community.general.passwordstore lookup – manage passwords with passwordstore.org’s pass utility
Note
This lookup plugin is part of the community.general collection (version 4.8.3).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.general.
To use it in a playbook, specify: community.general.passwordstore.
Synopsis
Enables Ansible to retrieve, create or update passwords from the passwordstore.org pass utility. It also retrieves YAML-style keys stored on multiple lines in the password file.
To avoid problems when accessing multiple secrets at once, add auto-expand-secmem to ~/.gnupg/gpg-agent.conf. Where this is not possible, consider using lock=readwrite instead.
Parameters
Parameter | Comments |
---|---|
 | query key. |
 | Used with Choices: |
 | Create the password if it does not already exist. Takes precedence over Choices: |
 | The directory of the password store. Configuration: |
 | The length of the generated password. Default: 16 |
 | How to synchronize operations. The default of Choices: Configuration: |
 | Lock timeout applied when lock is not Time with a unit suffix, Correlates with Default: “15m” Configuration: |
 | List of preference about what to do if the password file is missing. If create=true, the value for this option is ignored and assumed to be If set to If set to If set to Choices: |
 | use alphanumeric characters. Choices: |
 | Overwrite the password if it does already exist. Choices: |
 | location of the password store. Default: “~/.password-store” |
 | Return all the content of the password, not only the first line. Choices: |
 | Return a specific subkey of the password. When set to Default: “password” |
 | Sets the umask for the created .gpg files. The first octet must be greater than 3 (user readable). Note pass’ default value is Configuration: |
 | Specify a password to save, instead of a generated one. |
Examples
```yaml
ansible.cfg: |
  [passwordstore_lookup]
  lock=readwrite
  locktimeout=45s

playbook.yml: |
  ---
  # Debug is used for examples, BAD IDEA to show passwords on screen
  - name: Basic lookup. Fails if example/test does not exist
    ansible.builtin.debug:
      msg: "{{ lookup('community.general.passwordstore', 'example/test')}}"

  - name: Basic lookup. Warns if example/test does not exist and returns empty string
    ansible.builtin.debug:
      msg: "{{ lookup('community.general.passwordstore', 'example/test missing=warn')}}"

  - name: Create pass with random 16 character password. If password exists just give the password
    ansible.builtin.debug:
      var: mypassword
    vars:
      mypassword: "{{ lookup('community.general.passwordstore', 'example/test create=true')}}"

  - name: Create pass with random 16 character password. If password exists just give the password
    ansible.builtin.debug:
      var: mypassword
    vars:
      mypassword: "{{ lookup('community.general.passwordstore', 'example/test missing=create')}}"

  - name: Prints 'abc' if example/test does not exist, just give the password otherwise
    ansible.builtin.debug:
      var: mypassword
    vars:
      mypassword: "{{ lookup('community.general.passwordstore', 'example/test missing=empty') | default('abc', true) }}"

  - name: Different size password
    ansible.builtin.debug:
      msg: "{{ lookup('community.general.passwordstore', 'example/test create=true length=42')}}"

  - name: Create password and overwrite the password if it exists. As a bonus, this module includes the old password inside the pass file
    ansible.builtin.debug:
      msg: "{{ lookup('community.general.passwordstore', 'example/test create=true overwrite=true')}}"

  - name: Create an alphanumeric password
    ansible.builtin.debug:
      msg: "{{ lookup('community.general.passwordstore', 'example/test create=true nosymbols=true') }}"

  - name: Return the value for user in the KV pair user, username
    ansible.builtin.debug:
      msg: "{{ lookup('community.general.passwordstore', 'example/test subkey=user')}}"

  - name: Return the entire password file content
    ansible.builtin.set_fact:
      passfilecontent: "{{ lookup('community.general.passwordstore', 'example/test returnall=true')}}"
```
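The examples above print secrets with debug for illustration only. The playbook below is an added example, not part of the collection's documentation, that consumes a looked-up secret without displaying it; the host group appservers, the entry example/appdb, the account exampleapp and the path /etc/exampleapp/db.env are assumptions.

```yaml
---
# Added example. Host group, entry path, account and file path are assumptions.
- name: Deploy a database credential from the pass store without printing it
  hosts: appservers
  become: true
  vars:
    # Lookups run on the control node, so pass and gpg-agent must work there.
    # missing=create generates and stores a 32-character alphanumeric password
    # when the entry does not exist and returns the stored value otherwise.
    # The lookup is evaluated for each host; the lock=readwrite setting in the
    # ansible.cfg example above synchronizes those calls.
    db_password: "{{ lookup('community.general.passwordstore', 'example/appdb missing=create length=32 nosymbols=true') }}"
  tasks:
    - name: Write the credential file, readable only by the service account
      ansible.builtin.copy:
        content: "DB_PASSWORD={{ db_password }}\n"
        dest: /etc/exampleapp/db.env
        owner: exampleapp
        group: exampleapp
        mode: "0600"
      no_log: true   # keeps the secret out of task output, diffs and logs
```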
Return Values
Common return values are documented here; the following are the fields unique to this lookup:
Key | Description |
---|---|
 | a password Returned: success |
Authors
Patrick Deelman
Hint
Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.