community.general.proton_pass lookup – Fetch secrets from Proton Pass via the pass-cli command-line tool.
Note
This lookup plugin is part of the community.general collection (version 13.2.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.general.
You need further requirements to be able to use this lookup plugin,
see Requirements for details.
To use it in a playbook, specify: community.general.proton_pass.
New in community.general 13.2.0
Synopsis
Retrieves secrets stored in Proton Pass by calling the
pass-clibinary on the Ansible control machine.When only one item title is given, returns a dictionary of all extra fields for that item so the caller can access individual secrets by key.
When a field name is also given, returns the field value as a string directly, without parsing JSON.
Every lookup invokes
pass-clidirectly — no in-process caching — so each call always reflects the current vault state.
Requirements
The below requirements are needed on the local controller node that executes this lookup.
pass-cliinstalled on the Ansible control machine (see https://github.com/protonpass/pass-cli)
Terms
Parameter |
Comments |
|---|---|
One or more Proton Pass item titles to look up. If exactly two terms are given and |
Keyword parameters
This describes keyword parameters of the lookup. These are the values key1=value1, key2=value2 and so on in the following
examples: lookup('community.general.proton_pass', key1=value1, key2=value2, ...) and query('community.general.proton_pass', key1=value1, key2=value2, ...)
Parameter |
Comments |
|---|---|
Human-readable reason string required by Proton Pass when authenticating with an agent token (as opposed to a personal account PAT). Maps to the Agent tokens are the recommended authentication mechanism for CI/CD pipelines and automated processes — they are scoped to specific vaults, carry an expiration date, and produce an encrypted audit log. Create one with Default: Configuration:
|
|
Path to the When not set, Default: Configuration:
|
|
When Useful for diagnosing field extraction failures across Note that this can show sensitive information. Use only when absolutely necessary and ensure the sensitive output is not logged. Choices:
|
|
Personal Access Token used for non-interactive authentication. Format is When provided, the plugin runs Default: Configuration:
|
|
Timeout in seconds for each Default: Configuration:
|
|
Name of the Proton Pass vault to query. When omitted, Default: Configuration:
|
Note
Configuration entries listed above for each entry type (Ansible variable, environment variable, and so on) have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up. The entry types are also ordered by precedence from low to high priority order. For example, an ansible.cfg entry (further up in the list) is overwritten by an Ansible variable (further down in the list).
Notes
Note
When keyword and positional parameters are used together, positional parameters must be listed before keyword parameters:
lookup('community.general.proton_pass', term1, term2, key1=value1, key2=value2)andquery('community.general.proton_pass', term1, term2, key1=value1, key2=value2)Two non-interactive authentication paths are available.
Agent tokens (recommended for CI/CD) are scoped to specific vaults, carry an expiration date, and produce an encrypted audit log — create one with
pass-cli agent create <NAME> --expiration 1m --vault <VAULT>, then supply the token viapat/ANSIBLE_PROTON_PASS_PATand setagent_reason/ANSIBLE_PROTON_PASS_AGENT_REASONto a short description of why the automation is accessing the vault.Personal Access Tokens PAT grant full account access and should be reserved for interactive or development use — generate one in the Proton Pass web app under Account > Security > Access and authentication > Personal Access Tokens. PAT format is
pst_<token>::<key>.Authenticate once interactively with
pass-cli loginbefore running playbooks when neither an agent token nor a PAT is configured.Set
debug=trueon the lookup call to display the rawpass-cliJSON via Ansible’s warning output — useful for diagnosing field extraction failures acrosspass-cliversions.All Proton Pass item types are supported: Login, Note, Credit Card, Wi-Fi, Identity, SSH Key, Custom, and Alias. Standard fields for each type (for example
username/passwordfor Login,ssid/passwordfor Wi-Fi,private_key/public_keyfor SSH Key) are included in the returned dictionary alongside any custom extra fields.For Login items the
urlsfield is returned as a list of strings.In Proton Pass, create one item per host. Add every secret as an extra hidden field whose name exactly matches the key your playbooks reference (for example
api_token,gpg_keyphrase).Sections (
extra_sections) are supported — fields nested inside a section are merged into the same flat dict as top-level extra fields.
Examples
# Prerequisites — authenticate once on the control machine:
# pass-cli login --pat pst_<token>::<key>
# Or export for non-interactive / CI use:
# export ANSIBLE_PROTON_PASS_PAT='pst_<token>::<key>'
# Or configure ansible.cfg (applies to all lookups in the project):
# [proton_pass_lookup]
# vault = myproject
# --- All-fields mode: returns a dict of all extra fields ---
- name: Load all secrets for the current host
ansible.builtin.set_fact:
host_secrets: "{{ lookup('community.general.proton_pass', inventory_hostname, vault='myproject') }}"
- name: Use a field from the loaded dict
ansible.builtin.debug:
msg: "Token: {{ host_secrets.api_token }}"
# --- Single-field mode: returns a plain string ---
- name: Fetch one field via second positional term
ansible.builtin.debug:
msg: "{{ lookup('community.general.proton_pass', 'my_host', 'api_token', vault='myproject') }}"
- name: Fetch one field via keyword argument
ansible.builtin.debug:
msg: "{{ lookup('community.general.proton_pass', 'my_host', field='api_token', vault='myproject') }}"
# --- Multiple items, same field ---
- name: Fetch gpg_keyphrase from two items
ansible.builtin.debug:
msg: "{{ lookup('community.general.proton_pass', 'host_a', 'host_b', field='gpg_keyphrase', vault='myproject') }}"
# --- Drop-in replacement for ansible-vault secrets ---
# Place in group_vars/all/secrets.yaml (plain YAML, safe to commit):
#
# secrets:
# host_a: "{{ lookup('community.general.proton_pass', 'host_a', vault='myproject') }}"
# host_b: "{{ lookup('community.general.proton_pass', 'host_b', vault='myproject') }}"
#
# Existing role tasks continue to work without modification:
# "{{ secrets[inventory_hostname].some_secret }}"
# --- Vault configured globally in ansible.cfg — no vault= kwarg needed ---
- name: Lookup when ansible.cfg sets [proton_pass_lookup] vault
ansible.builtin.debug:
msg: "{{ lookup('community.general.proton_pass', 'my_host', 'api_token') }}"
# --- Agent token authentication (recommended for CI/CD) ---
# Create the agent first (one-time setup):
# pass-cli agent create ci-runner --expiration 1m --vault myproject
# Then configure ansible.cfg:
# [proton_pass_lookup]
# vault = myproject
# agent_reason = ansible playbook run
# And set the token in the environment (or ansible.cfg):
# export ANSIBLE_PROTON_PASS_PAT='<agent-token>'
- name: Lookup using an agent token
ansible.builtin.debug:
msg: "{{ lookup('community.general.proton_pass', 'my_host', 'api_token',
pat=lookup('env', 'ANSIBLE_PROTON_PASS_PAT'),
agent_reason='nightly deployment pipeline') }}"
Return Value
Key |
Description |
|---|---|
A list with one element per input term. In single-field mode ( In all-fields mode, each element is a flat dictionary mapping standard item-type fields ( Returned: success |