community.general.passwordstore – manage passwords with passwordstore.org’s pass utility


Note

This plugin is part of the community.general collection (version 2.0.1).

To install it use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.passwordstore.


Synopsis

  • Enables Ansible to retrieve, create or update passwords from the passwordstore.org pass utility. It also retrieves YAML-style keys stored on additional lines of the password file.

Parameters

| Parameter | Choices/Defaults | Configuration | Comments |
|---|---|---|---|
| _terms (string / required) | | | Query key. |
| backup (boolean) | Choices: no, yes | | Used with overwrite=yes. Backup the previous password in a subkey. |
| create (boolean) | Choices: no, yes | | Create the password if it does not already exist. |
| directory (string) | | env:PASSWORD_STORE_DIR | The directory of the password store. |
| length (integer) | Default: 16 | | The length of the generated password. |
| nosymbols (boolean) | Choices: no, yes | | Use alphanumeric characters. |
| overwrite (boolean) | Choices: no, yes | | Overwrite the password if it does already exist. |
| passwordstore (string) | Default: "~/.password-store" | | Location of the password store. |
| returnall (boolean) | Choices: no, yes | | Return all the content of the password, not only the first line. |
| subkey (string) | Default: "password" | | Return a specific subkey of the password. When set to password, always returns the first line. |
| umask (string, added in 1.3.0 of community.general) | | env:PASSWORD_STORE_UMASK | Sets the umask for the created .gpg files. The first octet must be greater than 3 (user readable). Note pass' default value is '077'. |
| userpass (string) | | | Specify a password to save, instead of a generated one. |



Examples

# Debug is used for examples, BAD IDEA to show passwords on screen
- name: Basic lookup. Fails if example/test doesn't exist
  ansible.builtin.debug:
    msg: "{{ lookup('community.general.passwordstore', 'example/test')}}"

- name: Create pass with random 16 character password. If password exists just give the password
  ansible.builtin.debug:
    var: mypassword
  vars:
    mypassword: "{{ lookup('community.general.passwordstore', 'example/test create=true')}}"

- name: Different size password
  ansible.builtin.debug:
    msg: "{{ lookup('community.general.passwordstore', 'example/test create=true length=42')}}"

- name: Create password and overwrite the password if it exists. As a bonus, this module includes the old password inside the pass file
  ansible.builtin.debug:
    msg: "{{ lookup('community.general.passwordstore', 'example/test create=true overwrite=true')}}"

- name: Create an alphanumeric password
  ansible.builtin.debug:
    msg: "{{ lookup('community.general.passwordstore', 'example/test create=true nosymbols=true') }}"

- name: Return the value for user in the KV pair user, username
  ansible.builtin.debug:
    msg: "{{ lookup('community.general.passwordstore', 'example/test subkey=user')}}"

- name: Return the entire password file content
  ansible.builtin.set_fact:
    passfilecontent: "{{ lookup('community.general.passwordstore', 'example/test returnall=true')}}"
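
The examples above print the secret with debug, which their own comment flags as a bad idea. The playbook below is an added example, not part of the plugin documentation, that passes the lookup result to a task with no_log set; the host group appservers, the account deploy and the store entry example/deploy are assumed names.

```yaml
# Added example: consume the secret in a task instead of printing it.
# Hypothetical names: host group "appservers", account "deploy",
# password store entry "example/deploy".
- name: Set an account password from the password store
  hosts: appservers
  become: true
  vars:
    # Lookups run on the control node, so pass, the GPG key and the
    # password store must be available there, not on the managed hosts.
    deploy_password: "{{ lookup('community.general.passwordstore', 'example/deploy create=true length=32 nosymbols=true') }}"
  tasks:
    - name: Ensure the deploy account uses the stored password
      ansible.builtin.user:
        name: deploy
        # password_hash picks a random salt on every run, so only set the
        # password when the account is created to keep the task idempotent.
        password: "{{ deploy_password | password_hash('sha512') }}"
        update_password: on_create
      # Keeps the task arguments and result, including the looked-up
      # password, out of console output and logs.
      no_log: true
```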

Return Values

Common return values are documented in the Ansible documentation; the following fields are unique to this lookup:

| Key | Returned | Description |
|---|---|---|
| _raw (list / elements=string) | success | a password |





Authors

© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.11/collections/community/general/passwordstore_lookup.html