Index of all Collection Environment Variables

ANSIBLE_CALLBACK_DIY_ON_ANY_MSG_COLOR

Output color to be used for on_any_msg.

Template should render a valid color value.

ANSIBLE_CALLBACK_DIY_ON_FILE_DIFF_MSG

Output to be used for callback on_file_diff.

ANSIBLE_CALLBACK_DIY_ON_FILE_DIFF_MSG_COLOR

Output color to be used for on_file_diff_msg.

Template should render a valid color value.

ANSIBLE_CALLBACK_DIY_PLAYBOOK_ON_HANDLER_TASK_START_MSG

Output to be used for callback playbook_on_handler_task_start.

ANSIBLE_CALLBACK_DIY_PLAYBOOK_ON_HANDLER_TASK_START_MSG_COLOR

Output color to be used for playbook_on_handler_task_start_msg.

Template should render a valid color value.

ANSIBLE_CALLBACK_DIY_PLAYBOOK_ON_INCLUDE_MSG

Output to be used for callback playbook_on_include.

ANSIBLE_CALLBACK_DIY_PLAYBOOK_ON_INCLUDE_MSG_COLOR

Output color to be used for playbook_on_include_msg.

Template should render a valid color value.

ANSIBLE_CALLBACK_DIY_PLAYBOOK_ON_NO_HOSTS_MATCHED_MSG

Output to be used for callback playbook_on_no_hosts_matched.

ANSIBLE_CALLBACK_DIY_PLAYBOOK_ON_NO_HOSTS_MATCHED_MSG_COLOR

Output color to be used for playbook_on_no_hosts_matched_msg.

Template should render a valid color value.

ANSIBLE_CALLBACK_DIY_PLAYBOOK_ON_NO_HOSTS_REMAINING_MSG

Output to be used for callback playbook_on_no_hosts_remaining.

ANSIBLE_CALLBACK_DIY_PLAYBOOK_ON_NO_HOSTS_REMAINING_MSG_COLOR

Output color to be used for playbook_on_no_hosts_remaining_msg.

Template should render a valid color value.

ANSIBLE_CALLBACK_DIY_PLAYBOOK_ON_NOTIFY_MSG

Output to be used for callback playbook_on_notify.

ANSIBLE_CALLBACK_DIY_PLAYBOOK_ON_NOTIFY_MSG_COLOR

Output color to be used for playbook_on_notify_msg.

Template should render a valid color value.

ANSIBLE_CALLBACK_DIY_PLAYBOOK_ON_PLAY_START_MSG

Output to be used for callback playbook_on_play_start.

ANSIBLE_CALLBACK_DIY_PLAYBOOK_ON_PLAY_START_MSG_COLOR

Output color to be used for playbook_on_play_start_msg.

Template should render a valid color value.

ANSIBLE_CALLBACK_DIY_PLAYBOOK_ON_SETUP_MSG

Output to be used for callback playbook_on_setup.

ANSIBLE_CALLBACK_DIY_PLAYBOOK_ON_SETUP_MSG_COLOR

Output color to be used for playbook_on_setup_msg.

Template should render a valid color value.

ANSIBLE_CALLBACK_DIY_PLAYBOOK_ON_START_MSG

Output to be used for callback playbook_on_start.

ANSIBLE_CALLBACK_DIY_PLAYBOOK_ON_START_MSG_COLOR

Output color to be used for playbook_on_start_msg.

Template should render a valid color value.

ANSIBLE_CALLBACK_DIY_PLAYBOOK_ON_STATS_MSG

Output to be used for callback playbook_on_stats.

ANSIBLE_CALLBACK_DIY_PLAYBOOK_ON_STATS_MSG_COLOR

Output color to be used for playbook_on_stats_msg.

Template should render a valid color value.

ANSIBLE_CALLBACK_DIY_PLAYBOOK_ON_TASK_START_MSG

Output to be used for callback playbook_on_task_start.

ANSIBLE_CALLBACK_DIY_PLAYBOOK_ON_TASK_START_MSG_COLOR

Output color to be used for playbook_on_task_start_msg.

Template should render a valid color value.

ANSIBLE_CALLBACK_DIY_PLAYBOOK_ON_VARS_PROMPT_MSG

Output to be used for callback playbook_on_vars_prompt.

ANSIBLE_CALLBACK_DIY_PLAYBOOK_ON_VARS_PROMPT_MSG_COLOR

Output color to be used for playbook_on_vars_prompt_msg.

Template should render a valid color value.

ANSIBLE_CALLBACK_DIY_RUNNER_ITEM_ON_FAILED_MSG

Output to be used for callback runner_item_on_failed.

ANSIBLE_CALLBACK_DIY_RUNNER_ITEM_ON_FAILED_MSG_COLOR

Output color to be used for runner_item_on_failed_msg.

Template should render a valid color value.

ANSIBLE_CALLBACK_DIY_RUNNER_ITEM_ON_OK_MSG

Output to be used for callback runner_item_on_ok.

ANSIBLE_CALLBACK_DIY_RUNNER_ITEM_ON_OK_MSG_COLOR

Output color to be used for runner_item_on_ok_msg.

Template should render a valid color value.

ANSIBLE_CALLBACK_DIY_RUNNER_ITEM_ON_SKIPPED_MSG

Output to be used for callback runner_item_on_skipped.

ANSIBLE_CALLBACK_DIY_RUNNER_ITEM_ON_SKIPPED_MSG_COLOR

Output color to be used for runner_item_on_skipped_msg.

Template should render a valid color value.

ANSIBLE_CALLBACK_DIY_RUNNER_ON_FAILED_MSG

Output to be used for callback runner_on_failed.

ANSIBLE_CALLBACK_DIY_RUNNER_ON_FAILED_MSG_COLOR

Output color to be used for runner_on_failed_msg.

Template should render a valid color value.

ANSIBLE_CALLBACK_DIY_RUNNER_ON_NO_HOSTS_MSG

Output to be used for callback runner_on_no_hosts.

ANSIBLE_CALLBACK_DIY_RUNNER_ON_NO_HOSTS_MSG_COLOR

Output color to be used for runner_on_no_hosts_msg.

Template should render a valid color value.

ANSIBLE_CALLBACK_DIY_RUNNER_ON_OK_MSG

Output to be used for callback runner_on_ok.

ANSIBLE_CALLBACK_DIY_RUNNER_ON_OK_MSG_COLOR

Output color to be used for runner_on_ok_msg.

Template should render a valid color value.

ANSIBLE_CALLBACK_DIY_RUNNER_ON_SKIPPED_MSG

Output to be used for callback runner_on_skipped.

ANSIBLE_CALLBACK_DIY_RUNNER_ON_SKIPPED_MSG_COLOR

Output color to be used for runner_on_skipped_msg.

Template should render a valid color value.

ANSIBLE_CALLBACK_DIY_RUNNER_ON_START_MSG

Output to be used for callback runner_on_start.

ANSIBLE_CALLBACK_DIY_RUNNER_ON_START_MSG_COLOR

Output color to be used for runner_on_start_msg.

Template should render a valid color value.

ANSIBLE_CALLBACK_DIY_RUNNER_ON_UNREACHABLE_MSG

Output to be used for callback runner_on_unreachable.

ANSIBLE_CALLBACK_DIY_RUNNER_ON_UNREACHABLE_MSG_COLOR

Output color to be used for runner_on_unreachable_msg.

Template should render a valid color value.

ANSIBLE_CALLBACK_DIY_RUNNER_RETRY_MSG

Output to be used for callback runner_retry.

ANSIBLE_CALLBACK_DIY_RUNNER_RETRY_MSG_COLOR

Output color to be used for runner_retry_msg.

Template should render a valid color value.

Used by: ansible.builtin.default callback plugin, ansible.posix.debug callback plugin, ansible.posix.skippy callback plugin, community.general.counter_enabled callback plugin, community.general.default_without_diff callback plugin, community.general.dense callback plugin, community.general.diy callback plugin, community.general.unixy callback plugin, community.general.yaml callback plugin

ANSIBLE_CALLBACK_FORMAT_PRETTY

Configure the result format to be more readable

When result_format is set to yaml this option defaults to True, and defaults to False when configured to json.

Setting this option to True will force json and yaml results to always be pretty printed regardless of verbosity.

When set to True and used with the yaml result format, this option will modify module responses in an attempt to produce a more human friendly output at the expense of correctness, and should not be relied upon to aid in writing variable manipulations or conditionals. For correctness, set this option to False or set result_format to json.

Used by: ansible.builtin.default callback plugin, ansible.builtin.minimal callback plugin, community.general.default_without_diff callback plugin

ANSIBLE_CALLBACK_RESULT_FORMAT

Define the task result format used in the callback output.

These formats do not cause the callback to emit valid JSON or YAML formats.

The output contains these formats interspersed with other non-machine parsable data.

Used by: ansible.builtin.default callback plugin, ansible.builtin.minimal callback plugin, community.general.default_without_diff callback plugin

ANSIBLE_CALLBACK_TREE_DIR

directory that will contain the per host JSON files. Also set by the --tree option when using adhoc.

Used by: ansible.builtin.tree callback plugin

ANSIBLE_CERTIFICATE_CHAIN_FILE

The PEM encoded certificate chain file used to create a SSL-enabled channel. If the value is None, no certificate chain is used.

Used by: ansible.netcommon.grpc connection plugin

ANSIBLE_CHECK_MODE_MARKERS

Toggle to control displaying markers when running in check mode.

The markers are DRY RUN at the beginning and ending of playbook execution (when calling ansible-playbook --check) and CHECK MODE as a suffix at every play and task that is run in check mode.

ANSIBLE_CHROOT_DISABLE_ROOT_CHECK

Do not check that the user is not root.

Used by: community.general.chroot connection plugin

ANSIBLE_CHROOT_EXE

User specified chroot binary

Used by: community.general.chroot connection plugin

ANSIBLE_COMMON_REMOTE_GROUP

Checked when Ansible needs to execute a module as a different user.

If setfacl and chown both fail and do not let the different user access the module’s files, they will be chgrp’d to this group.

In order for this to work, the remote_user and become_user must share a common group and this setting must be set to that group.

Used by: ansible.builtin.sh shell plugin, ansible.posix.csh shell plugin, ansible.posix.fish shell plugin

ANSIBLE_CONSUL_CLIENT_CERT

The client cert to verify the ssl connection.

Used by: community.general.consul_kv lookup plugin

ANSIBLE_CONSUL_URL

The target to connect to.

Should look like this: https://my.consul.server:8500.

Used by: community.general.consul_kv lookup plugin

ANSIBLE_CONSUL_VALIDATE_CERTS

Whether to verify the ssl connection or not.

