community.general.credstash lookup – retrieve secrets from Credstash on AWS

Note

This lookup plugin is part of the community.general collection (version 5.8.3).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general. This lookup plugin has further requirements; see Requirements for details.

To use it in a playbook, specify: community.general.credstash.

Synopsis

Requirements

The below requirements are needed on the local controller node that executes this lookup.

  • credstash (python library)

Terms

Parameter: Terms
Type: list / elements=string / required
Comments: Term or list of terms to look up in the credential store.

Keyword parameters

This describes keyword parameters of the lookup. These are the values key1=value1, key2=value2 and so on in the following examples: lookup('community.general.credstash', key1=value1, key2=value2, ...) and query('community.general.credstash', key1=value1, key2=value2, ...)

Parameter: aws_access_key_id
Type: string
Comments: AWS access key ID
Configuration:

Parameter: aws_secret_access_key
Type: string
Comments: AWS secret access key
Configuration:

Parameter: aws_session_token
Type: string
Comments: AWS session token
Configuration:

Parameter: profile_name
Type: string
Comments: AWS profile to use for authentication
Configuration:

Parameter: region
Type: string
Comments: AWS region

Parameter: table
Type: string
Comments: Name of the credstash table to query
Default: "credential-store"

Parameter: version
Type: string
Comments: Credstash version

Notes

Note

  • When keyword and positional parameters are used together, positional parameters must be listed before keyword parameters: lookup('community.general.credstash', term1, term2, key1=value1, key2=value2) and query('community.general.credstash', term1, term2, key1=value1, key2=value2)

Examples

- name: first use credstash to store your secrets
  ansible.builtin.shell: credstash put my-github-password secure123

- name: "Test credstash lookup plugin -- get my github password"
  ansible.builtin.debug:
    msg: "Credstash lookup! {{ lookup('community.general.credstash', 'my-github-password') }}"

- name: "Test credstash lookup plugin -- get my other password from us-west-1"
  ansible.builtin.debug:
    msg: "Credstash lookup! {{ lookup('community.general.credstash', 'my-other-password', region='us-west-1') }}"

- name: "Test credstash lookup plugin -- get the company's github password"
  ansible.builtin.debug:
    msg: "Credstash lookup! {{ lookup('community.general.credstash', 'company-github-password', table='company-passwords') }}"

- name: Example play using the 'context' feature
  hosts: localhost
  vars:
    context:
      app: my_app
      environment: production
  tasks:

  - name: "Test credstash lookup plugin -- get the password with a context passed as a variable"
    ansible.builtin.debug:
      msg: "{{ lookup('community.general.credstash', 'some-password', context=context) }}"

  - name: "Test credstash lookup plugin -- get the password with a context defined here"
    ansible.builtin.debug:
      msg: "{{ lookup('community.general.credstash', 'some-password', context=dict(app='my_app', environment='production')) }}"
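
The examples above print each secret through ansible.builtin.debug, which places it in the play output and in any log that captures that output. The play below is an added example, not part of the collection's own documentation: it reads the secret once on the controller, checks it without echoing it, and writes it to a file with no_log set. The host group app_servers, the profile deploy-readonly, the variable names and the destination path are assumptions.

```yaml
- name: Deploy a Credstash secret without printing it
  hosts: app_servers                  # assumed inventory group
  vars:
    credstash_context:                # same context keys as the play above
      app: my_app
      environment: production
  tasks:

    # The lookup runs on the controller, so credstash and the AWS profile
    # must be available there, not on the managed hosts.
    # set_fact stores the result, so Credstash is queried once per host here
    # instead of every time the variable is referenced.
    - name: Read the secret from Credstash
      ansible.builtin.set_fact:
        app_secret: >-
          {{ lookup('community.general.credstash', 'some-password',
                    table='company-passwords',
                    region='us-west-1',
                    profile_name='deploy-readonly',
                    context=credstash_context) }}
      no_log: true                    # keep the value out of task results

    # Fail early on an empty value; the value itself is never shown.
    - name: Check that a non-empty secret was returned
      ansible.builtin.assert:
        that:
          - app_secret | length > 0
        quiet: true
      no_log: true

    # Assumes /etc/my_app already exists on the managed host.
    - name: Write the secret to a root-only file
      ansible.builtin.copy:
        content: "{{ app_secret }}"
        dest: /etc/my_app/secret      # assumed path
        owner: root
        group: root
        mode: "0600"
      no_log: true                    # also hides the file diff in --diff runs
```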

Return Value

Key: Return value
Type: string
Description: Value(s) stored in Credstash.
Returned: success

Authors

  • Unknown

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.