community.general.passwordstore lookup – manage passwords with passwordstore.org’s pass utility
Note
This lookup plugin is part of the community.general collection (version 5.8.3).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.general.
To use it in a playbook, specify: community.general.passwordstore.
Synopsis
Enables Ansible to retrieve, create or update passwords from the passwordstore.org pass utility. It also retrieves YAML style keys stored as multilines in the passwordfile.
To avoid problems when accessing multiple secrets at once, add auto-expand-secmem to ~/.gnupg/gpg-agent.conf. Where this is not possible, consider using lock=readwrite instead.
Terms
Parameter |
Comments |
---|---|
query key. |
Keyword parameters
This describes keyword parameters of the lookup. These are the values key1=value1, key2=value2 and so on in the following examples: lookup('community.general.passwordstore', key1=value1, key2=value2, ...) and query('community.general.passwordstore', key1=value1, key2=value2, ...)
Parameter |
Comments |
---|---|
Specify which backend to use. Defaults to
Choices:
Configuration:
|
|
Used with Choices:
|
|
Create the password if it does not already exist. Takes precedence over Choices:
|
|
The length of the generated password. Default: |
|
How to synchronize operations. The default of
Choices:
Configuration:
|
|
Lock timeout applied when lock is not Time with a unit suffix, Correlates with Default: Configuration:
|
|
List of preference about what to do if the password file is missing. If create=true, the value for this option is ignored and assumed to be If set to If set to If set to Choices:
|
|
Use alphanumeric characters. Choices:
|
|
Overwrite the password if it does already exist. Choices:
|
|
Location of the password store. The value is decided by checking the following in order: If set, this value is used. If If backend=pass, then If backend=gopass, then the |
|
Return all the content of the password, not only the first line. Choices:
|
|
Return a specific subkey of the password. When set to Default: |
|
Sets the umask for the created .gpg files. The first octet must be greater than 3 (user readable). Note pass’ default value is Configuration:
|
|
Specify a password to save, instead of a generated one. |
Notes
Note
When keyword and positional parameters are used together, positional parameters must be listed before keyword parameters:
lookup('community.general.passwordstore', term1, term2, key1=value1, key2=value2)
and query('community.general.passwordstore', term1, term2, key1=value1, key2=value2)
Examples
ansible.cfg: |
  [passwordstore_lookup]
  lock=readwrite
  locktimeout=45s

playbook.yml: |
  ---

  # Debug is used for examples, BAD IDEA to show passwords on screen
  - name: Basic lookup. Fails if example/test does not exist
    ansible.builtin.debug:
      msg: "{{ lookup('community.general.passwordstore', 'example/test')}}"

  - name: Basic lookup. Warns if example/test does not exist and returns empty string
    ansible.builtin.debug:
      msg: "{{ lookup('community.general.passwordstore', 'example/test missing=warn')}}"

  - name: Create pass with random 16 character password. If password exists just give the password
    ansible.builtin.debug:
      var: mypassword
    vars:
      mypassword: "{{ lookup('community.general.passwordstore', 'example/test create=true')}}"

  - name: Create pass with random 16 character password. If password exists just give the password
    ansible.builtin.debug:
      var: mypassword
    vars:
      mypassword: "{{ lookup('community.general.passwordstore', 'example/test missing=create')}}"

  - name: Prints 'abc' if example/test does not exist, just give the password otherwise
    ansible.builtin.debug:
      var: mypassword
    vars:
      mypassword: "{{ lookup('community.general.passwordstore', 'example/test missing=empty') | default('abc', true) }}"

  - name: Different size password
    ansible.builtin.debug:
      msg: "{{ lookup('community.general.passwordstore', 'example/test create=true length=42')}}"

  - name: Create password and overwrite the password if it exists. As a bonus, this module includes the old password inside the pass file
    ansible.builtin.debug:
      msg: "{{ lookup('community.general.passwordstore', 'example/test create=true overwrite=true')}}"

  - name: Create an alphanumeric password
    ansible.builtin.debug:
      msg: "{{ lookup('community.general.passwordstore', 'example/test create=true nosymbols=true') }}"

  - name: Return the value for user in the KV pair user, username
    ansible.builtin.debug:
      msg: "{{ lookup('community.general.passwordstore', 'example/test subkey=user')}}"

  - name: Return the entire password file content
    ansible.builtin.set_fact:
      passfilecontent: "{{ lookup('community.general.passwordstore', 'example/test returnall=true')}}"
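
The keyword-parameter form described in the Notes, used in tasks that keep the secret out of task output. This is an added example, not part of the collection's documentation; the app_servers group, the svc-deploy account and the example/svc-deploy entry are assumptions made for illustration.

```yaml
---
# Added example. Inventory group, account name and pass entry names are
# assumptions; the lookup options used are the ones shown on this page.
- name: Consume passwordstore secrets without printing them
  hosts: app_servers            # assumed inventory group
  become: true
  vars:
    # Positional term first, keyword parameters after it.
    # The lookup runs on the controller each time the variable is templated.
    svc_password: >-
      {{ lookup('community.general.passwordstore', 'example/svc-deploy',
                missing='create', length=32, nosymbols=true) }}
    # 'user' subkey of a multiline entry; empty if the entry is absent.
    db_user: >-
      {{ lookup('community.general.passwordstore', 'example/test',
                subkey='user', missing='empty') }}
  tasks:
    - name: Stop early if the subkey could not be read
      ansible.builtin.assert:
        that:
          - db_user | default('', true) | length > 0
        quiet: true
      no_log: true              # keep the looked-up value out of logs

    - name: Set the service account password from the store
      ansible.builtin.user:
        name: svc-deploy        # assumed account name
        # Only a salted hash is sent to the managed host.
        password: "{{ svc_password | password_hash('sha512') }}"
        # The salt is random per run; set the password only on creation
        # so the task does not report a change every time.
        update_password: on_create
      no_log: true
```

With several hosts templating svc_password in parallel, the lock=readwrite setting from the ansible.cfg example above serializes access to the store on the controller.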
Return Value
Key |
Description |
---|---|
a password Returned: success |