community.general.credstash – retrieve secrets from Credstash on AWS
community.general.credstash – retrieve secrets from Credstash on AWS
Note
This plugin is part of the community.general collection (version 1.3.2).
To install it use: ansible-galaxy collection install community.general
.
To use it in a playbook, specify: community.general.credstash
.
Synopsis
- Credstash is a small utility for managing secrets using AWS’s KMS and DynamoDB: https://github.com/fugue/credstash
Requirements
The below requirements are needed on the local controller node that executes this lookup.
- credstash (python library)
Parameters
Parameter | Choices/Defaults | Configuration | Comments |
---|---|---|---|
_terms list / elements=string / required |
term or list of terms to lookup in the credit store | ||
aws_access_key_id string |
env:AWS_ACCESS_KEY_ID |
AWS access key ID | |
aws_secret_access_key string |
env:AWS_SECRET_ACCESS_KEY |
AWS access key | |
aws_session_token string |
env:AWS_SESSION_TOKEN |
AWS session token | |
profile_name string |
env:AWS_PROFILE |
AWS profile to use for authentication | |
region string |
AWS region | ||
table string / required |
Default: "credential-store" |
name of the credstash table to query | |
version string |
Credstash version |
Examples
- name: first use credstash to store your secrets
ansible.builtin.shell: credstash put my-github-password secure123
- name: "Test credstash lookup plugin -- get my github password"
ansible.builtin.debug:
msg: "Credstash lookup! {{ lookup('community.general.credstash', 'my-github-password') }}"
- name: "Test credstash lookup plugin -- get my other password from us-west-1"
ansible.builtin.debug:
msg: "Credstash lookup! {{ lookup('community.general.credstash', 'my-other-password', region='us-west-1') }}"
- name: "Test credstash lookup plugin -- get the company's github password"
ansible.builtin.debug:
msg: "Credstash lookup! {{ lookup('community.general.credstash', 'company-github-password', table='company-passwords') }}"
- name: Example play using the 'context' feature
hosts: localhost
vars:
context:
app: my_app
environment: production
tasks:
- name: "Test credstash lookup plugin -- get the password with a context passed as a variable"
ansible.builtin.debug:
msg: "{{ lookup('community.general.credstash', 'some-password', context=context) }}"
- name: "Test credstash lookup plugin -- get the password with a context defined here"
ansible.builtin.debug:
msg: "{{ lookup('community.general.credstash', 'some-password', context=dict(app='my_app', environment='production')) }}"
Return Values
Common return values are documented here, the following are the fields unique to this lookup:
Key | Returned | Description |
---|---|---|
_raw string |
success |
Value(s) stored in Credstash.
|
Authors
- Unknown (!UNKNOWN)
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/community/general/credstash_lookup.html