are the values key1=value1, key2=value2 and so on in the following examples: lookup('amazon.aws.aws_ssm', key1=value1, key2=value2, ...) and query('amazon.aws.aws_ssm', key1=value1, key2=value2, ...)

bypath (boolean)
    A boolean to indicate whether the parameter is provided as a hierarchy.
    Choices: false ← (default), true

decrypt (boolean)
    A boolean to indicate whether to decrypt the parameter.
    Choices: false, true ← (default)

endpoint (string, added in amazon.aws 3.3.0)
    Use a custom endpoint when connecting to SSM service.

on_denied (string, added in amazon.aws 2.0.0)
    Action to take if access to the SSM parameter is denied.
    error will raise a fatal error when access to the SSM parameter is denied.
    skip will silently ignore the denied SSM parameter.
    warn will skip over the denied SSM parameter but issue a warning.
    Choices: "error" ← (default), "skip", "warn"

on_missing (string, added in amazon.aws 2.0.0)
    Action to take if the SSM parameter is missing.
    error will raise a fatal error when the SSM parameter is missing.
    skip will silently ignore the missing SSM parameter.
    warn will skip over the missing SSM parameter but issue a warning.
    Choices: "error" ← (default), "skip", "warn"

recursive (boolean)
    A boolean to indicate whether to retrieve all parameters within a hierarchy.
    Choices: false ← (default), true

shortnames (boolean)
    Indicates whether to return the name only without path if using a parameter hierarchy.
    Choices: false ← (default), true

Examples

# lookup sample:
- name: lookup ssm parameter store in the current region
  debug: msg="{{ lookup('amazon.aws.aws_ssm', 'Hello' ) }}"

- name: lookup ssm parameter store in specified region
  debug: msg="{{ lookup('amazon.aws.aws_ssm', 'Hello', region='us-east-2' ) }}"

- name: lookup ssm parameter store without decryption
  debug: msg="{{ lookup('amazon.aws.aws_ssm', 'Hello', decrypt=False ) }}"

- name: lookup ssm parameter store using a specified aws profile
  debug: msg="{{ lookup('amazon.aws.aws_ssm', 'Hello', aws_profile='myprofile' ) }}"

- name: lookup ssm parameter store using explicit aws credentials
  debug: msg="{{ lookup('amazon.aws.aws_ssm', 'Hello', aws_access_key=my_aws_access_key, aws_secret_key=my_aws_secret_key, aws_security_token=my_security_token ) }}" # noqa: E501

- name: lookup ssm parameter store with all options
  debug: msg="{{ lookup('amazon.aws.aws_ssm', 'Hello', decrypt=false, region='us-east-2', aws_profile='myprofile') }}"

- name: lookup ssm parameter and fail if missing
  debug: msg="{{ lookup('amazon.aws.aws_ssm', 'missing-parameter') }}"

- name: lookup a key which doesn't exist, returning a default ('root')
  debug: msg="{{ lookup('amazon.aws.aws_ssm', 'AdminID', on_missing='skip') | default('root', true) }}"

- name: lookup a key which doesn't exist, failing to store it in a fact
  set_fact:
    temp_secret: "{{ lookup('amazon.aws.aws_ssm', '/NoAccess/hiddensecret') }}"
  ignore_errors: true

- name: show fact, defaulting to 'could not access secret' if we don't have access
  debug: msg="{{ 'the secret was:' ~ temp_secret | default('could not access secret') }}"

- name: return a dictionary of ssm parameters from a hierarchy path
  debug: msg="{{ lookup('amazon.aws.aws_ssm', '/PATH/to/params', region='ap-southeast-2', bypath=true, recursive=true ) }}"

- name: return a dictionary of ssm parameters from a hierarchy path with shortened names (param instead of /PATH/to/param)
  debug: msg="{{ lookup('amazon.aws.aws_ssm', '/PATH/to/params', region='ap-southeast-2', shortnames=true, bypath=true, recursive=true ) }}"

- name: Iterate over a parameter hierarchy (one iteration per parameter)
  debug: msg='Key contains {{ item.key }} , with value {{ item.value }}'
  loop: "{{ lookup('amazon.aws.aws_ssm', '/demo/', region='ap-southeast-2', bypath=True) | dict2items }}"

- name: Iterate over multiple paths as dictionaries (one iteration per path)
  debug: msg='Path contains {{ item }}'
  loop: "{{ lookup('amazon.aws.aws_ssm', '/demo/', '/demo1/', bypath=True)}}"

- name: lookup ssm parameter warn if access is denied
  debug: msg="{{ lookup('amazon.aws.aws_ssm', 'missing-parameter', on_denied='warn' ) }}"
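
Because decrypt defaults to true, printing a lookup result with debug puts the decrypted value in task output. The playbook below is an added example, not part of the collection's documentation: it reads a hierarchy, checks that the expected keys exist, and sets no_log on every task that handles the values. The path /myapp/prod, the parameter names db_user and db_password, and the destination file are hypothetical.

```yaml
# Added example; path, parameter names and destination are hypothetical.
- name: Load application secrets from SSM without exposing them in task output
  hosts: localhost
  gather_facts: false
  vars:
    ssm_path: /myapp/prod
    required_keys:
      - db_user
      - db_password
  tasks:
    # bypath returns a dictionary for the path; shortnames strips the path so
    # keys are 'db_user' rather than '/myapp/prod/db_user'. recursive stays at
    # its default (false) so nested parameters cannot collide on short names.
    # Default on_missing/on_denied ('error') make this task fail closed.
    - name: Read every parameter directly under the path
      ansible.builtin.set_fact:
        app_secrets: "{{ lookup('amazon.aws.aws_ssm', ssm_path, bypath=true, shortnames=true) }}"
      no_log: true   # the result holds decrypted values

    # Only parameter names appear in the failure message, never values.
    - name: Fail early if an expected parameter is absent
      ansible.builtin.assert:
        that:
          - required_keys | difference(app_secrets.keys() | list) | length == 0
        fail_msg: >-
          Missing parameters under {{ ssm_path }}:
          {{ required_keys | difference(app_secrets.keys() | list) | join(', ') }}
        quiet: true

    - name: Write the credentials file readable only by its owner
      ansible.builtin.copy:
        dest: /tmp/myapp-db.env
        mode: "0600"
        content: |
          DB_USER={{ app_secrets.db_user }}
          DB_PASSWORD={{ app_secrets.db_password }}
      no_log: true   # keeps the rendered content out of diffs and logs
```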

Authors

  • Bill Wang <ozbillwang(at)gmail.com>

  • Marat Bakeev <hawara(at)gmail.com>

  • Michael De La Rue

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.