Note
This lookup plugin is part of the community.sops collection (version 2.2.1).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.sops. You need further requirements to be able to use this lookup plugin, see Requirements for details.
To use it in a playbook, specify: community.sops.sops.
New in community.sops 0.1.0
Requires the sops executable to be available in the controller PATH.

Requirements

The below requirements are needed on the local controller node that executes this lookup.

sops (https://github.com/getsops/sops) must exist either in PATH or configured as sops_binary.

Terms

| Parameter | Comments |
|---|---|
| Terms list / elements=string / required | Path(s) of files to read. |
Keyword parameters

This describes keyword parameters of the lookup. These are the values key1=value1, key2=value2 and so on in the following examples: lookup('community.sops.sops', key1=value1, key2=value2, ...) and query('community.sops.sops', key1=value1, key2=value2, ...)

| Parameter | Comments |
|---|---|
| age_key string added in community.sops 1.4.0 | One or more age private keys that can be used to decrypt encrypted files. Will be set as the Requires SOPS 3.7.1+. Configuration: |
| age_keyfile path added in community.sops 1.4.0 | The file containing the age private keys that SOPS can use to decrypt encrypted files. Will be set as the By default, SOPS looks for Requires SOPS 3.7.0+. Configuration: |
| age_ssh_private_keyfile path added in community.sops 1.4.0 | The file containing the SSH private key that SOPS can use to decrypt encrypted files. Will be set as the By default, SOPS looks for Requires SOPS 3.10.0+. Configuration: |
| aws_access_key_id string added in community.sops 1.0.0 | The AWS access key ID to use for requests to AWS. Sets the environment variable Configuration: |
| aws_profile string added in community.sops 1.0.0 | The AWS profile to use for requests to AWS. This corresponds to the SOPS Configuration: |
| aws_secret_access_key string added in community.sops 1.0.0 | The AWS secret access key to use for requests to AWS. Sets the environment variable Configuration: |
| aws_session_token string added in community.sops 1.0.0 | The AWS session token to use for requests to AWS. Sets the environment variable Configuration: |
| base64 boolean | Base64-encodes the parsed result. Use this if you want to store binary data in Ansible variables. Choices: |
| config_path path added in community.sops 1.0.0 | Path to the SOPS configuration file. If not set, SOPS will recursively search for the config file starting at the file that is encrypted or decrypted. This corresponds to the SOPS Configuration: |
| empty_on_not_exist boolean | When set to Choices: |
| enable_local_keyservice boolean added in community.sops 1.0.0 | Tell SOPS to use the local key service. This corresponds to the SOPS Choices: Configuration: |
| extract string added in community.sops 1.9.0 | Tell SOPS to extract a specific key from a JSON or YAML file. Expects a string with the same 'querystring' syntax as SOPS' Note: Escape quotes appropriately. |
| input_type string | Tell SOPS how to interpret the encrypted file. By default, SOPS will choose the input type from the file extension. If it detects the wrong type for a file, this could result in decryption failing. The value Choices: |
| keyservice list / elements=string added in community.sops 1.0.0 | Specify key services to use next to the local one. A key service must be specified in the form This corresponds to the SOPS Configuration: |
| output_type string | Tell SOPS how to interpret the decrypted file. By default, SOPS will choose the output type from the file extension. If it detects the wrong type for a file, this could result in decryption failing. The value Choices: |
| rstrip boolean | Whether to remove trailing newlines and spaces. Choices: |
| sops_binary path added in community.sops 1.0.0 | Path to the SOPS binary. By default uses Configuration: |
Note
Configuration entries listed above for each entry type (Ansible variable, environment variable, and so on) have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up. The entry types are also ordered by precedence from low to high priority order. For example, an ansible.cfg entry (further up in the list) is overwritten by an Ansible variable (further down in the list).
Note
lookup('community.sops.sops', term1, term2, key1=value1, key2=value2) and query('community.sops.sops', term1, term2, key1=value1, key2=value2)
See also
The decrypt filter can be used to decrypt SOPS-encrypted in-memory data.
The sops vars plugin can be used to load SOPS-encrypted host or group variables.
Synopsis

Load SOPS-encrypted variables from files, dynamically within a task.

Examples

```yaml
---
- name: Output secrets to screen (BAD IDEA!)
  ansible.builtin.debug:
    msg: "Content: {{ lookup('community.sops.sops', item) }}"
  loop:
    - sops-encrypted-file.enc.yaml

- name: Add SSH private key
  ansible.builtin.copy:
    # Note that rstrip=false is necessary for some SSH versions to be able to use the key
    content: "{{ lookup('community.sops.sops', user + '-id_rsa', rstrip=false) }}"
    dest: /home/{{ user }}/.ssh/id_rsa
    owner: "{{ user }}"
    group: "{{ user }}"
    mode: "0600"
  no_log: true # avoid the decrypted content being written to the log

- name: The file file.json is a YAML file, which contains the encryption of binary data
  ansible.builtin.debug:
    msg: "Content: {{ lookup('community.sops.sops', 'file.json', input_type='yaml', output_type='binary') }}"
```
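The playbook below is an added example and is not taken from the collection's own documentation; it exercises several of the keyword parameters from the table above (extract, sops_binary, age_keyfile, empty_on_not_exist) together with the lookup and query call forms shown in the notes. The file names, the age key file path, the sops binary path and the key path passed to extract are all assumptions, not values from this page. The folded block scalar in the first task is one way to satisfy the "escape quotes appropriately" note for extract without backslash escaping.

```yaml
---
# Added example, not part of the community.sops documentation. File names,
# key names and the paths under "vars" are constructed placeholders.
- name: Exercise the community.sops.sops lookup options
  hosts: localhost
  gather_facts: false
  vars:
    sops_bin: /usr/local/bin/sops          # location of the sops binary (assumed)
    age_keys: /etc/ansible/age-keys.txt    # file holding the age private keys (assumed)
  tasks:
    - name: Extract only db.password instead of decrypting the whole file into a variable
      # A folded block scalar (>-) lets the Jinja expression contain both quote
      # kinds without escaping, which extract='["db"]["password"]' needs.
      ansible.builtin.set_fact:
        db_password: >-
          {{ lookup('community.sops.sops', 'secrets.enc.yaml',
                    extract='["db"]["password"]',
                    sops_binary=sops_bin, age_keyfile=age_keys) }}
      no_log: true  # keep the decrypted value out of the job log

    - name: Decrypt several files in one call; query() returns a list with one string per term
      ansible.builtin.set_fact:
        cert_chain_parts: "{{ query('community.sops.sops', 'intermediate.pem.enc', 'leaf.pem.enc', age_keyfile=age_keys) }}"

    - name: Show how many files were decrypted (certificates only, nothing secret is printed)
      ansible.builtin.debug:
        msg: "Decrypted {{ cert_chain_parts | length }} files"

    - name: Optional per-host secret; with empty_on_not_exist a missing file yields an empty string instead of a failure
      ansible.builtin.set_fact:
        host_token: "{{ lookup('community.sops.sops', inventory_hostname + '.token.enc', empty_on_not_exist=true, age_keyfile=age_keys) }}"
      no_log: true

    - name: Only act when the optional secret was actually present
      ansible.builtin.debug:
        msg: "A host token was provided ({{ host_token | length }} characters)"
      when: host_token | length > 0
```

Every task that stores decrypted material sets no_log so that the value does not land in the job output, the same precaution the SSH key example above takes; the debug tasks print only counts and lengths, never the secret itself.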
Return Value

| Key | Description |
|---|---|
| Return value list / elements=string | Decrypted file content. Returned: success |
© 2012–2018 Michael DeHaan
© 2018–2025 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/community/sops/sops_lookup.html