Used by: community.general.consul_kv lookup plugin

ANSIBLE_DISPLAY_FAILED_STDERR

Toggle to control whether failed and unreachable tasks are displayed to STDERR (vs. STDOUT)

Used by: ansible.builtin.default callback plugin, ansible.posix.debug callback plugin, ansible.posix.skippy callback plugin, community.general.counter_enabled callback plugin, community.general.default_without_diff callback plugin, community.general.dense callback plugin, community.general.diy callback plugin, community.general.unixy callback plugin, community.general.yaml callback plugin

ANSIBLE_DISPLAY_OK_HOSTS

Toggle to control displaying ‘ok’ task/host results in a task

Used by: ansible.builtin.default callback plugin, ansible.posix.debug callback plugin, ansible.posix.skippy callback plugin, community.general.counter_enabled callback plugin, community.general.default_without_diff callback plugin, community.general.dense callback plugin, community.general.diy callback plugin, community.general.unixy callback plugin, community.general.yaml callback plugin

ANSIBLE_DOAS_EXE

Doas executable

ANSIBLE_DOAS_FLAGS

Options to pass to doas

ANSIBLE_DOAS_PASS

password for doas prompt

ANSIBLE_DOAS_PROMPT_L10N

List of localized strings to match for prompt detection

If empty we’ll use the built in one

ANSIBLE_DOAS_USER

User you ‘become’ to execute the task

ANSIBLE_DOCKER_TIMEOUT

Controls how long we can wait to access reading output from the container once execution started.

Used by: community.docker.docker connection plugin, community.docker.docker_api connection plugin

ANSIBLE_DZDO_EXE

Dzdo executable

ANSIBLE_DZDO_FLAGS

Options to pass to dzdo

ANSIBLE_DZDO_PASS

Options to pass to dzdo

ANSIBLE_DZDO_USER

User you ‘become’ to execute the task

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_ENABLE_PASS

password

Used by: ansible.netcommon.enable become plugin

ANSIBLE_EOS_USE_SESSIONS

Specifies if sessions should be used on remote host or not

Used by: arista.eos.eos cliconf plugin, arista.eos.eos httpapi plugin

ANSIBLE_ETCD_URL

Environment variable with the URL for the etcd server

Used by: community.general.etcd lookup plugin

ANSIBLE_ETCD_VERSION

Environment variable with the etcd protocol version

Used by: community.general.etcd lookup plugin

ANSIBLE_GPRC_SSL_TARGET_NAME_OVERRIDE

The option overrides SSL target name used for SSL host name checking. The name used for SSL host name checking will be the target parameter (assuming that the secure channel is an SSL channel). If this parameter is specified and the underlying is not an SSL channel, it will just be ignored.

Used by: ansible.netcommon.grpc connection plugin

ANSIBLE_GRPC_CONNECTION_TYPE

This option indicates the grpc type and it can be used in place of network_os. (example cisco.iosxr.iosxr)

Used by: ansible.netcommon.grpc connection plugin

ANSIBLE_HASHI_VAULT_ADDR

URL to the Vault service.

If not specified by any other means, the value of the VAULT_ADDR environment variable will be used.

If VAULT_ADDR is also not defined then an error will be raised.

ANSIBLE_HASHI_VAULT_AUTH_METHOD

Authentication method to be used.

none auth method was added in collection version 1.2.0.

cert auth method was added in collection version 1.4.0.

aws_iam_login was renamed aws_iam in collection version 2.1.0 and was removed in 3.0.0.

azure auth method was added in collection version 3.2.0.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_AWS_IAM_SERVER_ID

If specified, sets the value to use for the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity request.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_AZURE_CLIENT_ID

The client ID (also known as application ID) of the Azure AD service principal or managed identity. Should be a UUID.

If not specified, will use the system assigned managed identity.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_AZURE_CLIENT_SECRET

The client secret of the Azure AD service principal.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_AZURE_RESOURCE

The resource URL for the application registered in Azure Active Directory. Usually should not be changed from the default.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_AZURE_TENANT_ID

The Azure Active Directory Tenant ID (also known as the Directory ID) of the service principal. Should be a UUID.

Required when using a service principal to authenticate to Vault, e.g. required when both azure_client_id and azure_client_secret are specified.

Optional when using managed identity to authenticate to Vault.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_CA_CERT

Path to certificate to use for authentication.

If not specified by any other means, the VAULT_CACERT environment variable will be used.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_CERT_AUTH_PRIVATE_KEY

For cert auth, path to the private key file to authenticate with, in PEM format.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_CERT_AUTH_PUBLIC_KEY

For cert auth, path to the certificate file to authenticate with, in PEM format.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_JWT

The JSON Web Token (JWT) to use for JWT authentication to Vault.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_MOUNT_POINT

Vault mount point.

If not specified, the default mount point for a given auth method is used.

Does not apply to token authentication.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_NAMESPACE

Vault namespace where secrets reside. This option requires HVAC 0.7.0+ and Vault 0.11+.

Optionally, this may be achieved by prefixing the authentication mount point and/or secret path with the namespace (e.g mynamespace/secret/mysecret).

If environment variable VAULT_NAMESPACE is set, its value will be used last among all ways to specify namespace.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_PASSWORD

Authentication password.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_PROXIES

URL(s) to the proxies used to access the Vault service.

It can be a string or a dict.

If it’s a dict, provide the scheme (eg. http or https) as the key, and the URL as the value.

If it’s a string, provide a single URL that will be used as the proxy for both http and https schemes.

A string that can be interpreted as a dictionary will be converted to one (see examples).

You can specify a different proxy for HTTP and HTTPS resources.

If not specified, environment variables from the Requests library are used.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_RETRIES

Allows for retrying on errors, based on the Retry class in the urllib3 library.

This collection defines recommended defaults for retrying connections to Vault.

This option can be specified as a positive number (integer) or dictionary.

If this option is not specified or the number is 0, then retries are disabled.

A number sets the total number of retries, and uses collection defaults for the other settings.

A dictionary value is used directly to initialize the Retry class, so it can be used to fully customize retries.

For detailed information on retries, see the collection User Guide.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_RETRY_ACTION

Controls whether and how to show messages on retries.

This has no effect if a request is not retried.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_ROLE_ID

Vault Role ID or name. Used in approle, aws_iam, azure and cert auth methods.

For cert auth, if no role_id is supplied, the default behavior is to try all certificate roles and return any one that matches.

For azure auth, role_id is required.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_SECRET_ID

Secret ID to be used for Vault AppRole authentication.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_TIMEOUT

Sets the connection timeout in seconds.

If not set, then the hvac library’s default is used.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_TOKEN

Vault token. Token may be specified explicitly, through the listed [env] vars, and also through the VAULT_TOKEN env var.

If no token is supplied, explicitly or through env, then the plugin will check for a token file, as determined by token_path and token_file.

The order of token loading (first found wins) is token param -> ansible var -> ANSIBLE_HASHI_VAULT_TOKEN -> VAULT_TOKEN -> token file.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_TOKEN_FILE

If no token is specified, will try to read the token from this file in token_path.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_TOKEN_PATH

If no token is specified, will try to read the token_file from this path.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_TOKEN_VALIDATE

For token auth, will perform a lookup-self operation to determine the token’s validity before using it.

Disable if your token does not have the lookup-self capability.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HASHI_VAULT_USERNAME

Authentication user name.

Used by: community.hashi_vault.hashi_vault lookup plugin, community.hashi_vault.vault_kv1_get lookup plugin, community.hashi_vault.vault_kv2_get lookup plugin, community.hashi_vault.vault_list lookup plugin, community.hashi_vault.vault_login lookup plugin, community.hashi_vault.vault_read lookup plugin, community.hashi_vault.vault_token_create lookup plugin, community.hashi_vault.vault_write lookup plugin

ANSIBLE_HIERA_BIN

Binary file to execute Hiera.

Used by: community.general.hiera lookup plugin

ANSIBLE_HIERA_CFG

File that describes the hierarchy of Hiera.

Used by: community.general.hiera lookup plugin

ANSIBLE_HOST_KEY_AUTO_ADD

By default, Ansible will prompt the user before adding SSH keys to the known hosts file. Since persistent connections such as network_cli run in background processes, the user will never be prompted. By enabling this option, unknown host keys will automatically be added to the known hosts file.

Be sure to fully understand the security implications of enabling this option on production systems as it could create a security vulnerability.

Used by: ansible.netcommon.network_cli connection plugin

ANSIBLE_HOSTTECH_API_PASSWORD

The password for the Hosttech API user.

If provided, hosttech_username must also be provided.

Mutually exclusive with hosttech_token.

Used by: community.dns.hosttech_dns_records inventory plugin

ANSIBLE_HOSTTECH_API_USERNAME

The username for the Hosttech API user.

If provided, hosttech_password must also be provided.

Mutually exclusive with hosttech_token.

Used by: community.dns.hosttech_dns_records inventory plugin

ANSIBLE_HOSTTECH_DNS_TOKEN

The password for the Hosttech API user.

Mutually exclusive with hosttech_username and hosttech_password.

Since community.dns 1.2.0, the alias api_token can be used.

Used by: community.dns.hosttech_dns_records inventory plugin

ANSIBLE_HTTPAPI_LOGIN_DOMAIN

The login domain name to use for authentication.

The default value is Local.

Used by: cisco.mso.mso httpapi plugin

ANSIBLE_IGNORE_ERRORS

Whether to ignore errors on failing or not.

Used by: community.general.logdna callback plugin

ANSIBLE_INVENTORY_PLUGIN_EXTS

list of ‘valid’ extensions for files containing YAML

Used by: ansible.builtin.yaml inventory plugin

ANSIBLE_INVENTORY_PLUGIN_SCRIPT_STDERR

Toggle display of stderr even when script was successful

Used by: ansible.builtin.script inventory plugin

ANSIBLE_INVENTORY_USE_EXTRA_VARS

Merge extra vars into the available variables for composition (highest precedence).

ANSIBLE_IOS_COMMIT_CONFIRM_IMMEDIATE

Enable or disable commit confirm mode.

Confirms the configuration pushed after a custom/ default timeout.(default 1 minute).

For custom timeout configuration set commit_confirm_timeout value.

On commit_confirm_immediate default value for commit_confirm_timeout is considered 1 minute when variable in not explicitly declared.

Used by: cisco.ios.ios cliconf plugin

ANSIBLE_IOS_COMMIT_CONFIRM_TIMEOUT

Commits the configuration on a trial basis for the time specified in minutes.

Using commit_confirm_timeout without specifying commit_confirm_immediate would need an explicit configure confirm using the ios_command module to confirm/commit the changes made.

Refer to example for a use case demonstration.

Used by: cisco.ios.ios cliconf plugin

ANSIBLE_IOSXR_COMMIT_COMMENT

Adds comment to commit confirmed..

ANSIBLE_IOSXR_COMMIT_CONFIRMED

enable or disable commit confirmed mode

ANSIBLE_IOSXR_COMMIT_CONFIRMED_TIMEOUT

Commits the configuration on a trial basis for the time specified in seconds or minutes.

ANSIBLE_IOSXR_COMMIT_LABEL

Adds label to commit confirmed.

ANSIBLE_IOSXR_CONFIG_MODE_EXCLUSIVE

enable or disable config mode exclusive

ANSIBLE_JSON_INDENT

See the documentations for the options where this environment variable is used.

