community.general.credstash – retrieve secrets from Credstash on AWS

Note

This plugin is part of the community.general collection (version 3.8.3).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.credstash.

Synopsis

Requirements

The below requirements are needed on the local controller node that executes this lookup.

  • credstash (python library)

Parameters

Parameter

Comments

_terms

list / elements=string / required

term or list of terms to lookup in the credit store

aws_access_key_id

string

AWS access key ID

Configuration:

  • Environment variable: AWS_ACCESS_KEY_ID

aws_secret_access_key

string

AWS access key

Configuration:

  • Environment variable: AWS_SECRET_ACCESS_KEY

aws_session_token

string

AWS session token

Configuration:

  • Environment variable: AWS_SESSION_TOKEN

profile_name

string

AWS profile to use for authentication

Configuration:

  • Environment variable: AWS_PROFILE

region

string

AWS region

table

string / required

name of the credstash table to query

Default: “credential-store”

version

string

Credstash version

Examples

- name: first use credstash to store your secrets
  ansible.builtin.shell: credstash put my-github-password secure123

- name: "Test credstash lookup plugin -- get my github password"
  ansible.builtin.debug:
    msg: "Credstash lookup! {{ lookup('community.general.credstash', 'my-github-password') }}"

- name: "Test credstash lookup plugin -- get my other password from us-west-1"
  ansible.builtin.debug:
    msg: "Credstash lookup! {{ lookup('community.general.credstash', 'my-other-password', region='us-west-1') }}"

- name: "Test credstash lookup plugin -- get the company's github password"
  ansible.builtin.debug:
    msg: "Credstash lookup! {{ lookup('community.general.credstash', 'company-github-password', table='company-passwords') }}"

- name: Example play using the 'context' feature
  hosts: localhost
  vars:
    context:
      app: my_app
      environment: production
  tasks:

  - name: "Test credstash lookup plugin -- get the password with a context passed as a variable"
    ansible.builtin.debug:
      msg: "{{ lookup('community.general.credstash', 'some-password', context=context) }}"

  - name: "Test credstash lookup plugin -- get the password with a context defined here"
    ansible.builtin.debug:
      msg: "{{ lookup('community.general.credstash', 'some-password', context=dict(app='my_app', environment='production')) }}"

Return Values

Common return values are documented here, the following are the fields unique to this lookup:

Key

Description

_raw

string

Value(s) stored in Credstash.

Returned: success

Authors

  • Unknown (!UNKNOWN)