community.sops.sops lookup – Read SOPS-encrypted file contents
Note
This lookup plugin is part of the community.sops collection (version 1.9.1).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.sops.
You need further requirements to be able to use this lookup plugin,
see Requirements for details.
To use it in a playbook, specify: community.sops.sops.
New in community.sops 0.1.0
Synopsis
- This lookup returns the decrypted contents of a SOPS-encrypted file on the Ansible controller's file system.
- This lookup requires the sops executable to be available in the controller's PATH (or to be configured with sops_binary).
Requirements
The below requirements are needed on the local controller node that executes this lookup.
- A binary executable sops (https://github.com/getsops/sops) must exist either in PATH or be configured as sops_binary.
Terms
| Parameter | Comments |
|---|---|
| _terms | Path(s) of files to read. |
Keyword parameters
This describes keyword parameters of the lookup. These are the values key1=value1, key2=value2 and so on in the following
examples: lookup('community.sops.sops', key1=value1, key2=value2, ...) and query('community.sops.sops', key1=value1, key2=value2, ...)
| Parameter | Comments |
|---|---|
| age_key | One or more age private keys that can be used to decrypt encrypted files. Passed to SOPS through its age key environment variable. Requires SOPS 3.7.1+. |
| age_keyfile | The file containing the age private keys that SOPS can use to decrypt encrypted files. Passed to SOPS through its age key file environment variable. By default, SOPS looks for the key file in its own configuration directory. Requires SOPS 3.7.0+. |
| aws_access_key_id | The AWS access key ID to use for requests to AWS. Exported to SOPS as the corresponding AWS environment variable. |
| aws_profile | The AWS profile to use for requests to AWS. Passed through to the SOPS AWS profile option. |
| aws_secret_access_key | The AWS secret access key to use for requests to AWS. Exported to SOPS as the corresponding AWS environment variable. |
| aws_session_token | The AWS session token to use for requests to AWS. Exported to SOPS as the corresponding AWS environment variable. |
| base64 | Base64-encodes the parsed result. Use this if you want to store binary data in Ansible variables. Choices: false (default), true. |
| config_path | Path to the SOPS configuration file. If not set, SOPS will recursively search for the config file starting at the file that is encrypted or decrypted. Passed through to the SOPS configuration file option. |
| empty_on_not_exist | When set to true, the lookup does not raise an error when a file cannot be found but returns an empty string instead. Choices: false (default), true. |
| enable_local_keyservice | Tell SOPS to use the local key service. Passed through to the equivalent SOPS command-line flag. Choices: false (default), true. |
| extract | Tell SOPS to extract a specific key from a JSON or YAML file. Expects a string with the same 'querystring' syntax as SOPS' own extract option. Note: escape quotes appropriately. |
| input_type | Tell SOPS how to interpret the encrypted file. By default, SOPS chooses the input type from the file extension; if it detects the wrong type for a file, decryption can fail. Choices: binary, json, yaml, dotenv. |
| keyservice | Specify key services to use next to the local one. A key service must be specified as a protocol and address, in the form SOPS accepts for its key service option. Passed through to the SOPS key service option. |
| output_type | Tell SOPS how to interpret the decrypted file. By default, SOPS chooses the output type from the file extension; if it detects the wrong type for a file, decryption can fail. Choices: binary, json, yaml, dotenv. |
| rstrip | Whether to remove trailing newlines and spaces. Choices: false, true (default). |
| sops_binary | Path to the SOPS binary. By default, the sops executable found in PATH is used. |
Notes
Note
- When keyword and positional parameters are used together, positional parameters must be listed before keyword parameters: lookup('community.sops.sops', term1, term2, key1=value1, key2=value2) and query('community.sops.sops', term1, term2, key1=value1, key2=value2).
- This lookup does not understand 'globbing'; use the fileglob lookup instead.
See Also
- community.sops.decrypt filter plugin: the decrypt filter can be used to decrypt SOPS-encrypted in-memory data.
- community.sops.sops vars plugin: the sops vars plugin can be used to load SOPS-encrypted host or group variables.
- community.sops.load_vars: load SOPS-encrypted variables from files, dynamically within a task.
Examples
```yaml
- name: Output secrets to screen (BAD IDEA!)
  ansible.builtin.debug:
    msg: "Content: {{ lookup('community.sops.sops', item) }}"
  loop:
    - sops-encrypted-file.enc.yaml

- name: Add SSH private key
  ansible.builtin.copy:
    # Note that rstrip=false is necessary for some SSH versions to be able to use the key
    content: "{{ lookup('community.sops.sops', user + '-id_rsa', rstrip=false) }}"
    dest: /home/{{ user }}/.ssh/id_rsa
    owner: "{{ user }}"
    group: "{{ user }}"
    mode: "0600"
  no_log: true  # avoid writing the key content to the log

- name: The file file.json is a YAML file, which contains the encryption of binary data
  ansible.builtin.debug:
    msg: "Content: {{ lookup('community.sops.sops', 'file.json', input_type='yaml', output_type='binary') }}"
```
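The following playbook is an added example and is not part of the collection's documentation. It shows the keyword parameters described above working together: extract to pull a single value out of an encrypted YAML document, empty_on_not_exist for an optional file, base64 to carry binary data through an Ansible variable without corruption, and fileglob to compensate for the lookup's lack of globbing. The file names under secrets/, the key path used with extract, and the destination paths are all hypothetical; it assumes a collection version that supports empty_on_not_exist.

```yaml
# Added example, not from the community.sops documentation.
# Assumed (hypothetical) inputs:
#   secrets/db.sops.yaml       encrypted YAML with a top-level "db" map holding "password"
#   secrets/optional.sops.yaml may or may not exist
#   secrets/cert.sops.json     encrypted binary (DER) stored as a SOPS JSON file
#   secrets/*.sops.yaml        several encrypted YAML files for the fileglob task
- name: Demonstrate community.sops.sops lookup options
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Read one value from an encrypted YAML file with extract
      ansible.builtin.set_fact:
        db_password: "{{ lookup('community.sops.sops', 'secrets/db.sops.yaml', extract='[\"db\"][\"password\"]') }}"
      no_log: true   # keeps the decrypted value out of logs and -v output

    - name: Tolerate a missing optional file instead of failing the play
      ansible.builtin.set_fact:
        optional_token: "{{ lookup('community.sops.sops', 'secrets/optional.sops.yaml', empty_on_not_exist=true) }}"
      no_log: true

    - name: Report only whether the optional secret was present, never its value
      ansible.builtin.debug:
        msg: "optional token present: {{ optional_token | length > 0 }}"

    - name: Decrypt binary data into a variable, base64-encoded so no bytes are mangled
      ansible.builtin.set_fact:
        cert_b64: "{{ lookup('community.sops.sops', 'secrets/cert.sops.json', input_type='json', output_type='binary', base64=true) }}"
      no_log: true

    - name: Write the base64 text to the host (copy handles text safely)
      ansible.builtin.copy:
        content: "{{ cert_b64 }}"
        dest: /tmp/cert.der.b64
        mode: "0600"
      no_log: true

    - name: Decode on the host, keeping the secret off the command line
      ansible.builtin.shell: base64 -d /tmp/cert.der.b64 > /tmp/cert.der && chmod 0600 /tmp/cert.der
      args:
        creates: /tmp/cert.der

    - name: The lookup does not glob; pair it with fileglob to decrypt many files
      ansible.builtin.debug:
        msg: "Decrypted {{ item | basename }} ({{ lookup('community.sops.sops', item, rstrip=false) | length }} characters)"
      loop: "{{ lookup('ansible.builtin.fileglob', 'secrets/*.sops.yaml', wantlist=true) }}"
```

Two design points carry over to real playbooks: every task whose result holds plaintext sets no_log so the value never reaches the log or verbose output, and the binary case is decoded on the target from a 0600 file rather than passed as a shell argument, so it never appears in a process listing.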
Return Value
| Key | Description |
|---|---|
| _raw | Decrypted file content. Returned: success |