Used by: ansible.posix.json callback plugin, ansible.posix.jsonl callback plugin

ANSIBLE_KSU_EXE

Su executable

ANSIBLE_KSU_FLAGS

Options to pass to ksu

ANSIBLE_KSU_PASS

ksu password

ANSIBLE_KSU_PROMPT_L10N

List of localized strings to match for prompt detection

If empty we’ll use the built in one

ANSIBLE_KSU_USER

User you ‘become’ to execute the task

ANSIBLE_LIBSSH_CONFIG_FILE

Alternate SSH config file location

Used by: ansible.netcommon.libssh connection plugin

ANSIBLE_LIBSSH_HOST_KEY_AUTO_ADD

TODO: write it

Used by: ansible.netcommon.libssh connection plugin

ANSIBLE_LIBSSH_HOST_KEY_CHECKING

Set this to “False” if you want to avoid host key checking by the underlying tools Ansible uses to connect to the host

Used by: ansible.netcommon.libssh connection plugin

ANSIBLE_LIBSSH_LOOK_FOR_KEYS

TODO: write it

Used by: ansible.netcommon.libssh connection plugin

ANSIBLE_LIBSSH_PROXY_COMMAND

Proxy information for running the connection via a jumphost.

Also this plugin will scan ‘ssh_args’, ‘ssh_extra_args’ and ‘ssh_common_args’ from the ‘ssh’ plugin settings for proxy information if set.

Used by: ansible.netcommon.libssh connection plugin

ANSIBLE_LIBSSH_PTY

TODO: write it

Used by: ansible.netcommon.libssh connection plugin

ANSIBLE_LIBSSH_REMOTE_USER

User to login/authenticate as

Can be set from the CLI via the --user or -u options.

Used by: ansible.netcommon.libssh connection plugin

ANSIBLE_LOG_FOLDER

The folder where log files will be created.

Used by: community.general.log_plays callback plugin

ANSIBLE_LOOKUP_URL_AGENT

User-Agent to use in the request. The default was changed in 2.11 to ansible-httpget.

ANSIBLE_LOOKUP_URL_CA_PATH

String of file system path to CA cert bundle to use

ANSIBLE_LOOKUP_URL_CIPHERS

SSL/TLS Ciphers to use for the request

When a list is provided, all ciphers are joined in order with :

See the OpenSSL Cipher List Format for more details.

The available ciphers is dependent on the Python and OpenSSL/LibreSSL versions

ANSIBLE_LOOKUP_URL_FOLLOW_REDIRECTS

String of urllib2, all/yes, safe, none to determine how redirects are followed

ANSIBLE_LOOKUP_URL_FORCE

Whether or not to set “cache-control” header with value “no-cache”

ANSIBLE_LOOKUP_URL_FORCE_BASIC_AUTH

Force basic authentication

ANSIBLE_LOOKUP_URL_TIMEOUT

How long to wait for the server to send data before giving up

ANSIBLE_LOOKUP_URL_UNIX_SOCKET

String of file system path to unix socket file to use when establishing connection to the provided url

ANSIBLE_LOOKUP_URL_UNREDIR_HEADERS

A list of headers to not attach on a redirected request

ANSIBLE_LOOKUP_URL_USE_GSSAPI

Use GSSAPI handler of requests

As of Ansible 2.11, GSSAPI credentials can be specified with username and password.

ANSIBLE_LOOKUP_URL_USE_NETRC

Determining whether to use credentials from ``~/.netrc`` file

By default .netrc is used with Basic authentication headers

When set to False, .netrc credentials are ignored

Used by: ansible.netcommon.grpc connection plugin, ansible.netcommon.httpapi connection plugin, ansible.netcommon.netconf connection plugin, ansible.netcommon.network_cli connection plugin, ansible.netcommon.persistent connection plugin

ANSIBLE_MACHINECTL_EXE

Machinectl executable

Used by: community.general.machinectl become plugin

ANSIBLE_MACHINECTL_FLAGS

Options to pass to machinectl

Used by: community.general.machinectl become plugin

ANSIBLE_MACHINECTL_PASS

Password for machinectl

Used by: community.general.machinectl become plugin

ANSIBLE_MACHINECTL_USER

User you ‘become’ to execute the task

Used by: community.general.machinectl become plugin

ANSIBLE_MERGE_VARIABLES_OVERRIDE

Return an error, print a warning or ignore it when a key will be overwritten.

The default behavior error makes the plugin fail when a key would be overwritten.

When warn and ignore are used, note that it is important to know that the variables are sorted by name before being merged. Keys for later variables in this order will overwrite keys of the same name for variables earlier in this order. To avoid potential confusion, better use override=error whenever possible.

Used by: community.general.merge_variables lookup plugin

ANSIBLE_MERGE_VARIABLES_PATTERN_TYPE

Change the way of searching for the specified pattern.

Used by: community.general.merge_variables lookup plugin

ANSIBLE_NETCONF_HOST_KEY_CHECKING

Set this to “False” if you want to avoid host key checking by the underlying tools Ansible uses to connect to the host

Used by: ansible.netcommon.netconf connection plugin

ANSIBLE_NETCONF_PROXY_COMMAND

Proxy information for running the connection via a jumphost.

This requires ncclient >= 0.6.10 to be installed on the controller.

Used by: ansible.netcommon.netconf connection plugin

ANSIBLE_NETWORK_CLI_RETRIES

Number of attempts to connect to remote host. The delay time between the retires increases after every attempt by power of 2 in seconds till either the maximum attempts are exhausted or any of the persistent_command_timeout or persistent_connect_timeout timers are triggered.

Used by: ansible.netcommon.network_cli connection plugin

ANSIBLE_NETWORK_CLI_SSH_TYPE

The python package that will be used by the network_cli connection plugin to create a SSH connection to remote host.

libssh will use the ansible-pylibssh package, which needs to be installed in order to work.

paramiko will instead use the paramiko package to manage the SSH connection.

auto will use ansible-pylibssh if that package is installed, otherwise will fallback to paramiko.

Used by: ansible.netcommon.network_cli connection plugin

ANSIBLE_NETWORK_IMPORT_MODULES

Reduce CPU usage and network module execution time by enabling direct execution. Instead of the module being packaged and executed by the shell, it will be directly executed by the Ansible control node using the same python interpreter as the Ansible process. Note- Incompatible with asynchronous mode. Note- Python 3 and Ansible 2.9.16 or greater required. Note- With Ansible 2.9.x fully qualified modules names are required in tasks.

ANSIBLE_NETWORK_SINGLE_USER_MODE

This option enables caching of data fetched from the target for re-use. The cache is invalidated when the target device enters configuration mode.

Applicable only for platforms where this has been implemented.

Used by: ansible.netcommon.network_cli connection plugin

ANSIBLE_NMAP_ADDRESS

Network IP or range of IPs to scan, you can use a simple range (10.2.2.15-25) or CIDR notation.

Used by: community.general.nmap inventory plugin

ANSIBLE_NMAP_EXCLUDE

List of addresses to exclude.

For example 10.2.2.15-25 or 10.2.2.15,10.2.2.16.

Used by: community.general.nmap inventory plugin

ANSIBLE_NSENTER_PID

PID to attach with using nsenter.

The default should be fine unless you are attaching as a non-root user.

Used by: community.docker.nsenter connection plugin

ANSIBLE_OPENTELEMETRY_DISABLE_ATTRIBUTES_IN_LOGS

Disable populating span attributes to the logs.

Used by: community.general.opentelemetry callback plugin

ANSIBLE_OPENTELEMETRY_DISABLE_LOGS

Disable sending logs.

Used by: community.general.opentelemetry callback plugin

ANSIBLE_OPENTELEMETRY_ENABLE_FROM_ENVIRONMENT

Whether to enable this callback only if the given environment variable exists and it is set to true.

This is handy when you use Configuration as Code and want to send distributed traces if running in the CI rather when running Ansible locally.

For such, it evaluates the given enable_from_environment value as environment variable and if set to true this plugin will be enabled.

Used by: community.general.opentelemetry callback plugin

ANSIBLE_OPENTELEMETRY_HIDE_TASK_ARGUMENTS

Hide the arguments for a task.

Used by: community.general.elastic callback plugin, community.general.opentelemetry callback plugin

ANSIBLE_PARAMIKO_BANNER_TIMEOUT

Configures, in seconds, the amount of time to wait for the SSH banner to be presented. This option is supported by paramiko version 1.15.0 or newer.

Used by: ansible.builtin.paramiko_ssh connection plugin

ANSIBLE_PARAMIKO_HOST_KEY_CHECKING

Set this to “False” if you want to avoid host key checking by the underlying tools Ansible uses to connect to the host

Used by: ansible.builtin.paramiko_ssh connection plugin

ANSIBLE_PARAMIKO_PRIVATE_KEY_FILE

Path to private key file to use for authentication.

Used by: ansible.builtin.paramiko_ssh connection plugin

ANSIBLE_PARAMIKO_PROXY_COMMAND

Proxy information for running the connection via a jumphost.

Used by: ansible.builtin.paramiko_ssh connection plugin

ANSIBLE_PARAMIKO_PTY

SUDO usually requires a PTY, True to give a PTY and False to not give a PTY.

Used by: ansible.builtin.paramiko_ssh connection plugin

ANSIBLE_PARAMIKO_RECORD_HOST_KEYS

Save the host keys to a file

Used by: ansible.builtin.paramiko_ssh connection plugin

ANSIBLE_PARAMIKO_REMOTE_USER

User to login/authenticate as

Can be set from the CLI via the --user or -u options.

Used by: ansible.builtin.paramiko_ssh connection plugin

ANSIBLE_PARAMIKO_TIMEOUT

Number of seconds until the plugin gives up on failing to establish a TCP connection.

Used by: ansible.builtin.paramiko_ssh connection plugin

ANSIBLE_PARAMIKO_USE_RSA_SHA2_ALGORITHMS

Whether or not to enable RSA SHA2 algorithms for pubkeys and hostkeys

On paramiko versions older than 2.9, this only affects hostkeys

For behavior matching paramiko<2.9 set this to False

Used by: ansible.builtin.paramiko_ssh connection plugin

ANSIBLE_PBRUN_EXE

Sudo executable

ANSIBLE_PBRUN_FLAGS

Options to pass to pbrun

ANSIBLE_PBRUN_PASS

Password for pbrun

ANSIBLE_PBRUN_USER

User you ‘become’ to execute the task

ANSIBLE_PBRUN_WRAP_EXECUTION

Toggle to wrap the command pbrun calls in ‘shell -c’ or not

Used by: ansible.netcommon.grpc connection plugin, ansible.netcommon.httpapi connection plugin, ansible.netcommon.netconf connection plugin, ansible.netcommon.network_cli connection plugin, ansible.netcommon.persistent connection plugin

ANSIBLE_PERSISTENT_BUFFER_READ_TIMEOUT

Configures, in seconds, the amount of time to wait for the data to be read from Paramiko channel after the command prompt is matched. This timeout value ensures that command prompt matched is correct and there is no more data left to be received from remote host.

Used by: ansible.netcommon.network_cli connection plugin

ANSIBLE_PERSISTENT_LOG_MESSAGES

This flag will enable logging the command executed and response received from target device in the ansible log file. For this option to work ‘log_path’ ansible configuration option is required to be set to a file path with write access.

Be sure to fully understand the security implications of enabling this option as it could create a security vulnerability by logging sensitive information in log file.

