W3cubDocs

/Ansible

community.general.credstash lookup – retrieve secrets from Credstash on AWS

Note

This lookup plugin is part of the community.general collection (version 10.7.3).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general. You need further requirements to be able to use this lookup plugin, see Requirements for details.

To use it in a playbook, specify: community.general.credstash.

Synopsis
Requirements
Terms
Keyword parameters
Notes
Examples
Return Value

Synopsis

Credstash is a small utility for managing secrets using AWS’s KMS and DynamoDB: https://github.com/fugue/credstash.

Requirements

The below requirements are needed on the local controller node that executes this lookup.

credstash (python library)

Terms

Parameter	Comments
Terms list / elements=string / required	Term or list of terms to lookup in the credit store.

Keyword parameters

This describes keyword parameters of the lookup. These are the values key1=value1, key2=value2 and so on in the following examples: lookup('community.general.credstash', key1=value1, key2=value2, ...) and query('community.general.credstash', key1=value1, key2=value2, ...)

Parameter	Comments
aws_access_key_id string	AWS access key ID. Configuration: Environment variable: `AWS_ACCESS_KEY_ID`
aws_secret_access_key string	AWS access key. Configuration: Environment variable: `AWS_SECRET_ACCESS_KEY`
aws_session_token string	AWS session token. Configuration: Environment variable: `AWS_SESSION_TOKEN`
profile_name string	AWS profile to use for authentication. Configuration: Environment variable: `AWS_PROFILE`
region string	AWS region.
table string	Name of the credstash table to query. Default: `"credential-store"`
version string	Credstash version. Default: `""`

Notes

Note

When keyword and positional parameters are used together, positional parameters must be listed before keyword parameters: lookup('community.general.credstash', term1, term2, key1=value1, key2=value2) and query('community.general.credstash', term1, term2, key1=value1, key2=value2)

Examples

- name: first use credstash to store your secrets
  ansible.builtin.shell: credstash put my-github-password secure123

- name: "Test credstash lookup plugin -- get my github password"
  ansible.builtin.debug:
    msg: "Credstash lookup! {{ lookup('community.general.credstash', 'my-github-password') }}"

- name: "Test credstash lookup plugin -- get my other password from us-west-1"
  ansible.builtin.debug:
    msg: "Credstash lookup! {{ lookup('community.general.credstash', 'my-other-password', region='us-west-1') }}"

- name: "Test credstash lookup plugin -- get the company's github password"
  ansible.builtin.debug:
    msg: "Credstash lookup! {{ lookup('community.general.credstash', 'company-github-password', table='company-passwords') }}"

- name: Example play using the 'context' feature
  hosts: localhost
  vars:
    context:
      app: my_app
      environment: production
  tasks:

    - name: "Test credstash lookup plugin -- get the password with a context passed as a variable"
      ansible.builtin.debug:
        msg: "{{ lookup('community.general.credstash', 'some-password', context=context) }}"

    - name: "Test credstash lookup plugin -- get the password with a context defined here"
      ansible.builtin.debug:
        msg: "{{ lookup('community.general.credstash', 'some-password', context=dict(app='my_app', environment='production')) }}"

Return Value

Key	Description
Return value string	Value(s) stored in Credstash. Returned: success

Authors

Unknown

Collection links

© 2012–2018 Michael DeHaan
© 2018–2025 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/community/general/credstash_lookup.html