Add var vault_gkms_credentials_content,

to be able provide Google KMS credentials by ansible var

README.md

@@ -1303,6 +1303,13 @@ This Auto-unseal mechanism is Open Source in Vault 1.0 but would require Enterpr
 ### `vault_gkms_credentials_src_file`
 
 - User-specified source directory for GCP Credential on Ansible control node.
+- Either this or vault_gkms_credentials_content must be set if vault_gkms enabled.
+- Default value: ''
+
+### `vault_gkms_credentials_content`
+
+- User-specified GCP Credential file content.
+- Either this or vault_gkms_credentials_src_file must be set if vault_gkms enabled.
 - Default value: ''
 
 ### `vault_gkms_credentials`

defaults/main.yml

@@ -338,6 +338,7 @@ vault_gkms: false
 vault_backend_gkms: vault_seal_gcpkms.j2
 vault_gkms_project: ''
 vault_gkms_credentials_src_file: ''
+vault_gkms_credentials_content: ''
 vault_gkms_credentials: '/home/vault/vault-kms.json'
 vault_gkms_region: 'global'
 vault_gkms_key_ring: 'vault'

tasks/main.yml

@@ -139,14 +139,23 @@
   include: ../tasks/backend_tls.yml
   when: vault_tls_gossip == 1
 
+- name: "Get content of GCP Credentials from file"
+  set_fact:
+    vault_gkms_credentials_content: "{{ lookup('file', vault_gkms_credentials_src_file) }}"
+  when:
+    - vault_gkms | bool
+    - vault_gkms_credentials_src_file | length > 0
+
 - name: "Copy over GCP Credentials for Auto Unseal"
   copy:
-    src: "{{ vault_gkms_credentials_src_file }}"
+    content: "{{ vault_gkms_credentials_content }}"
     dest: "{{ vault_gkms_credentials }}"
     owner: "{{ vault_user }}"
     group: "{{ vault_group }}"
     mode: "0600"
-  when: vault_gkms | bool
+  when:
+    - vault_gkms | bool
+    - vault_gkms_credentials_content | length > 0
 
 - name: "Copy GCP Credentials for gcs backend"
   copy: