Accessing encrypted configuration values with a plugin

Hello Everybody,

I want to create a callback plugin that emits log messages to an API. That API is secured by some Authorization header. In order to securely store the required API key, I have put it into an encrypted file. The encryption was done using ansible-vault encrypt ./secrets/log-api.yml.

To have an easy workflow I have added this to ansible.cfg:

[defaults]
…
vault_password_file = ./pwd.sh
…

The question is: How can I access the plain text data of ./secrets/log-api.yml within the plugin?

Ideally that could be done within ansible.cfg like so:

my_login_plugin_api_key = "{{ lookup( … ) }}"

But from what I have heard so far, that is not possible, since there is simply no way to have decryption in that place, isn’t it?

So the question is, how should the decryption happen in the plugin? IMHO that involves those steps:

  1. access the value of vault_password_file - in the best case the result of the script - within the plugin
  2. How to decrypt? Is there any Class / Object / Function for that?

My main problem is that I am a bloody rookie on that topic and I cannot find any documentation.

THANKS for Help and Directions!

Plugin configuration does not support individual vaults or templating (yet); till then I recommend using an environment variable.
https://github.com/ansible/ansible/pull/79244

Many inventory plugins template specific inputs if they look like a template to allow using lookups etc., see for example community.general/plugins/inventory/linode.py at ccf7f62325d17d794a184ad2ab18e0ca3655b87b · ansible-collections/community.general · GitHub


Thanks for clarification!

Does this mean that this is on the Roadmap? Is it already known when this should be there?

Thanks a lot for this hint! As I take from that suggestion, the plugin itself is running the code needed to look up the value, isn’t it? Is there anywhere another example that would show the code for decryption using the vault?

Not on roadmap, just on my personal list.

To implement for specific fields in a plugin, just template (templating decrypts)
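
The environment-variable approach recommended in this thread, sketched as a callback plugin. This is an added example, not code from any poster or from the Ansible project; the plugin name `log_api`, the option names, the variables `LOG_API_KEY` and `LOG_API_URL`, and the `Bearer` scheme are assumptions.

```python
# callback_plugins/log_api.py (hypothetical plugin; names below are assumptions)
import json
import urllib.request

try:
    from ansible.plugins.callback import CallbackBase
except ImportError:  # allows build_request() to be exercised without Ansible
    CallbackBase = object

DOCUMENTATION = """
name: log_api
type: notification
short_description: Send task results to an HTTP log API (example)
options:
  api_key:
    description: API key sent in the Authorization header.
    required: true
    env: [{name: LOG_API_KEY}]
  url:
    description: Endpoint that receives the log events.
    required: true
    env: [{name: LOG_API_URL}]
"""

def build_request(url, api_key, event):
    """Return a POST request carrying the event as JSON plus the auth header."""
    if not api_key:
        raise ValueError("api_key is empty; refusing to send unauthenticated")
    return urllib.request.Request(
        url,
        data=json.dumps(event).encode("utf-8"),
        headers={"Authorization": "Bearer " + api_key,  # scheme is assumed
                 "Content-Type": "application/json"},
        method="POST",
    )

class CallbackModule(CallbackBase):
    CALLBACK_VERSION = 2.0
    CALLBACK_TYPE = "notification"
    CALLBACK_NAME = "log_api"
    CALLBACK_NEEDS_ENABLED = True

    def v2_runner_on_ok(self, result):
        event = {"host": result._host.get_name(),
                 "task": result._task.get_name(), "status": "ok"}
        req = build_request(self.get_option("url"), self.get_option("api_key"), event)
        try:
            urllib.request.urlopen(req, timeout=5).close()
        except OSError as exc:
            # Report only the error; never put the key or headers in output.
            self._display.warning("log_api: delivery failed: %s" % exc)
```

The key never appears in ansible.cfg: it is exported in the shell that launches ansible-playbook, for example from the output of `ansible-vault view` on the encrypted file.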