community.sops.sops lookup – Read sops encrypted file contents
Note

This lookup plugin is part of the community.sops collection (version 1.2.2). You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.

To check whether it is installed, run: ansible-galaxy collection list

To install it, use: ansible-galaxy collection install community.sops

To use it in a playbook, specify: community.sops.sops
New in community.sops 0.1.0
Synopsis
This lookup returns the contents of a file on the Ansible controller's file system, decrypted with sops. It requires the sops executable to be available in the controller's PATH.
Parameters
Parameter | Comments
---|---
_terms | Path(s) of files to read.
aws_access_key_id | The AWS access key ID to use for requests to AWS. Sets the corresponding environment variable for the sops call.
aws_profile | The AWS profile to use for requests to AWS. This corresponds to the sops command-line option of the same purpose.
aws_secret_access_key | The AWS secret access key to use for requests to AWS. Sets the corresponding environment variable for the sops call.
aws_session_token | The AWS session token to use for requests to AWS. Sets the corresponding environment variable for the sops call.
base64 | Base64-encodes the parsed result. Use this if you want to store binary data in Ansible variables.
config_path | Path to the sops configuration file. If not set, sops will recursively search for the config file starting at the file that is encrypted or decrypted. This corresponds to the sops command-line option of the same purpose.
empty_on_not_exist | When set to
enable_local_keyservice | Tell sops to use the local key service. This corresponds to the sops command-line option of the same purpose.
input_type | Tell sops how to interpret the encrypted file. By default, sops will choose the input type from the file extension. If it detects the wrong type for a file, this could result in decryption failing.
keyservice | Specify key services to use next to the local one. A key service must be specified in the form expected by sops. This corresponds to the sops command-line option of the same purpose.
output_type | Tell sops how to interpret the decrypted file. By default, sops will choose the output type from the file extension. If it detects the wrong type for a file, this could result in decryption failing.
rstrip | Whether to remove trailing newlines and spaces.
sops_binary | Path to the sops binary. By default the sops executable found in PATH is used.
Examples
```yaml
- name: Output secrets to screen (BAD IDEA!)
  ansible.builtin.debug:
    msg: "Content: {{ lookup('community.sops.sops', item) }}"
  loop:
    - sops-encrypted-file.enc.yaml

- name: Add SSH private key
  ansible.builtin.copy:
    # Note that rstrip=false is necessary for some SSH versions to be able to use the key
    content: "{{ lookup('community.sops.sops', user + '-id_rsa', rstrip=false) }}"
    dest: /home/{{ user }}/.ssh/id_rsa
    owner: "{{ user }}"
    group: "{{ user }}"
    mode: "0600"   # quoted so YAML does not parse the octal literal as a decimal integer
  no_log: true     # avoid the decrypted content being written to the log

- name: The file file.json is a YAML file, which contains the encryption of binary data
  ansible.builtin.debug:
    msg: "Content: {{ lookup('community.sops.sops', 'file.json', input_type='yaml', output_type='binary') }}"
```
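The examples above return the decrypted text as a string. When the encrypted file is structured YAML, the usual need is to parse it into a dictionary and reference individual values without ever printing them. The playbook below is an added example, not part of the community.sops documentation; it assumes a sops-encrypted file secrets.sops.yaml next to the playbook containing the keys db_user and db_password.

```yaml
# Added example (not from the community.sops docs). Assumes secrets.sops.yaml
# is a sops-encrypted YAML file with the keys db_user and db_password.
- name: Load structured secrets from a sops-encrypted YAML file
  hosts: localhost
  gather_facts: false
  vars:
    # Decrypt on the controller, then parse the YAML text into a dict.
    # input_type/output_type are given explicitly so sops does not have
    # to guess the format from the file extension.
    app_secrets: >-
      {{ lookup('community.sops.sops', 'secrets.sops.yaml',
                input_type='yaml', output_type='yaml') | from_yaml }}
  tasks:
    - name: Render an env file from the decrypted values
      ansible.builtin.copy:
        content: |
          DB_USER={{ app_secrets.db_user }}
          DB_PASSWORD={{ app_secrets.db_password }}
        dest: /tmp/app.env
        mode: "0600"
      no_log: true   # keep the decrypted values out of task output and logs

    - name: Report only that secrets were loaded, never their values
      ansible.builtin.debug:
        msg: "Loaded {{ app_secrets.keys() | list | length }} secret keys"
```

Because the lookup runs on the controller, the plaintext only exists in memory there and in the rendered file on the target; no_log on the copy task prevents the decrypted values from appearing in the console output or the log file.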
Return Values
Common return values are documented here; the following are the fields unique to this lookup:

Key | Description
---|---
_raw | Decrypted file content. Returned: success
Authors
Edoardo Tenani (@endorama)
Hint
Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.