Questions regarding the ansible sops collection

Hello,

I am relatively new to ansible and I want to use the sops collection to
decrypt some sensitive data for our ansible playbooks / roles that we want to
store in a git repo. Unfortunately things are not working as expected, which
might be because I do not understand everything correctly. It would be great
if you could help me sort things out...

For test reasons and to understand how to work with sops and ansible I did
the following:

1. I've created a file
inventories/test/group_vars/ansible_become_password.sops.yml with the
following decrypted content:

Hi,

[...]
This looks good to me...

3. Now I've created this little playbook to test decryption:

-----
---
- name: Create sops-encrypted private key
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Load encrypted credentials
      community.sops.load_vars:
        file: /home/cs/git/linova/linova-gitops/ansible/inventories/test/group_vars/ansible_become_password.sops.yml
        expressions: evaluate-on-load

    - name: Show password
      debug:
        msg: "The password is {{ ansible_become_password }}"
-----

4. When I run the playbook I get the following output:

[WARNING]: Removed restricted key from module data:
ansible_become_password = ansible

This is the relevant warning. Ansible-core apparently does not allow
modules or action plugins to return certain values, in particular
ansible_become_password. Since you are asking the
community.sops.load_vars action to decrypt a file containing that
value, and ansible-core throws that value away, you cannot use it later
on.

(This is in part because community.sops.load_vars is kind of a hack.
Proper variable loading is not possible for actions that are not part
of ansible-core itself.)

1. Am I going into the right direction and are my steps OK in
general, or do I follow a wrong way to handle our encrypted data with
the plugin?

Instead of using community.sops.load_vars, you should use the
community.sops.sops vars plugin. That allows you to load group and host
vars that are sops-encrypted. To use this, you need to activate the
vars plugin as shown here:
https://github.com/ansible-collections/community.sops#vars-plugin

I think your inventory file is named correctly so that simply enabling
the community.sops.sops vars plugin should suffice in your case. With
it, simply this should already work:
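An added example (not from the thread) of what the playbook looks like once the vars plugin does the decryption instead of a load_vars task. It assumes `vars_plugins_enabled = host_group_vars,community.sops.sops` under `[defaults]` in ansible.cfg, and a file `group_vars/all.sops.yml` (assumed name, for the `all` group) that contains `ansible_become_password`.

```yaml
---
# Added example, not from the original thread.
# With the community.sops.sops vars plugin enabled, the decrypted
# ansible_become_password is already part of the host's variables, so
# there is no module return value for ansible-core to strip and no
# load_vars task is needed. The secret is checked, never printed.
- name: Verify the sops-decrypted become password is usable
  hosts: all
  gather_facts: false
  tasks:
    - name: Fail early if the vars plugin did not supply the password
      ansible.builtin.assert:
        that:
          - ansible_become_password is defined
        fail_msg: >-
          ansible_become_password is not set; check vars_plugins_enabled
          in ansible.cfg and the *.sops.yml file name under group_vars/

    - name: Run a privileged command (become uses the decrypted password)
      ansible.builtin.command: id -u
      become: true
      register: uid

    - name: Confirm privilege escalation worked without echoing the secret
      ansible.builtin.assert:
        that:
          - uid.stdout == "0"
        fail_msg: "become did not escalate to root on {{ inventory_hostname }}"
```

Run it with `ansible-playbook -i inventories/test verify-become.yml` from the directory holding ansible.cfg; a `debug` of the password, as in the original test playbook, would write the decrypted value into the log.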