Hi! I tried a simple Ansible task to get a secret with the lookup method, but in both cases, machineaccount and serviceaccount, it failed.
ISSUE TYPE
- Bug Report
ANSIBLE VERSION
ansible [core 2.17.3]
COLLECTION VERSION
name: google.cloud
version: "1.4.1"
OS / ENVIRONMENT
Ubuntu 24
STEPS TO REPRODUCE
- name: Test secret
  debug:
    msg: "debug secret : {{ lookup('google.cloud.gcp_secret_manager', auth_kind='machineaccount', key='MY_PRIVATE_VAR', project='my-projects', version='1') }}"
# - name: additional task to test with service account, but I prefer machine account
#   debug:
#     msg: "debug secret : {{ lookup('google.cloud.gcp_secret_manager', auth_kind='serviceaccount', service_account_file='/home/xxx/test.json', key='MY_PRIVATE_VAR', project='my-projects', version='1') }}"
EXPECTED RESULTS
get my secret
ACTUAL RESULTS
File "/home/xxx/.local/pipx/venvs/ansible-core/lib/python3.12/site-packages/google/auth/compute_engine/credentials.py", line 126, in refresh
self._retrieve_info(request)
File "/home/xxx/.local/pipx/venvs/ansible-core/lib/python3.12/site-packages/google/auth/compute_engine/credentials.py", line 99, in _retrieve_info
info = _metadata.get_service_account_info(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/xxx/.local/pipx/venvs/ansible-core/lib/python3.12/site-packages/google/auth/compute_engine/_metadata.py", line 330, in get_service_account_info
return get(request, path, params={"recursive": "true"})
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/xxx/.local/pipx/venvs/ansible-core/lib/python3.12/site-packages/google/auth/compute_engine/_metadata.py", line 229, in get
raise exceptions.TransportError(
google.auth.exceptions.TransportError: Failed to retrieve http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true from the Google Compute Engine metadata service. Compute Engine Metadata server unavailable
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/home/xxx/.local/pipx/venvs/ansible-core/lib/python3.12/site-packages/ansible/template/__init__.py", line 856, in _lookup
ran = instance.run(loop_terms, variables=self._available_variables, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/xxx/yyy/ansible_collections/google/cloud/plugins/lookup/gcp_secret_manager.py", line 185, in run
result = self.get_secret(fake_module)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/xxx/yyy/collections/ansible_collections/google/cloud/plugins/lookup/gcp_secret_manager.py", line 240, in get_secret
response = auth.get(url)
^^^^^^^^^^^^^
File "/home/xxx/yyy/ansible_collections/google/cloud/plugins/module_utils/gcp_utils.py", line 85, in get
return self.full_get(url, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/xxx/yyy/ansible_collections/google/cloud/plugins/module_utils/gcp_utils.py", line 150, in full_get
return self.session().get(url, params=params, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/xxx/.local/pipx/venvs/ansible-core/lib/python3.12/site-packages/requests/sessions.py", line 602, in get
return self.request("GET", url, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/xxx/.local/pipx/venvs/ansible-core/lib/python3.12/site-packages/google/auth/transport/requests.py", line 534, in request
self.credentials.before_request(auth_request, method, url, request_headers)
File "/home/xxx/.local/pipx/venvs/ansible-core/lib/python3.12/site-packages/google/auth/credentials.py", line 239, in before_request
self._blocking_refresh(request)
File "/home/xxx/.local/pipx/venvs/ansible-core/lib/python3.12/site-packages/google/auth/credentials.py", line 202, in _blocking_refresh
self.refresh(request)
File "/home/xxx/.local/pipx/venvs/ansible-core/lib/python3.12/site-packages/google/auth/compute_engine/credentials.py", line 132, in refresh
raise new_exc from caught_exc
google.auth.exceptions.RefreshError: Failed to retrieve http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true from the Google Compute Engine metadata service. Compute Engine Metadata server unavailable
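The traceback above ends in google.auth's Compute Engine credentials, which depend on the metadata server at metadata.google.internal. The following preflight check is an added example, not code from this issue or from the google.cloud collection; `probe_metadata` and `start_fake_server` are hypothetical names, and the fake server is a constructed localhost stand-in for offline testing.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Endpoint copied from the traceback above.
METADATA_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                "instance/service-accounts/default/?recursive=true")
FLAVOR = "Metadata-Flavor"


def probe_metadata(url=METADATA_URL, timeout=2.0):
    """Return 'ok', 'unreachable', 'rejected' or 'not-metadata-server'."""
    req = urllib.request.Request(url, headers={FLAVOR: "Google"})
    # Ignore HTTP(S)_PROXY: this request must never leave the host via a proxy.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=timeout) as resp:
            # The genuine server echoes the flavor header; do not trust a reply without it.
            if resp.headers.get(FLAVOR) != "Google":
                return "not-metadata-server"
            return "ok"
    except urllib.error.HTTPError:
        return "rejected"      # something answered, but refused the request
    except (urllib.error.URLError, OSError):
        return "unreachable"   # DNS failure, refused connection or timeout


def start_fake_server(send_flavor):
    """Constructed localhost stand-in; refuses requests lacking the flavor header."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            ok = self.headers.get(FLAVOR) == "Google"
            self.send_response(200 if ok else 403)
            if send_flavor:
                self.send_header(FLAVOR, "Google")
            self.send_header("Content-Length", "2")
            self.end_headers()
            self.wfile.write(b"{}")

        def log_message(self, *args):
            pass  # keep the probe output quiet
    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/" % srv.server_port


if __name__ == "__main__":
    print("metadata server:", probe_metadata())
```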