ANSIBLE_PFEXEC_EXE

Sudo executable

ANSIBLE_PFEXEC_FLAGS

Options to pass to pfexec

ANSIBLE_PFEXEC_PASS

pfexec password

ANSIBLE_PFEXEC_USER

User you ‘become’ to execute the task

This plugin ignores this setting as pfexec uses it’s own exec_attr to figure this out, but it is supplied here for Ansible to make decisions needed for the task execution, like file permissions.

ANSIBLE_PFEXEC_WRAP_EXECUTION

Toggle to wrap the command pfexec calls in ‘shell -c’ or not

ANSIBLE_PKCS11_PROVIDER

PKCS11 SmartCard provider such as opensc, example: /usr/local/lib/opensc-pkcs11.so

Requires sshpass version 1.06+, sshpass must support the -P option.

ANSIBLE_PLATFORM_TYPE

Set type of platform.

Used by: ansible.netcommon.httpapi connection plugin

ANSIBLE_PMRUN_EXE

Sudo executable

Used by: community.general.pmrun become plugin

ANSIBLE_PMRUN_FLAGS

Options to pass to pmrun

Used by: community.general.pmrun become plugin

ANSIBLE_PMRUN_PASS

pmrun password

Used by: community.general.pmrun become plugin

ANSIBLE_PODMAN_EXECUTABLE

Executable for podman command.

Used by: containers.podman.podman connection plugin

ANSIBLE_PODMAN_EXTRA_ARGS

Extra arguments to pass to the podman command line.

Used by: containers.podman.podman connection plugin

ANSIBLE_REDIS_HOST

location of Redis host

Used by: community.general.redis lookup plugin

ANSIBLE_REDIS_PORT

port on which Redis is listening on

Used by: community.general.redis lookup plugin

ANSIBLE_REDIS_SOCKET

path to socket on which to query Redis, this option overrides host and port options when set.

Used by: community.general.redis lookup plugin

ANSIBLE_REMOTE_PARAMIKO_PORT

Remote port to connect to.

Used by: ansible.builtin.paramiko_ssh connection plugin

ANSIBLE_REMOTE_TEMP

Temporary directory to use on targets when executing tasks.

Used by: ansible.builtin.sh shell plugin, ansible.posix.csh shell plugin, ansible.posix.fish shell plugin

ANSIBLE_REMOTE_TMP

Temporary directory to use on targets when executing tasks.

Used by: ansible.builtin.sh shell plugin, ansible.posix.csh shell plugin, ansible.posix.fish shell plugin

ANSIBLE_ROOT_CERTIFICATES_FILE

The PEM encoded root certificate file used to create a SSL-enabled channel, if the value is None it reads the root certificates from a default location chosen by gRPC at runtime.

Used by: ansible.netcommon.grpc connection plugin

ANSIBLE_RUNAS_FLAGS

Options to pass to runas, a space delimited list of k=v pairs

Used by: ansible.builtin.runas become plugin

ANSIBLE_RUNAS_PASS

password

Used by: ansible.builtin.runas become plugin

ANSIBLE_RUNAS_USER

User you ‘become’ to execute the task

Used by: ansible.builtin.runas become plugin

ANSIBLE_SCP_EXECUTABLE

This defines the location of the scp binary. It defaults to scp which will use the first binary available in $PATH.

ANSIBLE_SCP_EXTRA_ARGS

Extra exclusive to the scp CLI

ANSIBLE_SELECTIVE_DONT_COLORIZE

This setting allows suppressing colorizing output.

Used by: community.general.selective callback plugin

ANSIBLE_SESU_EXE

sesu executable

ANSIBLE_SESU_FLAGS

Options to pass to sesu

ANSIBLE_SESU_PASS

Password to pass to sesu

ANSIBLE_SESU_USER

User you ‘become’ to execute the task

ANSIBLE_SFTP_BATCH_MODE

TODO: write it

ANSIBLE_SFTP_EXECUTABLE

This defines the location of the sftp binary. It defaults to sftp which will use the first binary available in $PATH.

ANSIBLE_SFTP_EXTRA_ARGS

Extra exclusive to the sftp CLI

Used by: ansible.builtin.default callback plugin, ansible.posix.debug callback plugin, ansible.posix.skippy callback plugin, community.general.counter_enabled callback plugin, community.general.default_without_diff callback plugin, community.general.dense callback plugin, community.general.diy callback plugin, community.general.unixy callback plugin, community.general.yaml callback plugin

ANSIBLE_SHELL_ALLOW_WORLD_READABLE_TEMP

This makes the temporary files created on the machine world-readable and will issue a warning instead of failing the task.

It is useful when becoming an unprivileged user.

Used by: ansible.builtin.sh shell plugin, ansible.posix.csh shell plugin, ansible.posix.fish shell plugin

ANSIBLE_SHOW_PER_HOST_START

This adds output that shows when a task is started to execute for each host

ANSIBLE_SHOW_TASK_PATH_ON_FAILURE

When a task fails, display the path to the file containing the failed task and the line number. This information is displayed automatically for every task when running with -vv or greater verbosity.

Used by: ansible.builtin.default callback plugin, ansible.posix.debug callback plugin, ansible.posix.skippy callback plugin, community.general.counter_enabled callback plugin, community.general.default_without_diff callback plugin, community.general.dense callback plugin, community.general.diy callback plugin, community.general.unixy callback plugin, community.general.yaml callback plugin

ANSIBLE_SOPS_AGE_KEY

One or more age private keys that can be used to decrypt encrypted files.

Will be set as the SOPS_AGE_KEY environment variable when calling sops.

Used by: community.sops.sops lookup plugin, community.sops.sops vars plugin

ANSIBLE_SOPS_AGE_KEYFILE

The file containing the age private keys that sops can use to decrypt encrypted files.

Will be set as the SOPS_AGE_KEY_FILE environment variable when calling sops.

By default, sops looks for sops/age/keys.txt inside your user configuration directory.

Used by: community.sops.sops lookup plugin, community.sops.sops vars plugin

ANSIBLE_SOPS_AWS_ACCESS_KEY_ID

The AWS access key ID to use for requests to AWS.

Sets the environment variable AWS_ACCESS_KEY_ID for the sops call.

Used by: community.sops.sops lookup plugin, community.sops.sops vars plugin

ANSIBLE_SOPS_AWS_PROFILE

The AWS profile to use for requests to AWS.

This corresponds to the sops --aws-profile option.

Used by: community.sops.sops lookup plugin, community.sops.sops vars plugin

ANSIBLE_SOPS_AWS_SECRET_ACCESS_KEY

The AWS secret access key to use for requests to AWS.

Sets the environment variable AWS_SECRET_ACCESS_KEY for the sops call.

Used by: community.sops.sops lookup plugin, community.sops.sops vars plugin

ANSIBLE_SOPS_AWS_SESSION_TOKEN

The AWS session token to use for requests to AWS.

Sets the environment variable AWS_SESSION_TOKEN for the sops call.

Used by: community.sops.sops lookup plugin, community.sops.sops vars plugin

ANSIBLE_SOPS_BINARY

Path to the sops binary.

By default uses sops.

Used by: community.sops.sops lookup plugin, community.sops.sops vars plugin

ANSIBLE_SOPS_CONFIG_PATH

Path to the sops configuration file.

If not set, sops will recursively search for the config file starting at the file that is encrypted or decrypted.

This corresponds to the sops --config option.

Used by: community.sops.sops lookup plugin, community.sops.sops vars plugin

ANSIBLE_SOPS_ENABLE_LOCAL_KEYSERVICE

Tell sops to use local key service.

This corresponds to the sops --enable-local-keyservice option.

Used by: community.sops.sops lookup plugin, community.sops.sops vars plugin

ANSIBLE_SOPS_KEYSERVICE

Specify key services to use next to the local one.

A key service must be specified in the form protocol://address, for example tcp://myserver.com:5000.

This corresponds to the sops --keyservice option.

Used by: community.sops.sops lookup plugin, community.sops.sops vars plugin

ANSIBLE_SSH_ARGS

See the documentations for the options where this environment variable is used.

Used by: ansible.builtin.ssh connection plugin, ansible.netcommon.libssh connection plugin

ANSIBLE_SSH_COMMON_ARGS

See the documentations for the options where this environment variable is used.

Used by: ansible.builtin.ssh connection plugin, ansible.netcommon.libssh connection plugin

ANSIBLE_SSH_CONTROL_PATH

This is the location to save SSH’s ControlPath sockets, it uses SSH’s variable substitution.

Since 2.3, if null (default), ansible will generate a unique hash. Use ``%(directory)s`` to indicate where to use the control dir path setting.

Before 2.3 it defaulted to ``control_path=%(directory)s/ansible-ssh-%%h-%%p-%%r``.

Be aware that this setting is ignored if -o ControlPath is set in ssh args.

ANSIBLE_SSH_CONTROL_PATH_DIR

This sets the directory to use for ssh control path if the control path setting is null.

Also, provides the ``%(directory)s`` variable for the control path setting.

ANSIBLE_SSH_EXECUTABLE

This defines the location of the SSH binary. It defaults to ssh which will use the first SSH binary available in $PATH.

This option is usually not required, it might be useful when access to system SSH is restricted, or when using SSH wrappers to connect to remote hosts.

Used by: ansible.builtin.paramiko_ssh connection plugin, ansible.builtin.ssh connection plugin, ansible.netcommon.libssh connection plugin, ansible.netcommon.netconf connection plugin, ansible.netcommon.network_cli connection plugin

ANSIBLE_SSH_EXTRA_ARGS

See the documentations for the options where this environment variable is used.

Used by: ansible.builtin.ssh connection plugin, ansible.netcommon.libssh connection plugin

ANSIBLE_SSH_HOST_KEY_CHECKING

See the documentations for the options where this environment variable is used.

ANSIBLE_SSH_PIPELINING

Pipelining reduces the number of connection operations required to execute a module on the remote server, by executing many Ansible modules without actual file transfers.

This can result in a very significant performance improvement when enabled.

However this can conflict with privilege escalation (become). For example, when using sudo operations you must first disable ‘requiretty’ in the sudoers file for the target hosts, which is why this feature is disabled by default.

ANSIBLE_SSH_RETRIES

Number of attempts to connect.

Ansible retries connections only if it gets an SSH error with a return code of 255.

Any errors with return codes other than 255 indicate an issue with program execution.

ANSIBLE_SSH_TIMEOUT

See the documentations for the options where this environment variable is used.

Used by: ansible.builtin.paramiko_ssh connection plugin, ansible.builtin.ssh connection plugin

ANSIBLE_SSH_TRANSFER_METHOD

Preferred method to use when transferring files over ssh

ANSIBLE_SSH_USETTY

add -tt to ssh commands to force tty allocation.

ANSIBLE_SSHPASS_PROMPT

Password prompt that sshpass should search for. Supported by sshpass 1.06 and up.

Defaults to Enter PIN for when pkcs11_provider is set.

ANSIBLE_SU_EXE

Su executable

ANSIBLE_SU_FLAGS

Options to pass to su

ANSIBLE_SU_PASS

Password to pass to su

ANSIBLE_SU_PROMPT_L10N

List of localized strings to match for prompt detection

If empty we’ll use the built in one

Do NOT add a colon (:) to your custom entries. Ansible adds a colon at the end of each prompt; if you add another one in your string, your prompt will fail with a “Timeout” error.

