community.sops.decrypt filter – Decrypt SOPS-encrypted data
Note
This filter plugin is part of the community.sops collection (version 1.9.1).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install community.sops
.
You need further requirements to be able to use this filter plugin,
see Requirements for details.
To use it in a playbook, specify: community.sops.decrypt
.
New in community.sops 1.1.0
Synopsis
Decrypt SOPS-encrypted data.
Allows to decrypt data that has been provided by an arbitrary source.
Note that due to Ansible lazy-evaluating expressions, it is better to use ansible.builtin.set_fact to store the result of an evaluation in a fact to avoid recomputing the value every time the expression is used.
Requirements
The below requirements are needed on the local controller node that executes this filter.
A binary executable
sops
(https://github.com/getsops/sops) must exist either inPATH
or configured assops_binary
.
Input
This describes the input of the filter, the value before | community.sops.decrypt
.
Parameter |
Comments |
---|---|
The data to decrypt. |
Keyword parameters
This describes keyword parameters of the filter. These are the values key1=value1
, key2=value2
and so on in the following
example: input | community.sops.decrypt(key1=value1, key2=value2, ...)
Parameter |
Comments |
---|---|
One or more age private keys that can be used to decrypt encrypted files. Will be set as the Requires SOPS 3.7.1+. |
|
The file containing the age private keys that SOPS can use to decrypt encrypted files. Will be set as the By default, SOPS looks for Requires SOPS 3.7.0+. |
|
The AWS access key ID to use for requests to AWS. Sets the environment variable |
|
The AWS profile to use for requests to AWS. This corresponds to the SOPS |
|
The AWS secret access key to use for requests to AWS. Sets the environment variable |
|
The AWS session token to use for requests to AWS. Sets the environment variable |
|
Path to the SOPS configuration file. If not set, SOPS will recursively search for the config file starting at the file that is encrypted or decrypted. This corresponds to the SOPS |
|
Whether to decode the output to bytes. When Choices:
|
|
Tell SOPS to use local key service. This corresponds to the SOPS Choices:
|
|
Tell SOPS how to interpret the encrypted data. There is no auto-detection since we do not have a filename. By default SOPS is told to treat the input as YAML. If that is wrong, please set this option to the correct value. The value Choices:
|
|
Specify key services to use next to the local one. A key service must be specified in the form This corresponds to the SOPS |
|
Tell SOPS how to interpret the decrypted file. Please note that the output is always text or bytes, depending on the value of The value Choices:
|
|
Whether to remove trailing newlines and spaces. Choices:
|
|
Path to the SOPS binary. By default uses |
See Also
See also
- community.sops.sops lookup plugin
Read SOPS-encrypted file contents.
- community.sops.sops vars plugin
Loading SOPS-encrypted vars files.
- community.sops.load_vars
Load SOPS-encrypted variables from files, dynamically within a task.
Examples
- name: Decrypt file fetched from URL
hosts: localhost
gather_facts: false
tasks:
- name: Fetch file from URL
ansible.builtin.uri:
url: https://raw.githubusercontent.com/getsops/sops/master/functional-tests/res/comments.enc.yaml
return_content: true
register: encrypted_content
- name: Show encrypted data
debug:
msg: "{{ encrypted_content.content | ansible.builtin.from_yaml }}"
- name: Decrypt data and decode decrypted YAML
set_fact:
decrypted_data: "{{ encrypted_content.content | community.sops.decrypt | ansible.builtin.from_yaml }}"
- name: Show decrypted data
debug:
msg: "{{ decrypted_data }}"
Return Value
Key |
Description |
---|---|
Decrypted data as text ( Returned: success |