community.sops.sops (1.6.7) — lookup

Read sops encrypted file contents

Added in version 0.1.0 of community.sops

Authors: Edoardo Tenani (@endorama) <e.tenani@arduino.cc>

Install collection

Install with ansible-galaxy collection install community.sops:==1.6.7


Add to requirements.yml

  collections:
    # Pin the exact release so repeated installs resolve to the same collection version.
    - version: 1.6.7
      name: community.sops

Description

This lookup returns the contents from a file on the Ansible controller's file system.

This lookup requires the C(sops) executable to be available in the controller PATH.

Usage examples

# Demonstration only: the decrypted value is printed in clear in the task result,
# so anything that captures task output (callbacks, log files) will hold the secret.
- name: Output secrets to screen (BAD IDEA!)
  ansible.builtin.debug:
    msg: >-
      Content: {{ lookup('community.sops.sops', item) }}
  loop:
    - sops-encrypted-file.enc.yaml
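- name: Add SSH private key
  ansible.builtin.copy:
    # Note that rstrip=false is necessary for some SSH versions to be able to use the key
    content: "{{ lookup('community.sops.sops', user + '-id_rsa', rstrip=false) }}"
    dest: "/home/{{ user }}/.ssh/id_rsa"
    owner: "{{ user }}"
    group: "{{ user }}"
    # Quoted so every YAML parser keeps the leading zero and Ansible reads it as octal 0600;
    # an unquoted 0600 is an octal int under YAML 1.1 but decimal 600 under YAML 1.2.
    mode: "0600"
  no_log: true  # keep the key material out of the task result and logs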
# input_type overrides the extension-based detection sops would otherwise apply to
# a .json file; output_type=binary asks sops for the raw decrypted payload.
- name: The file file.json is a YAML file, which contains the encryption of binary data
  ansible.builtin.debug:
    msg: >-
      Content: {{ lookup('community.sops.sops', 'file.json', input_type='yaml', output_type='binary') }}

Inputs

    
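# Lookup options. Besides lookup keyword arguments (for example rstrip=false),
# an option can be supplied through the env, ini and vars sources listed under it.
_terms:
    description: Path(s) of files to read.
    required: true

base64:
    default: false
    description:
    - Base64-encodes the parsed result.
    - Use this if you want to store binary data in Ansible variables.
    type: bool

rstrip:
    default: true
    description: Whether to remove trailing newlines and spaces.
    type: bool

# Private key material: exposed via env and vars only, no ini entry.
age_key:
    description:
    - One or more age private keys that can be used to decrypt encrypted files.
    - Will be set as the E(SOPS_AGE_KEY) environment variable when calling sops.
    env:
    - name: ANSIBLE_SOPS_AGE_KEY
    type: str
    vars:
    - name: sops_age_key
    version_added: 1.4.0
    version_added_collection: community.sops

input_type:
    choices:
    - binary
    - json
    - yaml
    - dotenv
    description:
    - Tell sops how to interpret the encrypted file.
    - By default, sops will choose the input type from the file extension. If it detects
      the wrong type for a file, this could result in decryption failing.
    type: str

keyservice:
    description:
    - Specify key services to use next to the local one.
    - A key service must be specified in the form C(protocol://address), for example C(tcp://myserver.com:5000).
    - This corresponds to the sops C(--keyservice) option.
    elements: str
    env:
    - name: ANSIBLE_SOPS_KEYSERVICE
      version_added: 1.2.0
      version_added_collection: community.sops
    ini:
    - key: keyservice
      section: community.sops
      version_added: 1.2.0
      version_added_collection: community.sops
    type: list
    vars:
    - name: sops_keyservice
    version_added: 1.0.0
    version_added_collection: community.sops

age_keyfile:
    description:
    - The file containing the age private keys that sops can use to decrypt encrypted
      files.
    - Will be set as the E(SOPS_AGE_KEY_FILE) environment variable when calling sops.
    - By default, sops looks for C(sops/age/keys.txt) inside your user configuration directory.
    env:
    - name: ANSIBLE_SOPS_AGE_KEYFILE
    ini:
    - key: age_keyfile
      section: community.sops
    type: path
    vars:
    - name: sops_age_keyfile
    version_added: 1.4.0
    version_added_collection: community.sops

aws_profile:
    description:
    - The AWS profile to use for requests to AWS.
    - This corresponds to the sops C(--aws-profile) option.
    env:
    - name: ANSIBLE_SOPS_AWS_PROFILE
      version_added: 1.2.0
      version_added_collection: community.sops
    ini:
    - key: aws_profile
      section: community.sops
      version_added: 1.2.0
      version_added_collection: community.sops
    type: str
    vars:
    - name: sops_aws_profile
    version_added: 1.0.0
    version_added_collection: community.sops

config_path:
    description:
    - Path to the sops configuration file.
    - If not set, sops will recursively search for the config file starting at the file
      that is encrypted or decrypted.
    - This corresponds to the sops C(--config) option.
    env:
    - name: ANSIBLE_SOPS_CONFIG_PATH
      version_added: 1.2.0
      version_added_collection: community.sops
    ini:
    - key: config_path
      section: community.sops
      version_added: 1.2.0
      version_added_collection: community.sops
    type: path
    vars:
    - name: sops_config_path
    version_added: 1.0.0
    version_added_collection: community.sops

output_type:
    choices:
    - binary
    - json
    - yaml
    - dotenv
    description:
    - Tell sops how to interpret the decrypted file.
    - By default, sops will choose the output type from the file extension. If it detects
      the wrong type for a file, this could result in decryption failing.
    type: str

sops_binary:
    description:
    - Path to the sops binary.
    - By default uses C(sops).
    env:
    - name: ANSIBLE_SOPS_BINARY
      version_added: 1.2.0
      version_added_collection: community.sops
    ini:
    - key: binary
      section: community.sops
      version_added: 1.2.0
      version_added_collection: community.sops
    type: path
    vars:
    - name: sops_binary
    version_added: 1.0.0
    version_added_collection: community.sops

aws_access_key_id:
    description:
    - The AWS access key ID to use for requests to AWS.
    - Sets the environment variable E(AWS_ACCESS_KEY_ID) for the sops call.
    env:
    - name: ANSIBLE_SOPS_AWS_ACCESS_KEY_ID
      version_added: 1.2.0
      version_added_collection: community.sops
    ini:
    - key: aws_access_key_id
      section: community.sops
      version_added: 1.2.0
      version_added_collection: community.sops
    type: str
    vars:
    - name: sops_aws_access_key_id
    version_added: 1.0.0
    version_added_collection: community.sops

aws_session_token:
    description:
    - The AWS session token to use for requests to AWS.
    - Sets the environment variable E(AWS_SESSION_TOKEN) for the sops call.
    env:
    - name: ANSIBLE_SOPS_AWS_SESSION_TOKEN
      version_added: 1.2.0
      version_added_collection: community.sops
    ini:
    - key: aws_session_token
      section: community.sops
      version_added: 1.2.0
      version_added_collection: community.sops
    type: str
    vars:
    # Two variable names are accepted: sops_session_token is presumably the original
    # name (no version_added of its own); sops_aws_session_token was added in 1.2.0.
    - name: sops_session_token
    - name: sops_aws_session_token
      version_added: 1.2.0
      version_added_collection: community.sops
    version_added: 1.0.0
    version_added_collection: community.sops

# When enabled, a missing file yields an empty string rather than an error; a caller that
# writes the lookup result somewhere (for example a key file) should check for emptiness.
empty_on_not_exist:
    default: false
    description:
    - When set to V(true), will not raise an error when a file cannot be found, but return
      an empty string instead.
    type: bool

# NOTE(review): unlike aws_access_key_id and aws_session_token this option lists no ini
# source, presumably so the secret is never kept in ansible.cfg — confirm before adding one.
aws_secret_access_key:
    description:
    - The AWS secret access key to use for requests to AWS.
    - Sets the environment variable E(AWS_SECRET_ACCESS_KEY) for the sops call.
    env:
    - name: ANSIBLE_SOPS_AWS_SECRET_ACCESS_KEY
      version_added: 1.2.0
      version_added_collection: community.sops
    type: str
    vars:
    - name: sops_aws_secret_access_key
    version_added: 1.0.0
    version_added_collection: community.sops

enable_local_keyservice:
    default: false
    description:
    - Tell sops to use local key service.
    - This corresponds to the sops C(--enable-local-keyservice) option.
    env:
    - name: ANSIBLE_SOPS_ENABLE_LOCAL_KEYSERVICE
      version_added: 1.2.0
      version_added_collection: community.sops
    ini:
    - key: enable_local_keyservice
      section: community.sops
      version_added: 1.2.0
      version_added_collection: community.sops
    type: bool
    vars:
    - name: sops_enable_local_keyservice
    version_added: 1.0.0
    version_added_collection: community.sops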

Outputs

# Lookup result: a list with one decrypted content string per path given in _terms.
_raw:
  type: list
  elements: str
  description: Decrypted file content.

See also