ANSIBLE_SU_USER

User you ‘become’ to execute the task

Used by: amazon.aws.aws_account_attribute lookup plugin, amazon.aws.aws_ec2 inventory plugin, amazon.aws.aws_rds inventory plugin, amazon.aws.secretsmanager_secret lookup plugin, amazon.aws.ssm_parameter lookup plugin, community.aws.aws_mq inventory plugin

ANSIBLE_SUDO_EXE

Sudo executable

Used by: ansible.builtin.sudo become plugin, containers.podman.podman_unshare become plugin

ANSIBLE_SUDO_FLAGS

See the documentations for the options where this environment variable is used.

Used by: ansible.builtin.sudo become plugin, community.general.sudosu become plugin

ANSIBLE_SUDO_PASS

See the documentations for the options where this environment variable is used.

Used by: ansible.builtin.sudo become plugin, community.general.sudosu become plugin, containers.podman.podman_unshare become plugin

ANSIBLE_SUDO_USER

See the documentations for the options where this environment variable is used.

Used by: ansible.builtin.sudo become plugin, community.general.sudosu become plugin, containers.podman.podman_unshare become plugin

ANSIBLE_SYSLOG_SETUP

Log setup tasks.

Used by: community.general.syslog_json callback plugin

ANSIBLE_SYSTEM_TMPDIRS

List of valid system temporary directories on the managed machine for Ansible to validate remote_tmp against, when specific permissions are needed. These must be world readable, writable, and executable. This list should only contain directories which the system administrator has pre-created with the proper ownership and permissions otherwise security issues can arise.

When remote_tmp is required to be a system temp dir and it does not match any in the list, the first one from the list will be used instead.

Used by: ansible.builtin.sh shell plugin, ansible.posix.csh shell plugin, ansible.posix.fish shell plugin

ANSIBLE_VARS_PLUGIN_STAGE

Control when this vars plugin may be executed.

Setting this option to all will run the vars plugin after importing inventory and whenever it is demanded by a task.

Setting this option to task will only run the vars plugin whenever it is demanded by a task.

Setting this option to inventory will only run the vars plugin after parsing inventory.

If this option is omitted, the global RUN_VARS_PLUGINS configuration is used to determine when to execute the vars plugin.

Used by: ansible.builtin.host_group_vars vars plugin

ANSIBLE_VARS_SOPS_PLUGIN_CACHE

Whether to cache decrypted files or not.

If the cache is disabled, the files will be decrypted for almost every task. This is very slow!

Only disable caching if you modify the variable files during a playbook run and want the updated result to be available from the next task on.

Note that setting stage=inventory has the same effect as setting cache=true: the variables will be loaded only once (during inventory loading) and the vars plugin will not be called for every task.

Used by: community.sops.sops vars plugin

ANSIBLE_VARS_SOPS_PLUGIN_STAGE

Control when this vars plugin may be executed.

Setting this option to all will run the vars plugin after importing inventory and whenever it is demanded by a task.

Setting this option to task will only run the vars plugin whenever it is demanded by a task.

Setting this option to inventory will only run the vars plugin after parsing inventory.

If this option is omitted, the global RUN_VARS_PLUGINS configuration is used to determine when to execute the vars plugin.

Used by: community.sops.sops vars plugin

ANSIBLE_XO_HOST

API host to XOA API.

If the value is not specified in the inventory configuration, the value of environment variable ANSIBLE_XO_HOST will be used instead.

Used by: community.general.xen_orchestra inventory plugin

ANSIBLE_XO_PASSWORD

Xen Orchestra password.

If the value is not specified in the inventory configuration, the value of environment variable ANSIBLE_XO_PASSWORD will be used instead.

Used by: community.general.xen_orchestra inventory plugin

ANSIBLE_XO_USER

Xen Orchestra user.

If the value is not specified in the inventory configuration, the value of environment variable ANSIBLE_XO_USER will be used instead.

Used by: community.general.xen_orchestra inventory plugin

ANSIBLE_ZABBIX_AUTH_KEY

Specifies API authentication key

Used by: community.zabbix.zabbix httpapi plugin

ANSIBLE_ZABBIX_URL_PATH

Specifies path portion in Zabbix WebUI URL, e.g. for https://myzabbixfarm.com/zabbixeu zabbix_url_path=zabbixeu

Used by: community.zabbix.zabbix httpapi plugin

AWS_ACCESS_KEY

See the documentations for the options where this environment variable is used.

AWS_ACCESS_KEY_ID

See the documentations for the options where this environment variable is used.

AWS_DEFAULT_PROFILE

See the documentations for the options where this environment variable is used.

AWS_DEFAULT_REGION

The region the EC2 instance is located.

Used by: community.aws.aws_ssm connection plugin

AWS_PROFILE

See the documentations for the options where this environment variable is used.

AWS_REGION

See the documentations for the options where this environment variable is used.

AWS_SECRET_ACCESS_KEY

See the documentations for the options where this environment variable is used.

AWS_SECRET_KEY

See the documentations for the options where this environment variable is used.

AWS_SECURITY_TOKEN

See the documentations for the options where this environment variable is used.

AWS_SESSION_TOKEN

See the documentations for the options where this environment variable is used.

AWS_URL

URL to connect to instead of the default AWS endpoints. While this can be used to connection to other AWS-compatible services the amazon.aws and community.aws collections are only tested against AWS.

The endpoint alias has been deprecated and will be removed in a release after 2024-12-01.

BWS_ACCESS_TOKEN

The BWS access token to use for this lookup.

Used by: community.general.bitwarden_secrets_manager lookup plugin

CGROUP_CONTROL_GROUP

Name of cgroups control group

Used by: ansible.posix.cgroup_perf_recap callback plugin

CGROUP_CPU_POLL_INTERVAL

Interval between CPU polling for determining CPU usage. A lower value may produce inaccurate results, a higher value may not be short enough to collect results for short tasks.

Used by: ansible.posix.cgroup_perf_recap callback plugin

CGROUP_CUR_MEM_FILE

Path to memory.usage_in_bytes file. Example /sys/fs/cgroup/memory/ansible_profile/memory.usage_in_bytes.

Used by: community.general.cgroup_memory_recap callback plugin

CGROUP_DISPLAY_RECAP

Controls whether the recap is printed at the end, useful if you will automatically process the output files

Used by: ansible.posix.cgroup_perf_recap callback plugin

CGROUP_FILE_NAME_FORMAT

Format of filename. Accepts %(counters), %(task_uuids), %(features), %(exts). Defaults to %(features.%(ext)s) when file_per_task is False and %(counters-%(task_uuid)s-%(feature)s.%(ext)s) when True

Used by: ansible.posix.cgroup_perf_recap callback plugin

CGROUP_FILE_PER_TASK

When set as True along with write_files, this callback will write 1 file per task instead of 1 file for the entire playbook run

Used by: ansible.posix.cgroup_perf_recap callback plugin

CGROUP_MAX_MEM_FILE

Path to cgroups memory.max_usage_in_bytes file. Example /sys/fs/cgroup/memory/ansible_profile/memory.max_usage_in_bytes.

Used by: community.general.cgroup_memory_recap callback plugin

CGROUP_MEMORY_POLL_INTERVAL

Interval between memory polling for determining memory usage. A lower value may produce inaccurate results, a higher value may not be short enough to collect results for short tasks.

Used by: ansible.posix.cgroup_perf_recap callback plugin

CGROUP_OUTPUT_DIR

Output directory for files containing recorded performance readings. If the value contains a single %s, the start time of the playbook run will be inserted in that space. Only the deepest level directory will be created if it does not exist, parent directories will not be created.

Used by: ansible.posix.cgroup_perf_recap callback plugin

CGROUP_OUTPUT_FORMAT

Output format, either CSV or JSON-seq

Used by: ansible.posix.cgroup_perf_recap callback plugin

CGROUP_PID_POLL_INTERVAL

Interval between PID polling for determining PID count. A lower value may produce inaccurate results, a higher value may not be short enough to collect results for short tasks.

Used by: ansible.posix.cgroup_perf_recap callback plugin

CGROUP_WRITE_FILES

Dictates whether files will be written containing performance readings

Used by: ansible.posix.cgroup_perf_recap callback plugin

CLOUDSTACK_ENDPOINT

URL of the CloudStack API e.g. https://cloud.example.com/client/api.

If not given, the CLOUDSTACK_ENDPOINT env variable is considered.

Used by: ngine_io.cloudstack.instance inventory plugin

CLOUDSTACK_KEY

API key of the CloudStack API.

If not given, the CLOUDSTACK_KEY env variable is considered.

Used by: ngine_io.cloudstack.instance inventory plugin

CLOUDSTACK_METHOD

HTTP method used to query the API endpoint.

If not given, the CLOUDSTACK_METHOD env variable is considered.

Used by: ngine_io.cloudstack.instance inventory plugin

CLOUDSTACK_SECRET

Secret key of the CloudStack API.

If not set, the CLOUDSTACK_SECRET env variable is considered.

Used by: ngine_io.cloudstack.instance inventory plugin

CLOUDSTACK_TIMEOUT

HTTP timeout in seconds.

If not given, the CLOUDSTACK_TIMEOUT env variable is considered.

Used by: ngine_io.cloudstack.instance inventory plugin

CLOUDSTACK_VERIFY

Verify CA authority cert file.

If not given, the CLOUDSTACK_VERIFY env variable is considered.

Used by: ngine_io.cloudstack.instance inventory plugin

COBBLER_PASSWORD

Cobbler authentication password.

Used by: community.general.cobbler inventory plugin

COBBLER_SERVER

URL to cobbler.

Used by: community.general.cobbler inventory plugin

COBBLER_USER

Cobbler authentication user.

Used by: community.general.cobbler inventory plugin

CONJUR_AUTHN_TOKEN_FILE

Path to the access token file.

Used by: cyberark.conjur.conjur_variable lookup plugin

CONJUR_CONFIG_FILE

Path to the Conjur configuration file. The configuration file is a YAML file.

Used by: cyberark.conjur.conjur_variable lookup plugin

CONJUR_IDENTITY_FILE

Path to the Conjur identity file. The identity file follows the netrc file format convention.

Used by: cyberark.conjur.conjur_variable lookup plugin

CONTROLLER_HOST

The network address of your Automation Platform Controller host.

Used by: awx.awx.controller inventory plugin, awx.awx.controller_api lookup plugin

CONTROLLER_INVENTORY

The ID of the inventory that you wish to import.

This is allowed to be either the inventory primary key or its named URL slug.

Primary key values will be accepted as strings or integers, and URL slugs must be strings.

Named URL slugs follow the syntax of “inventory_name++organization_name”.

Used by: awx.awx.controller inventory plugin

CONTROLLER_OAUTH_TOKEN

The OAuth token to use.

Used by: awx.awx.controller inventory plugin, awx.awx.controller_api lookup plugin

CONTROLLER_PASSWORD

The password for your controller user.

Used by: awx.awx.controller inventory plugin, awx.awx.controller_api lookup plugin

CONTROLLER_REQUEST_TIMEOUT

Specify the timeout Ansible should use in requests to the controller host.

Defaults to 10 seconds

This will not work with the export or import modules.

