community.sops.sops – Loading sops-encrypted vars files

Note

This plugin is part of the community.sops collection (version 1.2.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.sops.

To use it in a playbook, specify: community.sops.sops.

New in version 0.1.0 of community.sops

Synopsis

  • Load encrypted YAML files into corresponding groups/hosts in group_vars/ and host_vars/ directories.

  • Files are decrypted prior to reading, making this plugin an effective companion to the host_group_vars plugin.

  • Files are restricted to .sops.yaml, .sops.yml, .sops.json extensions.

  • Hidden files are ignored.
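The four synopsis rules together decide which files in group_vars/ and host_vars/ the plugin will even attempt to decrypt. The following is an added illustration of those rules, not the plugin's own code: it assumes the same layout the host_group_vars plugin understands (a file named after the group or host, or a directory named after it), applies the default extension list from the _valid_extensions option, skips hidden files, and runs against a constructed inventory tree in a temporary directory.

```python
"""Illustration of the file-selection rules in the synopsis
(added example; not the plugin's own code)."""
import os
import tempfile

# Default of the _valid_extensions option as documented on this page
DEFAULT_VALID_EXTENSIONS = (".sops.yml", ".sops.yaml", ".sops.json")


def is_sops_vars_file(filename, valid_extensions=DEFAULT_VALID_EXTENSIONS):
    """True if filename is a candidate: not hidden, and carrying one of the
    configured extensions. 'secrets.yaml' and '.all.sops.yaml' are rejected."""
    base = os.path.basename(filename)
    if base.startswith("."):
        return False  # hidden files are ignored
    return any(base.endswith(ext) for ext in valid_extensions)


def find_vars_files(basedir, entity_name, kind,
                    valid_extensions=DEFAULT_VALID_EXTENSIONS):
    """Return the candidate files for one inventory group or host, sorted.

    kind is 'group' or 'host'. Assumed layout (same as host_group_vars):
    <basedir>/group_vars/<name><ext> or files inside
    <basedir>/group_vars/<name>/ (likewise for host_vars)."""
    subdir = os.path.join(basedir, "group_vars" if kind == "group" else "host_vars")
    found = []
    # plain file form: group_vars/<name>.sops.yaml
    for ext in valid_extensions:
        path = os.path.join(subdir, entity_name + ext)
        if os.path.isfile(path):
            found.append(path)
    # directory form: group_vars/<name>/*.sops.yaml
    entity_dir = os.path.join(subdir, entity_name)
    if os.path.isdir(entity_dir):
        for name in sorted(os.listdir(entity_dir)):
            path = os.path.join(entity_dir, name)
            if os.path.isfile(path) and is_sops_vars_file(name, valid_extensions):
                found.append(path)
    return sorted(found)


def run_demo():
    """Build a constructed inventory tree in a temp dir and report, per
    group/host, which files the rules select (paths relative to the root)."""
    layout = [
        "group_vars/all.sops.yaml",        # selected
        "group_vars/all.yaml",             # plain vars file: left to host_group_vars
        "group_vars/web/db.sops.json",     # selected (directory form)
        "group_vars/web/.swap.sops.yaml",  # hidden: ignored
        "group_vars/web/notes.txt",        # wrong extension
        "host_vars/web01.sops.yml",        # selected
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel_path in layout:
            full = os.path.join(root, rel_path)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("{}\n")  # content is irrelevant; only selection is shown

        def rel(paths):
            return [os.path.relpath(p, root) for p in paths]

        return {
            "all": rel(find_vars_files(root, "all", "group")),
            "web": rel(find_vars_files(root, "web", "group")),
            "web01": rel(find_vars_files(root, "web01", "host")),
            "db01": rel(find_vars_files(root, "db01", "host")),
        }


if __name__ == "__main__":
    for entity, files in run_demo().items():
        print(entity, files)
```

The point worth checking in your own tree is the first rule: a secrets file that is not named with one of the configured extensions is not picked up by this plugin, so an unencrypted `group_vars/all.yaml` sitting next to `all.sops.yaml` is loaded as plain text by host_group_vars rather than being rejected.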

Parameters

Parameter

Comments

_valid_extensions

list / elements=string

Check all of these extensions when looking for ‘variable’ files which should be YAML or JSON or vaulted versions of these.

This affects vars_files, include_vars, inventory and vars plugins among others.

Default: [".sops.yml", ".sops.yaml", ".sops.json"]

aws_access_key_id

string

added in 1.0.0 of community.sops

The AWS access key ID to use for requests to AWS.

Sets the environment variable AWS_ACCESS_KEY_ID for the sops call.

Configuration:

  • INI entry:

    [community.sops]
    aws_access_key_id = None
    

    added in 1.2.0 of community.sops

  • Environment variable: ANSIBLE_SOPS_AWS_ACCESS_KEY_ID

    added in 1.2.0 of community.sops

aws_profile

string

added in 1.0.0 of community.sops

The AWS profile to use for requests to AWS.

This corresponds to the sops --aws-profile option.

Configuration:

  • INI entry:

    [community.sops]
    aws_profile = None
    

    added in 1.2.0 of community.sops

  • Environment variable: ANSIBLE_SOPS_AWS_PROFILE

    added in 1.2.0 of community.sops

aws_secret_access_key

string

added in 1.0.0 of community.sops

The AWS secret access key to use for requests to AWS.

Sets the environment variable AWS_SECRET_ACCESS_KEY for the sops call.

Configuration:

  • Environment variable: ANSIBLE_SOPS_AWS_SECRET_ACCESS_KEY

    added in 1.2.0 of community.sops

aws_session_token

string

added in 1.0.0 of community.sops

The AWS session token to use for requests to AWS.

Sets the environment variable AWS_SESSION_TOKEN for the sops call.

Configuration:

  • INI entry:

    [community.sops]
    aws_session_token = None
    

    added in 1.2.0 of community.sops

  • Environment variable: ANSIBLE_SOPS_AWS_SESSION_TOKEN

    added in 1.2.0 of community.sops

cache

boolean

added in 0.2.0 of community.sops

Whether to cache decrypted files or not.

If the cache is disabled, the files will be decrypted for almost every task. This is very slow!

Only disable caching if you modify the variable files during a playbook run and want the updated result to be available from the next task on.

Note that setting stage to inventory has the same effect as setting cache to true: the variables will be loaded only once (during inventory loading) and the vars plugin will not be called for every task.

Choices:

  • no

  • yes ← (default)

Configuration:

  • INI entry:

    [community.sops]
    vars_cache = yes
    
  • Environment variable: ANSIBLE_VARS_SOPS_PLUGIN_CACHE

config_path

path

added in 1.0.0 of community.sops

Path to the sops configuration file.

If not set, sops will recursively search for the config file starting at the file that is encrypted or decrypted.

This corresponds to the sops --config option.

Configuration:

  • INI entry:

    [community.sops]
    config_path = None
    

    added in 1.2.0 of community.sops

  • Environment variable: ANSIBLE_SOPS_CONFIG_PATH

    added in 1.2.0 of community.sops

enable_local_keyservice

boolean

added in 1.0.0 of community.sops

Tell sops to use local key service.

This corresponds to the sops --enable-local-keyservice option.

Choices:

  • no ← (default)

  • yes

Configuration:

  • INI entry:

    [community.sops]
    enable_local_keyservice = no
    

    added in 1.2.0 of community.sops

  • Environment variable: ANSIBLE_SOPS_ENABLE_LOCAL_KEYSERVICE

    added in 1.2.0 of community.sops

keyservice

list / elements=string

added in 1.0.0 of community.sops

Specify key services to use next to the local one.

A key service must be specified in the form protocol://address, for example tcp://myserver.com:5000.

This corresponds to the sops --keyservice option.

Configuration:

  • INI entry:

    [community.sops]
    keyservice = None
    

    added in 1.2.0 of community.sops

  • Environment variable: ANSIBLE_SOPS_KEYSERVICE

    added in 1.2.0 of community.sops

sops_binary

path

added in 1.0.0 of community.sops

Path to the sops binary.

Defaults to sops.

Configuration:

  • INI entry:

    [community.sops]
    binary = None
    

    added in 1.2.0 of community.sops

  • Environment variable: ANSIBLE_SOPS_BINARY

    added in 1.2.0 of community.sops

stage

string

added in 0.2.0 of community.sops

Control when this vars plugin may be executed.

Setting this option to all will run the vars plugin after importing inventory and whenever it is demanded by a task.

Setting this option to task will only run the vars plugin whenever it is demanded by a task.

Setting this option to inventory will only run the vars plugin after parsing inventory.

If this option is omitted, the global RUN_VARS_PLUGINS configuration is used to determine when to execute the vars plugin.

Choices:

  • all

  • task

  • inventory

Configuration:

  • INI entry:

    [community.sops]
    vars_stage = None
    
  • Environment variable: ANSIBLE_VARS_SOPS_PLUGIN_STAGE
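The parameter descriptions above fall into two groups: the AWS credentials are passed to the sops call through environment variables, while config_path, aws_profile, enable_local_keyservice, keyservice and sops_binary become command-line options. The cache option then decides whether that call happens once per file or on almost every task. The following added example (not the plugin's own code) shows one way to express both: a builder that maps an options dict onto the sops argv and environment using the flag and variable names given on this page, and a small loader whose cache behaviour can be exercised with a counting fake runner so no sops binary is needed to run it. The class and function names, and the options dict shape, are assumptions for illustration.

```python
"""Illustration of how the plugin options map onto the sops invocation and
of the effect of the cache option (added example; not the plugin's own code)."""
import subprocess

# option name -> environment variable, as documented on this page
ENV_OPTIONS = (
    ("aws_access_key_id", "AWS_ACCESS_KEY_ID"),
    ("aws_secret_access_key", "AWS_SECRET_ACCESS_KEY"),
    ("aws_session_token", "AWS_SESSION_TOKEN"),
)


def build_sops_call(encrypted_file, options, base_env):
    """Return (argv, env) for decrypting one file.

    Credentials go into the environment and never onto the command line, so
    they do not show up in process listings; the remaining options become the
    sops flags named in this page's parameter descriptions."""
    argv = [options.get("sops_binary") or "sops"]
    if options.get("config_path"):
        argv += ["--config", options["config_path"]]
    if options.get("aws_profile"):
        argv += ["--aws-profile", options["aws_profile"]]
    if options.get("enable_local_keyservice"):
        argv.append("--enable-local-keyservice")
    for keyservice in options.get("keyservice") or []:
        argv += ["--keyservice", keyservice]
    argv += ["--decrypt", encrypted_file]

    env = dict(base_env)
    for opt, var in ENV_OPTIONS:
        if options.get(opt):
            env[var] = options[opt]
    return argv, env


def run_sops(argv, env):
    """Default runner: execute sops and return its stdout; raises on failure."""
    result = subprocess.run(argv, env=env, capture_output=True, text=True, check=True)
    return result.stdout


class SopsVarsLoader:
    """Decrypts vars files on demand, memoising the plaintext when cache=True.

    With cache=True a file is decrypted once per loader lifetime, mirroring the
    page's note that with caching (or stage=inventory) variables are loaded
    only once; with cache=False every load re-runs sops, which is the slow path
    the cache description warns about."""

    def __init__(self, options, base_env, cache=True, runner=run_sops):
        self.options = options
        self.base_env = base_env
        self.cache = cache
        self.runner = runner
        self._decrypted = {}

    def load(self, encrypted_file):
        if self.cache and encrypted_file in self._decrypted:
            return self._decrypted[encrypted_file]
        argv, env = build_sops_call(encrypted_file, self.options, self.base_env)
        plaintext = self.runner(argv, env)
        if self.cache:
            self._decrypted[encrypted_file] = plaintext
        return plaintext


def demo_cache_behaviour(cache):
    """Drive the loader with a counting fake runner and return how many times
    sops would have been invoked for three tasks touching the same file."""
    calls = []

    def fake_runner(argv, env):
        calls.append(argv)
        return "secret_key: constructed-value\n"  # constructed plaintext

    loader = SopsVarsLoader({"sops_binary": "/usr/local/bin/sops"}, {},
                            cache=cache, runner=fake_runner)
    for _ in range(3):
        loader.load("group_vars/all.sops.yaml")
    return len(calls)


if __name__ == "__main__":
    print("cache=True  ->", demo_cache_behaviour(True), "sops call(s)")
    print("cache=False ->", demo_cache_behaviour(False), "sops call(s)")
```

When auditing a controller, the split the builder makes is the one to verify: anything that ends up in argv (profile name, key service address, config path) is visible to every local user via the process table, while the access key, secret key and session token are only visible in the environment of the sops child process.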

Authors