community.sops.load_vars – Load sops-encrypted variables from files, dynamically within a task
Note
This plugin is part of the community.sops collection (version 1.1.0).
You might already have this collection installed if you are using the `ansible` package. It is not included in `ansible-core`. To check whether it is installed, run `ansible-galaxy collection list`.
To install it, use: `ansible-galaxy collection install community.sops`.
To use it in a playbook, specify: `community.sops.load_vars`.
New in version 0.1.0: of community.sops
Synopsis
- Loads sops-encrypted YAML/JSON variables dynamically from a file during task runtime.
- To assign included variables to a different host than `inventory_hostname`, use `delegate_to` and set `delegate_facts=yes`.
Note
This module has a corresponding action plugin.
Parameters
Parameter | Choices/Defaults | Comments |
---|---|---|
`aws_access_key_id`, string, added in 1.0.0 of community.sops | | The AWS access key ID to use for requests to AWS. Sets the environment variable `AWS_ACCESS_KEY_ID` for the sops call. |
`aws_profile`, string, added in 1.0.0 of community.sops | | The AWS profile to use for requests to AWS. This corresponds to the sops `--aws-profile` option. |
`aws_secret_access_key`, string, added in 1.0.0 of community.sops | | The AWS secret access key to use for requests to AWS. Sets the environment variable `AWS_SECRET_ACCESS_KEY` for the sops call. |
`aws_session_token`, string, added in 1.0.0 of community.sops | | The AWS session token to use for requests to AWS. Sets the environment variable `AWS_SESSION_TOKEN` for the sops call. |
`config_path`, path, added in 1.0.0 of community.sops | | Path to the sops configuration file. If not set, sops will recursively search for the config file starting at the file that is encrypted or decrypted. This corresponds to the sops `--config` option. |
`enable_local_keyservice`, boolean, added in 1.0.0 of community.sops | | Tell sops to use local key service. This corresponds to the sops `--enable-local-keyservice` option. |
`expressions`, string | | This option controls how Jinja2 expressions in values in the loaded file are handled. If set to `ignore`, expressions will not be evaluated, but treated as regular strings. If set to `evaluate-on-load`, expressions will be evaluated on execution of this module, in other words, when the file is loaded. Unfortunately, there is no way for non-core modules to handle expressions "unsafe", in other words, evaluate them only on use. This can only be achieved by ansible.builtin.include_vars, which unfortunately cannot handle sops-encrypted files. |
`file`, path | | The file name from which variables should be loaded. If the path is relative, it will look for the file in the `vars/` subdirectory of a role or relative to the playbook. |
`keyservice`, list / elements=string, added in 1.0.0 of community.sops | | Specify key services to use next to the local one. A key service must be specified in the form `protocol://address`, for example `tcp://myserver.com:5000`. This corresponds to the sops `--keyservice` option. |
`name`, string | | The name of a variable into which to assign the included vars. If omitted (`null`) they will be made top level vars. |
`sops_binary`, path, added in 1.0.0 of community.sops | | Path to the sops binary. By default uses `sops`. |
See Also
- ansible.builtin.set_fact: The official documentation on the ansible.builtin.set_fact module.
- ansible.builtin.include_vars: The official documentation on the ansible.builtin.include_vars module.
- Controlling where tasks run: delegation and local actions: More information related to task delegation.
Examples
```yaml
- name: Include variables of stuff.sops.yaml into the 'stuff' variable
  community.sops.load_vars:
    file: stuff.sops.yaml
    name: stuff
    expressions: evaluate-on-load  # interpret Jinja2 expressions in stuff.sops.yaml at load time!

- name: Conditionally decide to load in variables into 'plans' when x is 0, otherwise do not
  community.sops.load_vars:
    file: contingency_plan.sops.yaml
    name: plans
    expressions: ignore  # do not interpret possible Jinja2 expressions
  when: x == 0

- name: Load variables into the global namespace
  community.sops.load_vars:
    file: contingency_plan.sops.yaml
```
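
The following playbook is an added example, not part of the collection's documentation. It combines the delegation note from the Synopsis with the `name`, `expressions`, `config_path` and `aws_profile` parameters. The inventory hosts `app01` and `db01`, the file paths and the AWS profile name are assumptions.

```yaml
# Added example: hosts, paths and profile name are hypothetical.
- name: Load sops-encrypted variables with load_vars
  hosts: app01                        # hypothetical inventory host
  gather_facts: false
  tasks:
    - name: Load secrets for this host into a namespaced variable
      community.sops.load_vars:
        file: secrets/app.sops.yaml   # hypothetical path, relative to the playbook
        name: app_secrets             # avoid overwriting unrelated top level vars
        expressions: ignore           # "{{ ... }}" inside values stays a plain string
        config_path: "{{ playbook_dir }}/.sops.yaml"
        aws_profile: deploy-readonly  # hypothetical profile, passed as sops --aws-profile
      no_log: true                    # keep decrypted values out of task output

    - name: Assign the variables of another file to db01 instead of inventory_hostname
      community.sops.load_vars:
        file: secrets/db.sops.yaml    # hypothetical path
        name: db_secrets
        expressions: ignore
      delegate_to: db01               # hypothetical inventory host
      delegate_facts: true
      no_log: true

    - name: Check where the variables ended up, without printing them
      ansible.builtin.assert:
        that:
          - app_secrets is defined
          - hostvars['db01'].db_secrets is defined
          - db_secrets is not defined   # not set on app01, only on db01
        quiet: true
```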
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
`ansible_included_var_files`, list / elements=string | success | A list of files that were successfully included. Sample: `['/path/to/file.sops.yaml']` |
Authors
- Felix Fontein (@felixfontein)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/community/sops/load_vars_module.html