Used by: awx.awx.controller inventory plugin, awx.awx.controller_api lookup plugin

CONTROLLER_USERNAME

The user that you plan to use to access inventories on the controller.

Used by: awx.awx.controller inventory plugin, awx.awx.controller_api lookup plugin

CONTROLLER_VERIFY_SSL

Specify whether Ansible should verify the SSL certificate of the controller host.

Defaults to True, but this is handled by the shared module_utils code

Used by: awx.awx.controller inventory plugin, awx.awx.controller_api lookup plugin

DSV_CLIENT_ID

The client_id with which to request the Access Grant.

DSV_CLIENT_SECRET

The client secret associated with the specific client_id.

DSV_TENANT

The first format parameter in the default url_template.

DSV_TLD

The top-level domain of the tenant; the second format parameter in the default url_template.

DSV_URL_TEMPLATE

The path to prepend to the base URL to form a valid REST API request.

Used by: amazon.aws.aws_account_attribute lookup plugin, amazon.aws.aws_ec2 inventory plugin, amazon.aws.aws_rds inventory plugin, amazon.aws.secretsmanager_secret lookup plugin, amazon.aws.ssm_parameter lookup plugin, community.aws.aws_mq inventory plugin

EC2_ACCESS_KEY

See the documentations for the options where this environment variable is used.

EC2_REGION

See the documentations for the options where this environment variable is used.

EC2_SECRET_KEY

See the documentations for the options where this environment variable is used.

EC2_SECURITY_TOKEN

See the documentations for the options where this environment variable is used.

EC2_URL

URL to connect to instead of the default AWS endpoints. While this can be used to connection to other AWS-compatible services the amazon.aws and community.aws collections are only tested against AWS.

The endpoint alias has been deprecated and will be removed in a release after 2024-12-01.

ELASTIC_APM_API_KEY

Use the APM API key

Used by: community.general.elastic callback plugin

ELASTIC_APM_SECRET_TOKEN

Use the APM server token

Used by: community.general.elastic callback plugin

ELASTIC_APM_SERVER_URL

Use the APM server and its environment variables.

Used by: community.general.elastic callback plugin

ELASTIC_APM_SERVICE_NAME

The service name resource attribute.

Used by: community.general.elastic callback plugin

ELASTIC_APM_VERIFY_SERVER_CERT

Verifies the SSL certificate if an HTTPS connection.

Used by: community.general.elastic callback plugin

ETCDCTL_CACERT

etcd3 CA authority.

ETCDCTL_CERT

etcd3 client certificate.

ETCDCTL_DIAL_TIMEOUT

Client timeout.

ETCDCTL_ENDPOINTS

Counterpart of ETCDCTL_ENDPOINTS environment variable. Specify the etcd3 connection with and URL form, for example https://hostname:2379, or <host>:<port> form.

The host part is overwritten by host option, if defined.

The port part is overwritten by port option, if defined.

ETCDCTL_KEY

etcd3 client private key.

ETCDCTL_PASSWORD

Authenticated user password.

ETCDCTL_USER

Authenticated user name.

FOREMAN_CALLBACK_DISABLE

Toggle to make the callback plugin disable itself even if it is loaded.

It can be set to ‘1’ to prevent the plugin from being used even if it gets loaded.

Used by: theforeman.foreman.foreman callback plugin

FOREMAN_DIR_STORE

When set, callback does not perform HTTP calls but stores results in a given directory.

For each report, new file in the form of SEQ_NO-hostname.json is created.

For each facts, new file in the form of SEQ_NO-hostname.json is created.

The value must be a valid directory.

This is meant for debugging and testing purposes.

When set to blank (default) this functionality is turned off.

Used by: theforeman.foreman.foreman callback plugin

FOREMAN_PASSWORD

Password of the user accessing the Foreman server.

Used by: theforeman.foreman.foreman inventory plugin

FOREMAN_PROXY_URL

URL of the Foreman Smart Proxy server.

Used by: theforeman.foreman.foreman callback plugin

FOREMAN_REPORT_TYPE

endpoint type for reports: foreman or proxy

Used by: theforeman.foreman.foreman callback plugin

FOREMAN_SERVER

URL of the Foreman server.

Used by: theforeman.foreman.foreman callback plugin, theforeman.foreman.foreman inventory plugin

FOREMAN_SERVER_URL

URL of the Foreman server.

Used by: theforeman.foreman.foreman callback plugin, theforeman.foreman.foreman inventory plugin

FOREMAN_SSL_CERT

X509 certificate to authenticate to Foreman if https is used

Used by: theforeman.foreman.foreman callback plugin

FOREMAN_SSL_KEY

the corresponding private key

Used by: theforeman.foreman.foreman callback plugin

FOREMAN_SSL_VERIFY

Toggle to decide whether to verify the Foreman certificate.

It can be set to ‘1’ to verify SSL certificates using the installed CAs or to a path pointing to a CA bundle.

Set to ‘0’ to disable certificate checking.

Used by: theforeman.foreman.foreman callback plugin

FOREMAN_URL

URL of the Foreman server.

Used by: theforeman.foreman.foreman callback plugin, theforeman.foreman.foreman inventory plugin

FOREMAN_USER

Username accessing the Foreman server.

Used by: theforeman.foreman.foreman inventory plugin

FOREMAN_USERNAME

Username accessing the Foreman server.

Used by: theforeman.foreman.foreman inventory plugin

FOREMAN_VALIDATE_CERTS

Whether or not to verify the TLS certificates of the Foreman server.

Used by: theforeman.foreman.foreman inventory plugin

GCE_CREDENTIALS_FILE_PATH

The path of a Service Account JSON file if serviceaccount is selected as type.

Used by: google.cloud.gcp_compute inventory plugin

GCP_ACCESS_TOKEN

An OAuth2 access token if credential type is accesstoken.

Used by: google.cloud.gcp_compute inventory plugin

GCP_AUTH_KIND

The type of credential used.

Used by: google.cloud.gcp_compute inventory plugin

GCP_SCOPES

list of authentication scopes

Used by: google.cloud.gcp_compute inventory plugin

GCP_SERVICE_ACCOUNT_CONTENTS

A string representing the contents of a Service Account JSON file. This should not be passed in as a dictionary, but a string that has the exact contents of a service account json file (valid JSON).

Used by: google.cloud.gcp_compute inventory plugin

GCP_SERVICE_ACCOUNT_EMAIL

An optional service account email address if machineaccount is selected and the user does not wish to use the default email.

Used by: google.cloud.gcp_compute inventory plugin

GCP_SERVICE_ACCOUNT_FILE

The path of a Service Account JSON file if serviceaccount is selected as type.

Used by: google.cloud.gcp_compute inventory plugin

GITLAB_API_TOKEN

GitLab token for logging in.

Used by: community.general.gitlab_runners inventory plugin

GITLAB_FILTER

filter runners from GitLab API

Used by: community.general.gitlab_runners inventory plugin

GITLAB_SERVER_URL

The URL of the GitLab server, with protocol (i.e. http or https).

Used by: community.general.gitlab_runners inventory plugin

GRAFANA_API_KEY

See the documentations for the options where this environment variable is used.

Used by: community.grafana.grafana_annotations callback plugin, community.grafana.grafana_dashboard lookup plugin

GRAFANA_DASHBOARD_ID

The grafana dashboard id where the annotation shall be created.

Used by: community.grafana.grafana_annotations callback plugin

GRAFANA_DASHBOARD_SEARCH

optional filter for dashboard search.

Used by: community.grafana.grafana_dashboard lookup plugin

GRAFANA_ORG_ID

grafana organisation id.

Used by: community.grafana.grafana_dashboard lookup plugin

GRAFANA_PANEL_IDS

The grafana panel ids where the annotation shall be created. Give a single integer or a comma-separated list of integers.

Used by: community.grafana.grafana_annotations callback plugin

GRAFANA_PASSWORD

See the documentations for the options where this environment variable is used.

Used by: community.grafana.grafana_annotations callback plugin, community.grafana.grafana_dashboard lookup plugin

GRAFANA_URL

See the documentations for the options where this environment variable is used.

Used by: community.grafana.grafana_annotations callback plugin, community.grafana.grafana_dashboard lookup plugin

GRAFANA_USER

See the documentations for the options where this environment variable is used.

Used by: community.grafana.grafana_annotations callback plugin, community.grafana.grafana_dashboard lookup plugin

GRAFANA_VALIDATE_CERT

validate the SSL certificate of the Grafana server. (For HTTPS url)

Used by: community.grafana.grafana_annotations callback plugin

HCLOUD_ENDPOINT

The API Endpoint for the Hetzner Cloud.

Used by: hetzner.hcloud.hcloud inventory plugin

HCLOUD_TOKEN

The API Token for the Hetzner Cloud.

Used by: hetzner.hcloud.hcloud inventory plugin

HETZNER_DNS_TOKEN

The token for the Hetzner API.

If not provided, will be read from the environment variable HETZNER_DNS_TOKEN.

Used by: community.dns.hetzner_dns_records inventory plugin

HIPCHAT_API_VERSION

HipChat API version, v1 or v2.

Used by: community.general.hipchat callback plugin

HIPCHAT_FROM

Name to post as

Used by: community.general.hipchat callback plugin

HIPCHAT_NOTIFY

Add notify flag to important messages

Used by: community.general.hipchat callback plugin

HIPCHAT_ROOM

HipChat room to post in.

Used by: community.general.hipchat callback plugin

HIPCHAT_TOKEN

HipChat API token for v1 or v2 API.

Used by: community.general.hipchat callback plugin

HROBOT_API_PASSWORD

The password for the Robot webservice user.

Used by: community.hrobot.robot inventory plugin

HROBOT_API_USER

The username for the Robot webservice user.

Used by: community.hrobot.robot inventory plugin

HTTP_AGENT

The HTTP ‘User-agent’ value to set in HTTP requets.

Used by: community.grafana.grafana_annotations callback plugin

INFOBLOX_HOST

Specifies the DNS host name or address for connecting to the remote instance of NIOS WAPI over REST.

Value can also be specified using INFOBLOX_HOST environment variable.

Used by: infoblox.nios_modules.nios_inventory inventory plugin

INFOBLOX_PASSWORD

Specifies the password to use to authenticate the connection to the remote instance of NIOS.

Value can also be specified using INFOBLOX_PASSWORD environment variable.

Used by: infoblox.nios_modules.nios_inventory inventory plugin

INFOBLOX_USERNAME

Configures the username to use to authenticate the connection to the remote instance of NIOS.

Value can also be specified using INFOBLOX_USERNAME environment variable.

Used by: infoblox.nios_modules.nios_inventory inventory plugin

JABBER_PASS

Password for the user to the jabber server

Used by: community.general.jabber callback plugin

JABBER_SERV

connection info to jabber server

Used by: community.general.jabber callback plugin

JABBER_TO

chat identifier that will receive the message

Used by: community.general.jabber callback plugin

JABBER_USER

Jabber user to authenticate as

Used by: community.general.jabber callback plugin

JUNIT_FAIL_ON_CHANGE

Consider any tasks reporting “changed” as a junit test failure

JUNIT_FAIL_ON_IGNORE

Consider failed tasks as a junit test failure even if ignore_on_error is set

JUNIT_HIDE_TASK_ARGUMENTS

Hide the arguments for a task

JUNIT_INCLUDE_SETUP_TASKS_IN_REPORT

Should the setup tasks be included in the final report

JUNIT_OUTPUT_DIR

Directory to write XML files to.

