community.sops.decrypt (1.6.7) — filter

Decrypt sops encrypted data

Added in version 1.1.0 of community.sops

Authors: Felix Fontein (@felixfontein)

Install collection

Install with ansible-galaxy collection install community.sops:==1.6.7


Add to requirements.yml

  collections:
    - name: community.sops
      version: 1.6.7

Description

Decrypt sops encrypted data.

Allows decrypting data that has been provided by an arbitrary source (a file, a URL, a variable, and so on).

Note that because Ansible evaluates expressions lazily, it is better to use M(ansible.builtin.set_fact) to store the result of an evaluation in a fact, so that the value is not recomputed (and sops not re-run) every time the expression is used.

Usage examples

- name: Decrypt file fetched from URL
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Fetch file from URL
      ansible.builtin.uri:
        url: https://raw.githubusercontent.com/getsops/sops/master/functional-tests/res/comments.enc.yaml
        return_content: true
      register: encrypted_content

    - name: Show encrypted data
      ansible.builtin.debug:
        msg: "{{ encrypted_content.content | ansible.builtin.from_yaml }}"

    - name: Decrypt data and decode decrypted YAML
      ansible.builtin.set_fact:
        decrypted_data: "{{ encrypted_content.content | community.sops.decrypt | ansible.builtin.from_yaml }}"

    - name: Show decrypted data
      ansible.builtin.debug:
        msg: "{{ decrypted_data }}"

Inputs

_input:
    description:
    - The data to decrypt.
    required: true
    type: string

rstrip:
    default: true
    description:
    - Whether to remove trailing newlines and spaces.
    type: bool

age_key:
    description:
    - One or more age private keys that can be used to decrypt encrypted files.
    - Will be set as the E(SOPS_AGE_KEY) environment variable when calling sops.
    type: str
    version_added: 1.4.0
    version_added_collection: community.sops

input_type:
    choices:
    - binary
    - json
    - yaml
    - dotenv
    default: yaml
    description:
    - Tell sops how to interpret the encrypted data.
    - There is no auto-detection since we do not have a filename. By default sops is told
      to treat the input as YAML. If that is wrong, please set this option to the correct
      value.
    type: str

keyservice:
    description:
    - Specify key services to use next to the local one.
    - A key service must be specified in the form C(protocol://address), for example C(tcp://myserver.com:5000).
    - This corresponds to the sops C(--keyservice) option.
    elements: str
    type: list
    version_added: 1.0.0
    version_added_collection: community.sops

age_keyfile:
    description:
    - The file containing the age private keys that sops can use to decrypt encrypted
      files.
    - Will be set as the E(SOPS_AGE_KEY_FILE) environment variable when calling sops.
    - By default, sops looks for C(sops/age/keys.txt) inside your user configuration directory.
    type: path
    version_added: 1.4.0
    version_added_collection: community.sops

aws_profile:
    description:
    - The AWS profile to use for requests to AWS.
    - This corresponds to the sops C(--aws-profile) option.
    type: str
    version_added: 1.0.0
    version_added_collection: community.sops

config_path:
    description:
    - Path to the sops configuration file.
    - If not set, sops will recursively search for the config file starting at the file
      that is encrypted or decrypted.
    - This corresponds to the sops C(--config) option.
    type: path
    version_added: 1.0.0
    version_added_collection: community.sops

output_type:
    choices:
    - binary
    - json
    - yaml
    - dotenv
    default: yaml
    description:
    - Tell sops how to interpret the decrypted file.
    - Please note that the output is always text or bytes, depending on the value of O(decode_output).
      To parse the resulting JSON or YAML, use corresponding filters such as P(ansible.builtin.from_json#filter)
      and P(ansible.builtin.from_yaml#filter).
    type: str

sops_binary:
    description:
    - Path to the sops binary.
    - By default uses C(sops).
    type: path
    version_added: 1.0.0
    version_added_collection: community.sops

decode_output:
    default: true
    description:
    - Whether to decode the output to bytes.
    - When O(output_type=binary) and the file is not known to contain UTF-8 encoded text,
      this should be set to V(false) to prevent mangling the data with UTF-8 decoding.
    type: bool

aws_access_key_id:
    description:
    - The AWS access key ID to use for requests to AWS.
    - Sets the environment variable E(AWS_ACCESS_KEY_ID) for the sops call.
    type: str
    version_added: 1.0.0
    version_added_collection: community.sops

aws_session_token:
    description:
    - The AWS session token to use for requests to AWS.
    - Sets the environment variable E(AWS_SESSION_TOKEN) for the sops call.
    type: str
    version_added: 1.0.0
    version_added_collection: community.sops

aws_secret_access_key:
    description:
    - The AWS secret access key to use for requests to AWS.
    - Sets the environment variable E(AWS_SECRET_ACCESS_KEY) for the sops call.
    type: str
    version_added: 1.0.0
    version_added_collection: community.sops

enable_local_keyservice:
    default: false
    description:
    - Tell sops to use local key service.
    - This corresponds to the sops C(--enable-local-keyservice) option.
    type: bool
    version_added: 1.0.0
    version_added_collection: community.sops
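The following playbook is an added example (not part of the collection's own documentation) showing how the options above combine: an explicit O(input_type)/O(output_type) pair for a dotenv-formatted sops file converted to JSON, O(age_keyfile) for the decryption key, O(decode_output=false) for a binary payload, and `no_log` so the decrypted values never appear in task output or logs. All file paths are placeholders you need to replace.

```yaml
- name: Decrypt sops data with explicit input/output types
  hosts: localhost
  gather_facts: false
  vars:
    # Placeholder paths (assumed for this example, not taken from the docs).
    encrypted_env_path: /path/to/secrets.enc.env
    encrypted_blob_path: /path/to/blob.enc.bin
    age_keys_path: /path/to/age-keys.txt
  tasks:
    - name: Read the sops-encrypted dotenv file on the controller
      ansible.builtin.set_fact:
        encrypted_env: "{{ lookup('ansible.builtin.file', encrypted_env_path) }}"

    # Decrypt once and keep the parsed result in a fact, so sops is not
    # re-run every time the secrets are referenced. Without a filename sops
    # cannot detect the format, so input_type must say it is dotenv; asking
    # for JSON output lets from_json turn it into a dict.
    - name: Decrypt, convert dotenv to JSON, and store the parsed result
      ansible.builtin.set_fact:
        app_secrets: >-
          {{ encrypted_env
             | community.sops.decrypt(input_type='dotenv',
                                      output_type='json',
                                      age_keyfile=age_keys_path)
             | ansible.builtin.from_json }}
      no_log: true  # keep plaintext secrets out of logs and task output

    - name: Use a single key from the decrypted secrets
      ansible.builtin.debug:
        msg: "Database user is {{ app_secrets.DB_USER }}"

    # For a binary payload (sops stores it as a JSON container, so reading it
    # as text is fine) disable UTF-8 decoding of the decrypted bytes and
    # base64-encode them so the fact stays a plain string.
    - name: Decrypt a binary payload without UTF-8 decoding
      ansible.builtin.set_fact:
        blob_b64: >-
          {{ lookup('ansible.builtin.file', encrypted_blob_path)
             | community.sops.decrypt(input_type='binary',
                                      output_type='binary',
                                      decode_output=false,
                                      age_keyfile=age_keys_path)
             | ansible.builtin.b64encode }}
      no_log: true
```

`no_log: true` also hides the task's own error output, so drop it temporarily when debugging a failing decryption on a non-production key.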

Outputs

_value:
  description:
  - Decrypted data as text (O(decode_output=true), default) or binary string (O(decode_output=false)).
  type: string

See also