Docs4dev
Docs
ansible / latest / collections / community / sops / sops_lookup.html

community.sops.sops – Read sops encrypted file contents

Note

This plugin is part of the community.sops collection (version 1.1.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.sops.

To use it in a playbook, specify: community.sops.sops.

New in version 0.1.0: of community.sops

Synopsis

  • This lookup returns the contents from a file on the Ansible controller’s file system.
  • This lookup requires the sops executable to be available in the controller PATH.

Parameters

Parameter Choices/Defaults Configuration Comments
_terms
string / required
Path(s) of files to read.
aws_access_key_id
string
added in 1.0.0 of community.sops
var: sops_aws_access_key_id
The AWS access key ID to use for requests to AWS.
Sets the environment variable AWS_ACCESS_KEY_ID for the sops call.
aws_profile
string
added in 1.0.0 of community.sops
var: sops_aws_profile
The AWS profile to use for requests to AWS.
This corresponds to the sops --aws-profile option.
aws_secret_access_key
string
added in 1.0.0 of community.sops
var: sops_aws_secret_access_key
The AWS secret access key to use for requests to AWS.
Sets the environment variable AWS_SECRET_ACCESS_KEY for the sops call.
aws_session_token
string
added in 1.0.0 of community.sops
var: sops_session_token
The AWS session token to use for requests to AWS.
Sets the environment variable AWS_SESSION_TOKEN for the sops call.
base64
boolean
    Choices:
  • no
  • yes
Base64-encodes the parsed result.
Use this if you want to store binary data in Ansible variables.
config_path
path
added in 1.0.0 of community.sops
var: sops_config_path
Path to the sops configuration file.
If not set, sops will recursively search for the config file starting at the file that is encrypted or decrypted.
This corresponds to the sops --config option.
empty_on_not_exist
boolean
    Choices:
  • no
  • yes
When set to true, will not raise an error when a file cannot be found, but return an empty string instead.
enable_local_keyservice
boolean
added in 1.0.0 of community.sops
    Choices:
  • no
  • yes
var: sops_enable_local_keyservice
Tell sops to use local key service.
This corresponds to the sops --enable-local-keyservice option.
input_type
string
    Choices:
  • binary
  • json
  • yaml
  • dotenv
Tell sops how to interpret the encrypted file.
By default, sops will chose the input type from the file extension. If it detects the wrong type for a file, this could result in decryption failing.
keyservice
list / elements=string
added in 1.0.0 of community.sops
var: sops_keyservice
Specify key services to use next to the local one.
A key service must be specified in the form protocol://address, for example tcp://myserver.com:5000.
This corresponds to the sops --keyservice option.
output_type
string
    Choices:
  • binary
  • json
  • yaml
  • dotenv
Tell sops how to interpret the decrypted file.
By default, sops will chose the output type from the file extension. If it detects the wrong type for a file, this could result in decryption failing.
rstrip
boolean
    Choices:
  • no
  • yes
Whether to remove trailing newlines and spaces.
sops_binary
path
added in 1.0.0 of community.sops
var: sops_binary
Path to the sops binary.
By default uses sops.

Notes

Note

  • This lookup does not understand ‘globbing’ - use the fileglob lookup instead.

Examples

- name: Output secrets to screen (BAD IDEA!)
  ansible.builtin.debug:
    msg: "Content: {{ lookup('community.sops.sops', item) }}"
  loop:
    - sops-encrypted-file.enc.yaml

- name: Add SSH private key
  ansible.builtin.copy:
    # Note that rstrip=false is necessary for some SSH versions to be able to use the key
    content: "{{ lookup('community.sops.sops', user + '-id_rsa', rstrip=false) }}"
    dest: /home/{{ user }}/.ssh/id_rsa
    owner: "{{ user }}"
    group: "{{ user }}"
    mode: 0600
  no_log: true  # avoid content to be written to log

- name: The file file.json is a YAML file, which contains the encryption of binary data
  ansible.builtin.debug:
    msg: "Content: {{ lookup('community.sops.sops', 'file.json', input_type='yaml', output_type='binary') }}"

Return Values

Common return values are documented here, the following are the fields unique to this lookup:

Key Returned Description
_raw
list / elements=string
success
Decrypted file content.



Authors

© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/community/sops/sops_lookup.html