JUNIT_REPLACE_OUT_OF_TREE_PATH

Replace the directory portion of an out-of-tree relative task path with the given placeholder

JUNIT_TASK_CLASS

Configure the output to be one class per yaml file

JUNIT_TASK_RELATIVE_PATH

Configure the output to use relative paths to given directory

JUNIT_TEST_CASE_PREFIX

Consider a task only as test case if it has this value as prefix. Additionally failing tasks are recorded as failed test cases.

K8S_AUTH_API_KEY

See the documentations for the options where this environment variable is used.

Used by: community.okd.oc connection plugin, kubernetes.core.kubectl connection plugin

K8S_AUTH_CERT_FILE

Path to a certificate used to authenticate with the API.

Used by: community.okd.oc connection plugin, kubernetes.core.kubectl connection plugin

K8S_AUTH_CONTAINER

See the documentations for the options where this environment variable is used.

Used by: community.okd.oc connection plugin, kubernetes.core.kubectl connection plugin

K8S_AUTH_CONTEXT

The name of a context found in the K8s config file.

Used by: community.okd.oc connection plugin, kubernetes.core.kubectl connection plugin

K8S_AUTH_EXTRA_ARGS

See the documentations for the options where this environment variable is used.

Used by: community.okd.oc connection plugin, kubernetes.core.kubectl connection plugin

K8S_AUTH_HOST

URL for accessing the API.

Used by: community.okd.oc connection plugin, kubernetes.core.kubectl connection plugin

K8S_AUTH_KEY_FILE

Path to a key file used to authenticate with the API.

Used by: community.okd.oc connection plugin, kubernetes.core.kubectl connection plugin

K8S_AUTH_KUBECONFIG

See the documentations for the options where this environment variable is used.

Used by: community.okd.oc connection plugin, kubernetes.core.kubectl connection plugin

K8S_AUTH_NAMESPACE

The namespace of the pod

Used by: community.okd.oc connection plugin, kubernetes.core.kubectl connection plugin

K8S_AUTH_PASSWORD

Provide a password for authenticating with the API.

Please be aware that this passes information directly on the command line and it could expose sensitive data. We recommend using the file based authentication options instead.

Used by: kubernetes.core.kubectl connection plugin

K8S_AUTH_POD

See the documentations for the options where this environment variable is used.

Used by: community.okd.oc connection plugin, kubernetes.core.kubectl connection plugin

K8S_AUTH_SERVER

URL for accessing the API.

Used by: community.okd.oc connection plugin, kubernetes.core.kubectl connection plugin

K8S_AUTH_SSL_CA_CERT

Path to a CA certificate used to authenticate with the API.

Used by: community.okd.oc connection plugin, kubernetes.core.kubectl connection plugin

K8S_AUTH_TOKEN

See the documentations for the options where this environment variable is used.

Used by: community.okd.oc connection plugin, kubernetes.core.kubectl connection plugin

K8S_AUTH_USERNAME

Provide a username for authenticating with the API.

Used by: kubernetes.core.kubectl connection plugin

K8S_AUTH_VERIFY_SSL

Whether or not to verify the API server’s SSL certificate. Defaults to true.

Used by: community.okd.oc connection plugin, kubernetes.core.kubectl connection plugin

LINODE_ACCESS_TOKEN

The Linode account personal access token.

Used by: community.general.linode inventory plugin

LOGDNA_HOSTNAME

Alternative Host Name; the current host name by default.

Used by: community.general.logdna callback plugin

LOGDNA_INGESTION_KEY

LogDNA Ingestion Key.

Used by: community.general.logdna callback plugin

LOGDNA_TAGS

Tags.

Used by: community.general.logdna callback plugin

LOGENTRIES_ANSIBLE_TOKEN

The logentries TCP token.

Used by: community.general.logentries callback plugin

LOGENTRIES_API

URI to the Logentries API.

Used by: community.general.logentries callback plugin

LOGENTRIES_FLATTEN

Flatten complex data structures into a single dictionary with complex keys.

Used by: community.general.logentries callback plugin

LOGENTRIES_PORT

HTTP port to use when connecting to the API.

Used by: community.general.logentries callback plugin

LOGENTRIES_TLS_PORT

Port to use when connecting to the API when TLS is enabled.

Used by: community.general.logentries callback plugin

LOGENTRIES_USE_TLS

Toggle to decide whether to use TLS to encrypt the communications with the API server.

Used by: community.general.logentries callback plugin

LOGSTASH_FORMAT_VERSION

Logging format.

Used by: community.general.logstash callback plugin

LOGSTASH_PORT

Port on which logstash is listening.

Used by: community.general.logstash callback plugin

LOGSTASH_PRE_COMMAND

Executes command before run and its result is added to the ansible_pre_command_output logstash field.

Used by: community.general.logstash callback plugin

LOGSTASH_SERVER

Address of the Logstash server.

Used by: community.general.logstash callback plugin

LOGSTASH_TYPE

Message type.

Used by: community.general.logstash callback plugin

MANIFOLD_API_TOKEN

manifold API token

Used by: community.general.manifold lookup plugin

MICROSOFT_AD_LDAP_AUTH_PROTOCOL

The authentication protocol to use when connecting to the LDAP host.

Defaults to certificate if LDAPS/StartTLS is used and certificate has been specified. Otherwise it defaults to negotiate.

simple is simple authentication where the user and password are sent in plaintext. It does not support any encryption so either must be used with LDAPS, or StartTLS. If using over a plaintext LDAP connection without TLS, encrypt=False must be specified to explicitly opt into no encryption.

certificate is TLS client certificate authentication. It can only be used with LDAPS or StartTLS. See certificate for more information on how to specify the client certificate used for authentication.

negotiate will attempt to negotiate Kerberos authentication with a fallback to NTLM. If Kerberos is available the Kerberos credential cache can be used if no username or password is specified.

kerberos will use Kerberos authentication with no NTLM fallback.

ntlm will use NTLM authentication with no Kerberos attempt.

negotiate, kerberos, and ntlm support encryption over LDAP.

Kerberos support requires the pyspnego[kerberos] extras to be installed.

See LDAP authentication for more information.

This option can be set using a Jinja2 template value.

MICROSOFT_AD_LDAP_CA_CERT

Can be the path to a CA certificate PEM or DER file, directory of PEM certificates, or the CA certificate PEM string that is used for certificate validation.

If omitted, the default CA store used for validation is dependent on the current Python settings.

This option can be set using a Jinja2 template value.

MICROSOFT_AD_LDAP_CERT_VALIDATION

The certificate validation behaviour when using a TLS connection.

This can be set to always, ignore, ignore_hostname.

always will perform certificate hostname and CA validation.

ignore will ignore any certificate errors.

ignore_hostname will validate the CA trust chain but will ignore any hostname checks performed by TLS.

See Certificate validation for more information.

This option can be set using a Jinja2 template value.

MICROSOFT_AD_LDAP_CERTIFICATE

The certificate or certificate with key bundle that is used for certificate authentication.

The value can either be a path to a file containing the certificate or string of the PEM encoded certificate.

If using a path to a certificate file, the file can be a PEM encoded certificate, a PEM encoded certificate and key bundle, a DER encoded certificate, or a PFX/PKCS12 encoded certificate and key bundle.

Use certificate_key if the certificate specified does not contain the key.

Use certificate_password if the key is encrypted with a password.

This option can be set using a Jinja2 template value.

MICROSOFT_AD_LDAP_CERTIFICATE_KEY

The certificate key that is used for certificate authentication.

The value can either be a path to a file containing the key in the PEM or DER encoded form, or it can be the string of a PEM encoded key.

Use certificate_password if the key is encrypted with a password.

This option can be set using a Jinja2 template value.

MICROSOFT_AD_LDAP_CERTIFICATE_PASSWORD

The password used to decrypt the certificate key specified by certificate or certificate_key.

This option can be set using a Jinja2 template value.

MICROSOFT_AD_LDAP_CONNECTION_TIMEOUT

The timeout in seconds to wait until the connection is established before failing.

This option can be set using a Jinja2 template value.

MICROSOFT_AD_LDAP_ENCRYPT

Whether encryption is required for the connection.

Encryption can either be performed using the authentication protocol or through TLS.

The auth_protocol negotiate, kerberos, and ntlm all support encryption over LDAP whereas simple does not.

If using auth_protocol=simple over LDAP without TLS then this must be set to False. As no encryption is used, all traffic will be in plaintext and should be avoided.

This option can be set using a Jinja2 template value.

MICROSOFT_AD_LDAP_PASSWORD

The password to authenticate with.

If auth_protocol is simple and no password is specified, the bind will be performed as an unauthenticated bind.

If auth_protocol is negotiate, kerberos, or ntlm and no password is specified, it will attempt to use the local cached credential specified by username if available.

This option can be set using a Jinja2 template value.

MICROSOFT_AD_LDAP_PORT

The LDAP port to use for the connection.

Port 389 is used for LDAP and port 686 is used for LDAPS.

Defaults to port 636 if tls_mode=ldaps otherwise 389.

This option can be set using a Jinja2 template value.

MICROSOFT_AD_LDAP_SERVER

The domain controller/server to connect to.

If not specified the server will be derived from the current krb5.conf default_realm setting and with an SRV DNS lookup.

See Server lookup for more information.

This option can be set using a Jinja2 template value.

MICROSOFT_AD_LDAP_TLS_MODE

The TLS operation to use.

If an explicit port is set to 636 then this defaults to ldaps.

ldaps will connect over LDAPS (port 636).

start_tls will connect over LDAP (port 389) and perform the StartTLS operation before the authentication bind.

It is recommended to use ldaps over start_tls if TLS is going to be used.

This option can be set using a Jinja2 template value.

MICROSOFT_AD_LDAP_USERNAME

The username to authenticate with.

If auth_protocol is simple and no username is specified, anonymous authentication is used.

If auth_protocol is negotiate, kerberos, or ntlm and no username is specified, it will attempt to use the local cached credential if available, for example one retrieved by kinit.

This option can be set using a Jinja2 template value.

NETBOX_API

See the documentations for the options where this environment variable is used.

Used by: netbox.netbox.nb_inventory inventory plugin, netbox.netbox.nb_lookup lookup plugin

NETBOX_API_KEY

NetBox API token to be able to read against NetBox.

This may not be required depending on the NetBox setup.

You can provide a “type” and “value” for a token if your NetBox deployment is using a more advanced authentication like OAUTH.

If you do not provide a “type” and “value” parameter, the HTTP authorization header will be set to “Token”, which is the NetBox default

Used by: netbox.netbox.nb_inventory inventory plugin

NETBOX_API_TOKEN

The API token created through NetBox

This may not be required depending on the NetBox setup.

Used by: netbox.netbox.nb_lookup lookup plugin

NETBOX_TOKEN

See the documentations for the options where this environment variable is used.

