community.general.credstash lookup – retrieve secrets from Credstash on AWS
Note
This lookup plugin is part of the community.general collection (version 10.1.0).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install community.general
.
You need further requirements to be able to use this lookup plugin,
see Requirements for details.
To use it in a playbook, specify: community.general.credstash
.
Synopsis
Credstash is a small utility for managing secrets using AWS’s KMS and DynamoDB: https://github.com/fugue/credstash
Requirements
The below requirements are needed on the local controller node that executes this lookup.
credstash (python library)
Terms
Parameter |
Comments |
---|---|
term or list of terms to lookup in the credit store |
Keyword parameters
This describes keyword parameters of the lookup. These are the values key1=value1
, key2=value2
and so on in the following
examples: lookup('community.general.credstash', key1=value1, key2=value2, ...)
and query('community.general.credstash', key1=value1, key2=value2, ...)
Parameter |
Comments |
---|---|
AWS region |
|
name of the credstash table to query Default: |
|
Credstash version Default: |
Notes
Note
When keyword and positional parameters are used together, positional parameters must be listed before keyword parameters:
lookup('community.general.credstash', term1, term2, key1=value1, key2=value2)
andquery('community.general.credstash', term1, term2, key1=value1, key2=value2)
Examples
- name: first use credstash to store your secrets
ansible.builtin.shell: credstash put my-github-password secure123
- name: "Test credstash lookup plugin -- get my github password"
ansible.builtin.debug:
msg: "Credstash lookup! {{ lookup('community.general.credstash', 'my-github-password') }}"
- name: "Test credstash lookup plugin -- get my other password from us-west-1"
ansible.builtin.debug:
msg: "Credstash lookup! {{ lookup('community.general.credstash', 'my-other-password', region='us-west-1') }}"
- name: "Test credstash lookup plugin -- get the company's github password"
ansible.builtin.debug:
msg: "Credstash lookup! {{ lookup('community.general.credstash', 'company-github-password', table='company-passwords') }}"
- name: Example play using the 'context' feature
hosts: localhost
vars:
context:
app: my_app
environment: production
tasks:
- name: "Test credstash lookup plugin -- get the password with a context passed as a variable"
ansible.builtin.debug:
msg: "{{ lookup('community.general.credstash', 'some-password', context=context) }}"
- name: "Test credstash lookup plugin -- get the password with a context defined here"
ansible.builtin.debug:
msg: "{{ lookup('community.general.credstash', 'some-password', context=dict(app='my_app', environment='production')) }}"
Return Value
Key |
Description |
---|---|
Value(s) stored in Credstash. Returned: success |