community.sops.sops lookup – Read sops encrypted file contents

Note

This lookup plugin is part of the community.sops collection (version 1.2.2).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.sops.

To use it in a playbook, specify: community.sops.sops.

New in version 0.1.0: of community.sops

Synopsis

  • This lookup returns the contents from a file on the Ansible controller’s file system.

  • This lookup requires the sops executable to be available in the controller PATH.

Parameters

Parameter

Comments

_terms

string / required

Path(s) of files to read.

aws_access_key_id

string

added in 1.0.0 of community.sops

The AWS access key ID to use for requests to AWS.

Sets the environment variable AWS_ACCESS_KEY_ID for the sops call.

Configuration:

  • INI entry:

    [community.sops]
    aws_access_key_id = None
    

    added in 1.2.0 of community.sops

  • Environment variable: ANSIBLE_SOPS_AWS_ACCESS_KEY_ID

    added in 1.2.0 of community.sops

  • Variable: sops_aws_access_key_id

aws_profile

string

added in 1.0.0 of community.sops

The AWS profile to use for requests to AWS.

This corresponds to the sops --aws-profile option.

Configuration:

  • INI entry:

    [community.sops]
    aws_profile = None
    

    added in 1.2.0 of community.sops

  • Environment variable: ANSIBLE_SOPS_AWS_PROFILE

    added in 1.2.0 of community.sops

  • Variable: sops_aws_profile

aws_secret_access_key

string

added in 1.0.0 of community.sops

The AWS secret access key to use for requests to AWS.

Sets the environment variable AWS_SECRET_ACCESS_KEY for the sops call.

Configuration:

  • Environment variable: ANSIBLE_SOPS_AWS_SECRET_ACCESS_KEY

    added in 1.2.0 of community.sops

  • Variable: sops_aws_secret_access_key

aws_session_token

string

added in 1.0.0 of community.sops

The AWS session token to use for requests to AWS.

Sets the environment variable AWS_SESSION_TOKEN for the sops call.

Configuration:

  • INI entry:

    [community.sops]
    aws_session_token = None
    

    added in 1.2.0 of community.sops

  • Environment variable: ANSIBLE_SOPS_AWS_SESSION_TOKEN

    added in 1.2.0 of community.sops

  • Variable: sops_session_token

  • Variable: sops_aws_session_token

    added in 1.2.0 of community.sops

base64

boolean

Base64-encodes the parsed result.

Use this if you want to store binary data in Ansible variables.

Choices:

  • no ← (default)

  • yes

config_path

path

added in 1.0.0 of community.sops

Path to the sops configuration file.

If not set, sops will recursively search for the config file starting at the file that is encrypted or decrypted.

This corresponds to the sops --config option.

Configuration:

  • INI entry:

    [community.sops]
    config_path = None
    

    added in 1.2.0 of community.sops

  • Environment variable: ANSIBLE_SOPS_CONFIG_PATH

    added in 1.2.0 of community.sops

  • Variable: sops_config_path

empty_on_not_exist

boolean

When set to true, will not raise an error when a file cannot be found, but return an empty string instead.

Choices:

  • no ← (default)

  • yes

enable_local_keyservice

boolean

added in 1.0.0 of community.sops

Tell sops to use local key service.

This corresponds to the sops --enable-local-keyservice option.

Choices:

  • no ← (default)

  • yes

Configuration:

  • INI entry:

    [community.sops]
    enable_local_keyservice = no
    

    added in 1.2.0 of community.sops

  • Environment variable: ANSIBLE_SOPS_ENABLE_LOCAL_KEYSERVICE

    added in 1.2.0 of community.sops

  • Variable: sops_enable_local_keyservice

input_type

string

Tell sops how to interpret the encrypted file.

By default, sops will chose the input type from the file extension. If it detects the wrong type for a file, this could result in decryption failing.

Choices:

  • binary

  • json

  • yaml

  • dotenv

keyservice

list / elements=string

added in 1.0.0 of community.sops

Specify key services to use next to the local one.

A key service must be specified in the form protocol://address, for example tcp://myserver.com:5000.

This corresponds to the sops --keyservice option.

Configuration:

  • INI entry:

    [community.sops]
    keyservice = None
    

    added in 1.2.0 of community.sops

  • Environment variable: ANSIBLE_SOPS_KEYSERVICE

    added in 1.2.0 of community.sops

  • Variable: sops_keyservice

output_type

string

Tell sops how to interpret the decrypted file.

By default, sops will chose the output type from the file extension. If it detects the wrong type for a file, this could result in decryption failing.

Choices:

  • binary

  • json

  • yaml

  • dotenv

rstrip

boolean

Whether to remove trailing newlines and spaces.

Choices:

  • no

  • yes ← (default)

sops_binary

path

added in 1.0.0 of community.sops

Path to the sops binary.

By default uses sops.

Configuration:

  • INI entry:

    [community.sops]
    binary = None
    

    added in 1.2.0 of community.sops

  • Environment variable: ANSIBLE_SOPS_BINARY

    added in 1.2.0 of community.sops

  • Variable: sops_binary

Notes

Note

  • This lookup does not understand ‘globbing’ - use the fileglob lookup instead.

Examples

- name: Output secrets to screen (BAD IDEA!)
  ansible.builtin.debug:
    msg: "Content: {{ lookup('community.sops.sops', item) }}"
  loop:
    - sops-encrypted-file.enc.yaml

- name: Add SSH private key
  ansible.builtin.copy:
    # Note that rstrip=false is necessary for some SSH versions to be able to use the key
    content: "{{ lookup('community.sops.sops', user + '-id_rsa', rstrip=false) }}"
    dest: /home/{{ user }}/.ssh/id_rsa
    owner: "{{ user }}"
    group: "{{ user }}"
    mode: 0600
  no_log: true  # avoid content to be written to log

- name: The file file.json is a YAML file, which contains the encryption of binary data
  ansible.builtin.debug:
    msg: "Content: {{ lookup('community.sops.sops', 'file.json', input_type='yaml', output_type='binary') }}"

Return Values

Common return values are documented here, the following are the fields unique to this lookup:

Key

Description

_raw

list / elements=string

Decrypted file content.

Returned: success

Authors

  • Edoardo Tenani (@endorama)

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.