Used by: netbox.netbox.nb_inventory inventory plugin, netbox.netbox.nb_lookup lookup plugin

NETBOX_URL

The URL to the NetBox instance to query

Used by: netbox.netbox.nb_lookup lookup plugin

NRDP_HOSTNAME

Hostname where the passive check is linked to.

NRDP_SERVICENAME

Service where the passive check is linked to.

NRDP_TOKEN

Token to be allowed to push nrdp events.

NRDP_URL

URL of the nrdp server.

NRDP_VALIDATE_CERTS

Validate the SSL certificate of the nrdp server. (Used for HTTPS URLs.)

Used by: community.general.onepassword lookup plugin, community.general.onepassword_doc lookup plugin, community.general.onepassword_raw lookup plugin

OME_HOSTNAME

OpenManage Enterprise or OpenManage Enterprise Modular IP address or hostname.

If the value is not specified in the task, the value of environment variable OME_HOSTNAME will be used instead.

Used by: dellemc.openmanage.ome_inventory inventory plugin

OME_PASSWORD

OpenManage Enterprise or OpenManage Enterprise Modular password.

If the value is not specified in the task, the value of environment variable OME_PASSWORD will be used instead.

Used by: dellemc.openmanage.ome_inventory inventory plugin

OME_USERNAME

OpenManage Enterprise or OpenManage Enterprise Modular username.

If the value is not specified in the task, the value of environment variable OME_USERNAME will be used instead.

Used by: dellemc.openmanage.ome_inventory inventory plugin

ONE_AUTH

If both api_username or api_password are not set, then it will try authenticate with ONE auth file. Default path is ~/.one/one_auth.

Set environment variable ONE_AUTH to override this path.

Used by: community.general.opennebula inventory plugin

ONE_PASSWORD

Password or a token of the user to login into OpenNebula RPC server.

If not set, the value of the ONE_PASSWORD environment variable is used.

Used by: community.general.opennebula inventory plugin

ONE_URL

URL of the OpenNebula RPC server.

It is recommended to use HTTPS so that the username/password are not transferred over the network unencrypted.

If not set then the value of the ONE_URL environment variable is used.

Used by: community.general.opennebula inventory plugin

ONE_USERNAME

Name of the user to login into the OpenNebula RPC server. If not set then the value of the ONE_USERNAME environment variable is used.

Used by: community.general.opennebula inventory plugin

ONLINE_API_KEY

Online OAuth token.

Used by: community.general.online inventory plugin

ONLINE_OAUTH_TOKEN

Online OAuth token.

Used by: community.general.online inventory plugin

ONLINE_TOKEN

Online OAuth token.

Used by: community.general.online inventory plugin

OP_CONNECT_HOST

The host for 1Password Connect. Must be used in combination with connect_token.

OP_CONNECT_TOKEN

The token for 1Password Connect. Must be used in combination with connect_host.

Used by: community.general.onepassword lookup plugin, community.general.onepassword_doc lookup plugin, community.general.onepassword_raw lookup plugin

OP_SERVICE_ACCOUNT_TOKEN

The access key for a service account.

Only works with 1Password CLI version 2 or later.

Used by: community.general.onepassword lookup plugin, community.general.onepassword_doc lookup plugin, community.general.onepassword_raw lookup plugin

OS_CLIENT_CONFIG_FILE

Override path to clouds.yaml file.

If this value is given it will be searched first.

Search paths for cloud credentials are complemented with files /etc/ansible/openstack.{yaml,yml}.

Default search paths are documented in https://docs.openstack.org/os-client-config/latest/user/configuration.html#config-files.

Used by: openstack.cloud.openstack inventory plugin

OTEL_SERVICE_NAME

The service name resource attribute.

Used by: community.general.opentelemetry callback plugin

OVIRT_PASSWORD

ovirt authentication password.

Used by: ovirt.ovirt.ovirt inventory plugin

OVIRT_URL

URL to ovirt-engine API.

Used by: ovirt.ovirt.ovirt inventory plugin

OVIRT_USERNAME

ovirt authentication user.

Used by: ovirt.ovirt.ovirt inventory plugin

PASSWORD_STORE_DIR

The directory of the password store.

If backend=pass, the default is ~/.password-store is used.

If backend=gopass, then the default is the path field in ~/.config/gopass/config.yml, falling back to ~/.local/share/gopass/stores/root if path is not defined in the gopass config.

Used by: community.general.passwordstore lookup plugin

PASSWORD_STORE_UMASK

Sets the umask for the created .gpg files. The first octed must be greater than 3 (user readable).

Note pass’ default value is '077'.

Used by: community.general.passwordstore lookup plugin

PROFILE_TASKS_SORT_ORDER

Adjust the sorting output of summary tasks

Used by: ansible.posix.profile_tasks callback plugin

PROFILE_TASKS_TASK_OUTPUT_LIMIT

Number of tasks to display in the summary

Used by: ansible.posix.profile_tasks callback plugin

PROXMOX_PASSWORD

Proxmox authentication password.

If the value is not specified in the inventory configuration, the value of environment variable PROXMOX_PASSWORD will be used instead.

Since community.general 4.7.0 you can also use templating to specify the value of the password.

If you do not specify a password, you must set token_id and token_secret instead.

Used by: community.general.proxmox inventory plugin

PROXMOX_TOKEN_ID

Proxmox authentication token ID.

If the value is not specified in the inventory configuration, the value of environment variable PROXMOX_TOKEN_ID will be used instead.

To use token authentication, you must also specify token_secret. If you do not specify token_id and token_secret, you must set a password instead.

Make sure to grant explicit pve permissions to the token or disable ‘privilege separation’ to use the users’ privileges instead.

Used by: community.general.proxmox inventory plugin

PROXMOX_TOKEN_SECRET

Proxmox authentication token secret.

If the value is not specified in the inventory configuration, the value of environment variable PROXMOX_TOKEN_SECRET will be used instead.

To use token authentication, you must also specify token_id. If you do not specify token_id and token_secret, you must set a password instead.

Used by: community.general.proxmox inventory plugin

PROXMOX_URL

URL to Proxmox cluster.

If the value is not specified in the inventory configuration, the value of environment variable PROXMOX_URL will be used instead.

Since community.general 4.7.0 you can also use templating to specify the value of the url.

Used by: community.general.proxmox inventory plugin

PROXMOX_USER

Proxmox authentication user.

If the value is not specified in the inventory configuration, the value of environment variable PROXMOX_USER will be used instead.

Since community.general 4.7.0 you can also use templating to specify the value of the user.

Used by: community.general.proxmox inventory plugin

SCW_API_KEY

Scaleway OAuth token.

If not explicitly defined or in environment variables, it will try to lookup in the scaleway-cli configuration file ($SCW_CONFIG_PATH, $XDG_CONFIG_HOME/scw/config.yaml, or ~/.config/scw/config.yaml).

More details on how to generate token.

Used by: community.general.scaleway inventory plugin

SCW_OAUTH_TOKEN

Scaleway OAuth token.

If not explicitly defined or in environment variables, it will try to lookup in the scaleway-cli configuration file ($SCW_CONFIG_PATH, $XDG_CONFIG_HOME/scw/config.yaml, or ~/.config/scw/config.yaml).

More details on how to generate token.

Used by: community.general.scaleway inventory plugin

SCW_TOKEN

Scaleway OAuth token.

If not explicitly defined or in environment variables, it will try to lookup in the scaleway-cli configuration file ($SCW_CONFIG_PATH, $XDG_CONFIG_HOME/scw/config.yaml, or ~/.config/scw/config.yaml).

More details on how to generate token.

Used by: community.general.scaleway inventory plugin

SLACK_CHANNEL

Slack room to post in.

SLACK_USERNAME

Username to post as.

SLACK_VALIDATE_CERTS

Validate the SSL certificate of the Slack server for HTTPS URLs.

SLACK_WEBHOOK_URL

Slack Webhook URL.

SMTPHOST

Mail Transfer Agent, server that accepts SMTP.

Used by: community.general.mail callback plugin

SOPS_ANSIBLE_AWX_DISABLE_VARS_PLUGIN_TEMPORARILY

Temporarily disable this plugin.

Useful if ansible-inventory is supposed to be run without decrypting secrets (in AWX for instance).

Used by: community.sops.sops vars plugin

SPLUNK_AUTHTOKEN

Token to authenticate the connection to the Splunk HTTP collector.

Used by: community.general.splunk callback plugin

SPLUNK_BATCH

Correlation ID which can be set across multiple playbook executions.

Used by: community.general.splunk callback plugin

SPLUNK_INCLUDE_MILLISECONDS

Whether to include milliseconds as part of the generated timestamp field in the event sent to the Splunk HTTP collector.

Used by: community.general.splunk callback plugin

SPLUNK_URL

URL to the Splunk HTTP collector source.

Used by: community.general.splunk callback plugin

SPLUNK_VALIDATE_CERTS

Whether to validate certificates for connections to HEC. It is not recommended to set to false except when you are sure that nobody can intercept the connection between this plugin and HEC, as setting it to false allows man-in-the-middle attacks!

Used by: community.general.splunk callback plugin

SUMOLOGIC_URL

URL to the Sumologic HTTP collector source.

Used by: community.general.sumologic callback plugin

SYSLOG_FACILITY

Syslog facility to log as.

Used by: community.general.syslog_json callback plugin

SYSLOG_PORT

Port on which the syslog server is listening.

Used by: community.general.syslog_json callback plugin

SYSLOG_SERVER

Syslog server that will receive the event.

Used by: community.general.syslog_json callback plugin

TOWER_HOST

The network address of your Automation Platform Controller host.

Used by: awx.awx.controller inventory plugin, awx.awx.controller_api lookup plugin

TOWER_OAUTH_TOKEN

The OAuth token to use.

Used by: awx.awx.controller inventory plugin, awx.awx.controller_api lookup plugin

TOWER_PASSWORD

The password for your controller user.

Used by: awx.awx.controller inventory plugin, awx.awx.controller_api lookup plugin

TOWER_USERNAME

The user that you plan to use to access inventories on the controller.

Used by: awx.awx.controller inventory plugin, awx.awx.controller_api lookup plugin

TOWER_VERIFY_SSL

Specify whether Ansible should verify the SSL certificate of the controller host.

Defaults to True, but this is handled by the shared module_utils code

Used by: awx.awx.controller inventory plugin, awx.awx.controller_api lookup plugin

TRACEPARENT

The W3C Trace Context header traceparent.

Used by: community.general.elastic callback plugin, community.general.opentelemetry callback plugin

TSS_API_PATH_URI

The path to append to the base URL to form a valid REST API request.

TSS_BASE_URL

The base URL of the server, for example https://localhost/SecretServer.

TSS_DOMAIN

The domain with which to request the OAuth2 Access Grant.

Optional when token is not provided.

Requires python-tss-sdk version 1.0.0 or greater.

TSS_PASSWORD

The password associated with the supplied username.

Required when token is not provided.

TSS_TOKEN

Existing token for Thycotic authorizer.

If provided, username and password are not needed.

Requires python-tss-sdk version 1.0.0 or greater.

TSS_TOKEN_PATH_URI

The path to append to the base URL to form a valid OAuth2 Access Grant request.

TSS_USERNAME

The username with which to request the OAuth2 Access Grant.