community.sops.decrypt filter – Decrypt SOPS-encrypted data

Note

This filter plugin is part of the community.sops collection (version 2.0.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.sops. You need further requirements to be able to use this filter plugin, see Requirements for details.

To use it in a playbook, specify: community.sops.decrypt.

New in community.sops 1.1.0

Synopsis

  • Decrypt SOPS-encrypted data.

  • Allows decrypting data that has been provided by an arbitrary source (a lookup, a fetched URL, a registered result), rather than only by a file path.

  • Note that because Ansible evaluates expressions lazily, an expression that contains this filter calls the sops binary again every time the expression is used. Store the result once with ansible.builtin.set_fact (ideally with no_log: true) and reference the fact afterwards.

Requirements

The below requirements are needed on the local controller node that executes this filter.

Input

This describes the input of the filter, the value before | community.sops.decrypt.

Parameter

Comments

Input

string / required

The data to decrypt.

Keyword parameters

This describes keyword parameters of the filter. These are the values key1=value1, key2=value2 and so on in the following example: input | community.sops.decrypt(key1=value1, key2=value2, ...)

Parameter

Comments

age_key

string

added in community.sops 1.4.0

One or more age private keys that can be used to decrypt encrypted files.

Will be set as the SOPS_AGE_KEY environment variable when calling SOPS.

Requires SOPS 3.7.1+.

age_keyfile

path

added in community.sops 1.4.0

The file containing the age private keys that SOPS can use to decrypt encrypted files.

Will be set as the SOPS_AGE_KEY_FILE environment variable when calling SOPS.

By default, SOPS looks for sops/age/keys.txt inside your user configuration directory.

Requires SOPS 3.7.0+.

aws_access_key_id

string

added in community.sops 1.0.0

The AWS access key ID to use for requests to AWS.

Sets the environment variable AWS_ACCESS_KEY_ID for the SOPS call.

aws_profile

string

added in community.sops 1.0.0

The AWS profile to use for requests to AWS.

This corresponds to the SOPS --aws-profile option.

aws_secret_access_key

string

added in community.sops 1.0.0

The AWS secret access key to use for requests to AWS.

Sets the environment variable AWS_SECRET_ACCESS_KEY for the SOPS call.

aws_session_token

string

added in community.sops 1.0.0

The AWS session token to use for requests to AWS.

Sets the environment variable AWS_SESSION_TOKEN for the SOPS call.

config_path

path

added in community.sops 1.0.0

Path to the SOPS configuration file.

If not set, SOPS will recursively search for the config file starting at the file that is encrypted or decrypted.

This corresponds to the SOPS --config option.

decode_output

boolean

Whether to decode the output to bytes.

When output_type=binary and the data is not known to be UTF-8 encoded text, set this to false; otherwise the bytes are passed through a UTF-8 decode and arbitrary binary data is mangled.

Choices:

  • false

  • true ← (default)

enable_local_keyservice

boolean

added in community.sops 1.0.0

Tell SOPS to use the local key service.

This corresponds to the SOPS --enable-local-keyservice option.

Choices:

  • false ← (default)

  • true

input_type

string

Tell SOPS how to interpret the encrypted data.

There is no auto-detection since we do not have a filename. By default SOPS is told to treat the input as YAML. If that is wrong, please set this option to the correct value.

The value ini is available since community.sops 1.9.0.

Choices:

  • "binary"

  • "json"

  • "yaml" ← (default)

  • "dotenv"

  • "ini"

keyservice

list / elements=string

added in community.sops 1.0.0

Specify key services to use in addition to the local one.

A key service must be specified in the form protocol://address, for example tcp://myserver.com:5000.

This corresponds to the SOPS --keyservice option.

output_type

string

Tell SOPS which format to emit the decrypted data in.

Please note that the output is always text or bytes, depending on the value of decode_output. To parse the resulting JSON or YAML, use corresponding filters such as ansible.builtin.from_json and ansible.builtin.from_yaml.

The value ini is available since community.sops 1.9.0.

Choices:

  • "binary"

  • "json"

  • "yaml" ← (default)

  • "dotenv"

  • "ini"

rstrip

boolean

Whether to remove trailing newlines and spaces.

Choices:

  • false

  • true ← (default)

sops_binary

path

added in community.sops 1.0.0

Path to the SOPS binary.

By default uses sops.
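The keyword parameters above are mostly about where SOPS gets its key material from. The playbook below is an added example, not part of the community.sops documentation, showing the pattern a practitioner would use: the age private key is supplied through age_key from an Ansible Vault-encrypted vars file rather than left in the user configuration directory, the input format is stated explicitly because the filter cannot auto-detect it, the decrypted result is parsed once into a fact under no_log, and a second task selects an AWS profile for a KMS-encrypted file. The file names (vault/sops-keys.yml, secrets/app.enc.json, secrets/infra.enc.yaml, .sops.yaml), the variable sops_age_private_key, the profile name prod-kms and the keys db_password and api_token are assumptions for illustration.

```yaml
# Added example; not from the community.sops docs. All paths, variable and key
# names below are assumed for illustration.
- name: Decrypt SOPS data with explicitly supplied key material
  hosts: localhost
  gather_facts: false
  vars_files:
    # Ansible Vault-encrypted file defining `sops_age_private_key`
    # (an AGE-SECRET-KEY-1... string). Keeping it in Vault means the
    # controller only needs the Vault password; no cleartext age key
    # file has to exist in the user configuration directory.
    - vault/sops-keys.yml
  vars:
    # The encrypted document is read on the controller; the filter also
    # runs there, so only the result ever leaves the controller.
    encrypted_json: "{{ lookup('ansible.builtin.file', playbook_dir ~ '/secrets/app.enc.json') }}"
  tasks:
    - name: Decrypt JSON once and parse it (no_log keeps the plaintext out of the log)
      ansible.builtin.set_fact:
        app_secrets: >-
          {{ encrypted_json
             | community.sops.decrypt(
                 input_type='json',
                 output_type='json',
                 age_key=sops_age_private_key,
                 config_path=playbook_dir ~ '/.sops.yaml')
             | ansible.builtin.from_json }}
      no_log: true

    - name: Check the expected keys are present without printing their values
      ansible.builtin.assert:
        that:
          - "'db_password' in app_secrets"
          - "'api_token' in app_secrets"
        quiet: true

    - name: Use a secret where it is needed, still without logging it
      ansible.builtin.copy:
        content: "DATABASE_PASSWORD={{ app_secrets.db_password }}\n"
        dest: /etc/app/db.env
        mode: "0600"
      no_log: true

    - name: Decrypt a KMS-encrypted YAML file, choosing the AWS profile SOPS should use
      ansible.builtin.set_fact:
        infra_secrets: >-
          {{ lookup('ansible.builtin.file', playbook_dir ~ '/secrets/infra.enc.yaml')
             | community.sops.decrypt(aws_profile='prod-kms')
             | ansible.builtin.from_yaml }}
      no_log: true
```

Because age_key is exported to SOPS as the SOPS_AGE_KEY environment variable of the sops process, the key never has to be written to disk on the controller. The same applies to aws_access_key_id, aws_secret_access_key and aws_session_token; prefer aws_profile (or the controller's normal AWS credential chain) over embedding static keys in variables.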

See Also

community.sops.sops lookup plugin

Read SOPS-encrypted file contents.

community.sops.sops vars plugin

Loading SOPS-encrypted vars files.

community.sops.load_vars

Load SOPS-encrypted variables from files, dynamically within a task.

Examples

- name: Decrypt file fetched from URL
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Fetch file from URL
      ansible.builtin.uri:
        url: https://raw.githubusercontent.com/getsops/sops/master/functional-tests/res/comments.enc.yaml
        return_content: true
      register: encrypted_content

    - name: Show encrypted data
      ansible.builtin.debug:
        msg: "{{ encrypted_content.content | ansible.builtin.from_yaml }}"

    - name: Decrypt data and decode decrypted YAML
      ansible.builtin.set_fact:
        decrypted_data: "{{ encrypted_content.content | community.sops.decrypt | ansible.builtin.from_yaml }}"

    - name: Show decrypted data
      debug:
        msg: "{{ decrypted_data }}"
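The page's example covers the default YAML case. Two cases need the input_type, output_type, decode_output and rstrip parameters set explicitly: a dotenv file, which is returned as text lines that still have to be parsed, and a binary blob, which must not be UTF-8 decoded or stripped. The playbook below is an added example, not part of the community.sops documentation; the host group app_servers, the directory secrets/ with app.enc.env and tls.key.enc, and the destination /etc/app/tls.key are assumptions.

```yaml
# Added example; not from the community.sops docs. Host group, paths and
# destination are assumed for illustration.
- name: Decrypt non-YAML SOPS data (dotenv and binary)
  hosts: app_servers
  gather_facts: false
  vars:
    secrets_dir: "{{ playbook_dir }}/secrets"
  tasks:
    # The filter (and the file lookup) run on the controller even though
    # the play targets app_servers; only the decrypted value is used remotely.
    - name: Decrypt a dotenv file (no auto-detection, so input_type must be set)
      ansible.builtin.set_fact:
        app_env_text: >-
          {{ lookup('ansible.builtin.file', secrets_dir ~ '/app.enc.env')
             | community.sops.decrypt(input_type='dotenv', output_type='dotenv') }}
      no_log: true

    - name: Turn the KEY=VALUE lines into a dict, skipping blank and comment lines
      ansible.builtin.set_fact:
        app_env: >-
          {{ app_env | default({})
             | combine({item.split('=', 1)[0]: item.split('=', 1)[1]}) }}
      loop: >-
        {{ app_env_text.splitlines()
           | reject('match', '^\s*(#|$)')
           | list }}
      no_log: true

    - name: Decrypt a binary blob as raw bytes and carry it as base64
      ansible.builtin.set_fact:
        # decode_output=false: no UTF-8 decode; rstrip=false: keep trailing bytes.
        # b64encode accepts bytes, so the value is safe to store in a fact.
        tls_key_b64: >-
          {{ lookup('ansible.builtin.file', secrets_dir ~ '/tls.key.enc')
             | community.sops.decrypt(input_type='binary', output_type='binary',
                                      decode_output=false, rstrip=false)
             | ansible.builtin.b64encode }}
      no_log: true

    - name: Write the bytes on the target without passing them through a text decode
      ansible.builtin.shell:
        cmd: umask 077 && base64 -d > /etc/app/tls.key
        stdin: "{{ tls_key_b64 }}"
      no_log: true
      changed_when: true
```

The base64 detour is deliberate: ansible.builtin.copy takes content as text and the b64decode filter returns text, so both would apply the same UTF-8 decode that decode_output=false was meant to avoid. Feeding the base64 text to base64 -d on the target via stdin keeps the blob out of the command line and process list as well as out of the log.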

Return Value

Key

Description

Return value

string

Decrypted data as text (decode_output=true, default) or as bytes (decode_output=false).

Returned: success

Authors

  • Felix Fontein (@felixfontein)
