Merge pull request #11778 from Ensighten/add_credstash_plugin
add credstash lookup plugin
This commit is contained in:
commit
3c57018a10
2 changed files with 87 additions and 0 deletions
|
@ -140,6 +140,42 @@ default empty string return value if the key is not in the csv file
|
|||
.. note:: The default delimiter is TAB, *not* comma.
|
||||
|
||||
|
||||
.. _credstash_lookup:
|
||||
|
||||
The Credstash Lookup
|
||||
````````````````````
|
||||
|
||||
Credstash is a small utility for managing secrets using AWS's KMS and DynamoDB: https://github.com/LuminalOSS/credstash
|
||||
|
||||
First, you need to store your secrets with credstash::
|
||||
|
||||
|
||||
$ credstash put my-github-password secure123
|
||||
|
||||
my-github-password has been stored
|
||||
|
||||
|
||||
Example usage::
|
||||
|
||||
|
||||
---
|
||||
- name: "Test credstash lookup plugin -- get my github password"
|
||||
debug: msg="Credstash lookup! {{ lookup('credstash', 'my-github-password') }}"
|
||||
|
||||
|
||||
You can specify regions or tables to fetch secrets from::
|
||||
|
||||
|
||||
---
|
||||
- name: "Test credstash lookup plugin -- get my other password from us-west-1"
|
||||
debug: msg="Credstash lookup! {{ lookup('credstash', 'my-other-password', region='us-west-1') }}"
|
||||
|
||||
|
||||
- name: "Test credstash lookup plugin -- get the company's github password"
|
||||
debug: msg="Credstash lookup! {{ lookup('credstash', 'company-github-password', table='company-passwords') }}"
|
||||
|
||||
|
||||
|
||||
.. _more_lookups:
|
||||
|
||||
More Lookups
|
||||
|
|
51
lib/ansible/plugins/lookup/credstash.py
Normal file
51
lib/ansible/plugins/lookup/credstash.py
Normal file
|
@ -0,0 +1,51 @@
|
|||
# (c) 2015, Ensighten <infra@ensighten.com>
|
||||
#
|
||||
# This file is part of Ansible
|
||||
#
|
||||
# Ansible is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Ansible is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||
from __future__ import (absolute_import, division, print_function)
|
||||
__metaclass__ = type
|
||||
|
||||
from ansible.errors import AnsibleError
|
||||
from ansible.plugins.lookup import LookupBase
|
||||
|
||||
CREDSTASH_INSTALLED = False
|
||||
|
||||
try:
|
||||
import credstash
|
||||
CREDSTASH_INSTALLED = True
|
||||
except ImportError:
|
||||
CREDSTASH_INSTALLED = False
|
||||
|
||||
|
||||
class LookupModule(LookupBase):
|
||||
def run(self, terms, variables, **kwargs):
|
||||
|
||||
if not CREDSTASH_INSTALLED:
|
||||
raise AnsibleError('The credstash lookup plugin requires credstash to be installed.')
|
||||
|
||||
if isinstance(terms, basestring):
|
||||
terms = [terms]
|
||||
|
||||
ret = []
|
||||
for term in terms:
|
||||
try:
|
||||
val = credstash.getSecret(term, **kwargs)
|
||||
except credstash.ItemNotFound:
|
||||
raise AnsibleError('Key {0} not found'.format(term))
|
||||
except Exception, e:
|
||||
raise AnsibleError('Encountered exception while fetching {0}: {1}'.format(term, e.message))
|
||||
ret.append(val)
|
||||
|
||||
return ret
|
Loading…
Reference in a new issue