community.general.credstash – retrieve secrets from Credstash on AWS

Note

This plugin is part of the community.general collection (version 4.2.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.credstash.

Synopsis

Requirements

The below requirements are needed on the local controller node that executes this lookup.

  • credstash (python library)

Parameters

Parameter Choices/Defaults Configuration Comments
_terms
list / elements=string / required
term or list of terms to lookup in the credit store
aws_access_key_id
string
env:AWS_ACCESS_KEY_ID
AWS access key ID
aws_secret_access_key
string
env:AWS_SECRET_ACCESS_KEY
AWS access key
aws_session_token
string
env:AWS_SESSION_TOKEN
AWS session token
profile_name
string
env:AWS_PROFILE
AWS profile to use for authentication
region
string
AWS region
table
string / required
Default:
"credential-store"
name of the credstash table to query
version
string
Credstash version

Examples

- name: first use credstash to store your secrets
  ansible.builtin.shell: credstash put my-github-password secure123

- name: "Test credstash lookup plugin -- get my github password"
  ansible.builtin.debug:
    msg: "Credstash lookup! {{ lookup('community.general.credstash', 'my-github-password') }}"

- name: "Test credstash lookup plugin -- get my other password from us-west-1"
  ansible.builtin.debug:
    msg: "Credstash lookup! {{ lookup('community.general.credstash', 'my-other-password', region='us-west-1') }}"

- name: "Test credstash lookup plugin -- get the company's github password"
  ansible.builtin.debug:
    msg: "Credstash lookup! {{ lookup('community.general.credstash', 'company-github-password', table='company-passwords') }}"

- name: Example play using the 'context' feature
  hosts: localhost
  vars:
    context:
      app: my_app
      environment: production
  tasks:

  - name: "Test credstash lookup plugin -- get the password with a context passed as a variable"
    ansible.builtin.debug:
      msg: "{{ lookup('community.general.credstash', 'some-password', context=context) }}"

  - name: "Test credstash lookup plugin -- get the password with a context defined here"
    ansible.builtin.debug:
      msg: "{{ lookup('community.general.credstash', 'some-password', context=dict(app='my_app', environment='production')) }}"

Return Values

Common return values are documented here, the following are the fields unique to this lookup:

Key Returned Description
_raw
string
success
Value(s) stored in Credstash.



Authors

  • Unknown (!UNKNOWN)