community.general.credstash lookup – retrieve secrets from Credstash on AWS

Note

This lookup plugin is part of the community.general collection (version 9.4.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general. This lookup plugin has further requirements; see Requirements for details.

To use it in a playbook, specify: community.general.credstash.

Synopsis

Requirements

The below requirements are needed on the local controller node that executes this lookup.

  • credstash (python library)

Terms

Parameter

Comments

Terms

list / elements=string / required

Term or list of terms to look up in the credential store.

Keyword parameters

This describes keyword parameters of the lookup. These are the values key1=value1, key2=value2 and so on in the following examples: lookup('community.general.credstash', key1=value1, key2=value2, ...) and query('community.general.credstash', key1=value1, key2=value2, ...)

Parameter

Comments

aws_access_key_id

string

AWS access key ID

Configuration:

aws_secret_access_key

string

AWS secret access key

Configuration:

aws_session_token

string

AWS session token

Configuration:

profile_name

string

AWS profile to use for authentication

Configuration:

region

string

AWS region

table

string

name of the credstash table to query

Default: "credential-store"

version

string

Credstash version

Default: ""

Notes

Note

  • When keyword and positional parameters are used together, positional parameters must be listed before keyword parameters: lookup('community.general.credstash', term1, term2, key1=value1, key2=value2) and query('community.general.credstash', term1, term2, key1=value1, key2=value2)

Examples

- name: first use credstash to store your secrets
  ansible.builtin.shell: credstash put my-github-password secure123

- name: "Test credstash lookup plugin -- get my github password"
  ansible.builtin.debug:
    msg: "Credstash lookup! {{ lookup('community.general.credstash', 'my-github-password') }}"

- name: "Test credstash lookup plugin -- get my other password from us-west-1"
  ansible.builtin.debug:
    msg: "Credstash lookup! {{ lookup('community.general.credstash', 'my-other-password', region='us-west-1') }}"

- name: "Test credstash lookup plugin -- get the company's github password"
  ansible.builtin.debug:
    msg: "Credstash lookup! {{ lookup('community.general.credstash', 'company-github-password', table='company-passwords') }}"

- name: Example play using the 'context' feature
  hosts: localhost
  vars:
    context:
      app: my_app
      environment: production
  tasks:

  - name: "Test credstash lookup plugin -- get the password with a context passed as a variable"
    ansible.builtin.debug:
      msg: "{{ lookup('community.general.credstash', 'some-password', context=context) }}"

  - name: "Test credstash lookup plugin -- get the password with a context defined here"
    ansible.builtin.debug:
      msg: "{{ lookup('community.general.credstash', 'some-password', context=dict(app='my_app', environment='production')) }}"
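
The tasks above print each secret through ansible.builtin.debug, which puts the value in the play output. The play below is an added example, not part of the collection's own documentation: it passes the looked-up values to a module under no_log instead. The Credstash key names, table name, AWS profile and destination path are hypothetical.

```yaml
# Added example (not from the collection's documentation).
# Hypothetical names: keys "db-password" and "api-token", table "app-secrets",
# profile "deploy", and the path /etc/myapp/secrets.env.
- name: Consume Credstash secrets without echoing them
  hosts: localhost
  become: true
  gather_facts: false
  tasks:

    # The lookup runs on the controller, so the credstash Python library and
    # the AWS credentials are only needed there.
    # Positional terms are listed before keyword parameters, as the Notes require.
    # query() always returns a list; it is assumed here that values come back
    # in the same order as the terms.
    - name: Fetch two secrets in one call
      ansible.builtin.set_fact:
        app_secrets: >-
          {{ query('community.general.credstash',
                   'db-password', 'api-token',
                   table='app-secrets',
                   region='us-west-1',
                   profile_name='deploy') }}
      no_log: true   # keep the values out of task output and logs

    - name: Write the secrets to a file readable only by root
      ansible.builtin.copy:
        dest: /etc/myapp/secrets.env
        content: |
          DB_PASSWORD={{ app_secrets[0] }}
          API_TOKEN={{ app_secrets[1] }}
        owner: root
        group: root
        mode: "0600"
      no_log: true   # the rendered content would otherwise appear in diffs and -v output
```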

Return Value

Key

Description

Return value

string

Value(s) stored in Credstash.

Returned: success

Authors

  • Unknown

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.