community.sops.sops – Read sops encrypted file contents
Note
This plugin is part of the community.sops collection (version 1.0.4).
To install it use: ansible-galaxy collection install community.sops
To use it in a playbook, specify: community.sops.sops
New in version 0.1.0 of community.sops
Synopsis
- This lookup returns the contents from a file on the Ansible controller’s file system.
- This lookup requires the sops executable to be available in the controller PATH.
Parameters
Parameter | Choices/Defaults | Configuration | Comments
---|---|---|---
_terms (string / required) | | | Path(s) of files to read.
aws_access_key_id (string; added in 1.0.0 of community.sops) | | var: sops_aws_access_key_id | The AWS access key ID to use for requests to AWS. Sets the environment variable
aws_profile (string; added in 1.0.0 of community.sops) | | var: sops_aws_profile | The AWS profile to use for requests to AWS. This corresponds to the sops
aws_secret_access_key (string; added in 1.0.0 of community.sops) | | var: sops_aws_secret_access_key | The AWS secret access key to use for requests to AWS. Sets the environment variable
aws_session_token (string; added in 1.0.0 of community.sops) | | var: sops_session_token | The AWS session token to use for requests to AWS. Sets the environment variable
base64 (boolean) | | | Base64-encodes the parsed result. Use this if you want to store binary data in Ansible variables.
config_path (path; added in 1.0.0 of community.sops) | | var: sops_config_path | Path to the sops configuration file. If not set, sops will recursively search for the config file starting at the file that is encrypted or decrypted. This corresponds to the sops
empty_on_not_exist (boolean) | | | When set to
enable_local_keyservice (boolean; added in 1.0.0 of community.sops) | | var: sops_enable_local_keyservice | Tell sops to use the local key service. This corresponds to the sops
input_type (string) | | | Tell sops how to interpret the encrypted file. By default, sops will choose the input type from the file extension. If it detects the wrong type for a file, this could result in decryption failing.
keyservice (list / elements=string; added in 1.0.0 of community.sops) | | var: sops_keyservice | Specify key services to use next to the local one. A key service must be specified in the form This corresponds to the sops
output_type (string) | | | Tell sops how to interpret the decrypted file. By default, sops will choose the output type from the file extension. If it detects the wrong type for a file, this could result in decryption failing.
rstrip (boolean) | | | Whether to remove trailing newlines and spaces.
sops_binary (path; added in 1.0.0 of community.sops) | | var: sops_binary | Path to the sops binary. By default uses
Notes
Note
- This lookup does not understand globbing; use the fileglob lookup instead.
Examples
```yaml
tasks:
  - name: Output secrets to screen (BAD IDEA!)
    ansible.builtin.debug:
      msg: "Content: {{ lookup('community.sops.sops', item) }}"
    loop:
      - sops-encrypted-file.enc.yaml

  - name: Add SSH private key
    ansible.builtin.copy:
      content: "{{ lookup('community.sops.sops', user + '-id_rsa') }}"
      dest: "/home/{{ user }}/.ssh/id_rsa"
      owner: "{{ user }}"
      group: "{{ user }}"
      mode: "0600"
    no_log: true  # keep the decrypted key material out of the Ansible log

  - name: The file file.json is a YAML file, which contains the encryption of binary data
    ansible.builtin.debug:
      msg: "Content: {{ lookup('community.sops.sops', 'file.json', input_type='yaml', output_type='binary') }}"
```
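An added example, not taken from the page or from the collection's own documentation, that combines the var-based configuration from the Parameters table (sops_binary, sops_config_path, sops_aws_profile) with the base64 option for a file stored as binary and with no_log on every task that touches decrypted data. The file names under secrets/, the webservers group, the deploy-kms AWS profile and the db.conf.j2 template are assumptions.

```yaml
# Added example: decrypt sops-encrypted files on the controller and deploy them.
- name: Deploy secrets decrypted on the controller with community.sops.sops
  hosts: webservers                     # assumed inventory group
  vars:
    # Lookup options set through their "var:" names instead of per-call kwargs
    sops_binary: /usr/local/bin/sops    # assumed non-default location of sops
    sops_config_path: "{{ playbook_dir }}/.sops.yaml"
    sops_aws_profile: deploy-kms        # assumed AWS profile allowed to use the KMS key
  tasks:
    # secrets/tls.key.enc was encrypted by sops as a binary file (assumed).
    # base64=true keeps the decrypted bytes intact inside Ansible's string
    # variables; b64decode restores them right before they are written.
    - name: Install the TLS private key
      ansible.builtin.copy:
        content: "{{ lookup('community.sops.sops',
                           playbook_dir + '/secrets/tls.key.enc',
                           input_type='binary', output_type='binary',
                           base64=true) | b64decode }}"
        dest: /etc/ssl/private/app.key
        owner: root
        group: root
        mode: "0600"
      no_log: true                      # decrypted key never reaches the log

    # secrets/db.yaml is a sops-encrypted YAML document (assumed); the
    # extension lets sops pick the input and output types on its own.
    - name: Load structured secrets into a dict
      ansible.builtin.set_fact:
        db_secrets: "{{ lookup('community.sops.sops',
                               playbook_dir + '/secrets/db.yaml') | from_yaml }}"
      no_log: true

    # The values only ever appear inside the rendered file on the target,
    # never on a command line or in task output.
    - name: Render the database configuration from the decrypted values
      ansible.builtin.template:
        src: db.conf.j2                 # assumed template using db_secrets
        dest: /etc/app/db.conf
        owner: root
        group: app
        mode: "0640"
      no_log: true
```

Because decryption happens on the controller, only the controller needs the sops binary and the KMS credentials; the managed hosts receive plaintext files and never see the encrypted originals.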
Return Values
Common return values are documented here, the following are the fields unique to this lookup:
Key | Returned | Description
---|---|---
_raw (list / elements=string) | success | Decrypted file content.
Authors
- Edoardo Tenani (@endorama) <[email protected]>
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.11/collections/community/sops/sops_lookup.html