community.sops.sops vars – Loading SOPS-encrypted vars files
Note
This vars plugin is part of the community.sops collection (version 1.8.2).
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install community.sops
.
You need further requirements to be able to use this vars plugin,
see Requirements for details.
To use it in a playbook, specify: community.sops.sops
.
New in community.sops 0.1.0
Synopsis
Load encrypted YAML files into corresponding groups/hosts in
group_vars/
andhost_vars/
directories.Files are encrypted prior to reading, making this plugin an effective companion to ansible.builtin.host_group_vars plugin.
Files are restricted to
.sops.yaml
,.sops.yml
,.sops.json
extensions, unless configured otherwise withvalid_extensions
.Hidden files are ignored.
Requirements
The below requirements are needed on the local controller node that executes this vars.
A binary executable
sops
(https://github.com/getsops/sops) must exist either inPATH
or configured assops_binary
.
Parameters
Parameter |
Comments |
---|---|
One or more age private keys that can be used to decrypt encrypted files. Will be set as the Configuration:
|
|
The file containing the age private keys that SOPS can use to decrypt encrypted files. Will be set as the By default, SOPS looks for Configuration:
|
|
The AWS access key ID to use for requests to AWS. Sets the environment variable Configuration:
|
|
The AWS profile to use for requests to AWS. This corresponds to the SOPS Configuration:
|
|
The AWS secret access key to use for requests to AWS. Sets the environment variable Configuration:
|
|
The AWS session token to use for requests to AWS. Sets the environment variable Configuration:
|
|
Whether to cache decrypted files or not. If the cache is disabled, the files will be decrypted for almost every task. This is very slow! Only disable caching if you modify the variable files during a playbook run and want the updated result to be available from the next task on. Note that setting Choices:
Configuration:
|
|
Path to the SOPS configuration file. If not set, SOPS will recursively search for the config file starting at the file that is encrypted or decrypted. This corresponds to the SOPS Configuration:
|
|
Temporarily disable this plugin. Useful if ansible-inventory is supposed to be run without decrypting secrets (in AWX for instance). Choices:
Configuration:
|
|
Tell SOPS to use local key service. This corresponds to the SOPS Choices:
Configuration:
|
|
How to handle files that match the extensions in The default value The value The value Note that this will not help if the store SOPS uses cannot parse the file, for example because it is no valid JSON/YAML/… file despite its file extension. For extensions other than the default ones SOPS uses the binary store, which tries to parse the file as JSON. Choices:
Configuration:
|
|
Specify key services to use next to the local one. A key service must be specified in the form This corresponds to the SOPS Configuration:
|
|
Path to the SOPS binary. By default uses Configuration:
|
|
Control when this vars plugin may be executed. Setting this option to Setting this option to Setting this option to If this option is omitted, the global Choices:
Configuration:
|
|
Check all of these extensions when looking for ‘variable’ files. These files must be SOPS encrypted YAML or JSON files. By default the plugin will produce errors when encountering files matching these extensions that are not SOPS encrypted. This behavior can be controlled with the Default: Configuration:
|
See Also
See also
- community.sops.sops lookup plugin
The sops lookup can be used decrypt SOPS-encrypted files.
- community.sops.decrypt filter plugin
The decrypt filter can be used to decrypt SOPS-encrypted in-memory data.
- community.sops.load_vars
Load SOPS-encrypted variables from files, dynamically within a task.