community.general/plugins/lookup/credstash.py

# -*- coding: utf-8 -*-
# Copyright (c) 2015, Ensighten <infra@ensighten.com>
# Copyright (c) 2017 Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type

DOCUMENTATION = '''
    author: Unknown (!UNKNOWN)
    name: credstash
    short_description: retrieve secrets from Credstash on AWS
    requirements:
      - credstash (python library)
    description:
      - "Credstash is a small utility for managing secrets using AWS's KMS and DynamoDB: https://github.com/fugue/credstash"
    options:
      _terms:
        description: term or list of terms to lookup in the credit store
        type: list
        elements: string
        required: true
      table:
        description: name of the credstash table to query
        type: str
        default: 'credential-store'
      version:
        description: Credstash version
        type: str
        default: ''
      region:
        description: AWS region
        type: str
      profile_name:
        description: AWS profile to use for authentication
        type: str
        env:
          - name: AWS_PROFILE
      aws_access_key_id:
        description: AWS access key ID
        type: str
        env:
          - name: AWS_ACCESS_KEY_ID
      aws_secret_access_key:
        description: AWS access key
        type: str
        env:
          - name: AWS_SECRET_ACCESS_KEY
      aws_session_token:
        description: AWS session token
        type: str
        env:
          - name: AWS_SESSION_TOKEN
'''

EXAMPLES = """
- name: first use credstash to store your secrets
  ansible.builtin.shell: credstash put my-github-password secure123

- name: "Test credstash lookup plugin -- get my github password"
  ansible.builtin.debug:
    msg: "Credstash lookup! {{ lookup('community.general.credstash', 'my-github-password') }}"

- name: "Test credstash lookup plugin -- get my other password from us-west-1"
  ansible.builtin.debug:
    msg: "Credstash lookup! {{ lookup('community.general.credstash', 'my-other-password', region='us-west-1') }}"

- name: "Test credstash lookup plugin -- get the company's github password"
  ansible.builtin.debug:
    msg: "Credstash lookup! {{ lookup('community.general.credstash', 'company-github-password', table='company-passwords') }}"

- name: Example play using the 'context' feature
  hosts: localhost
  vars:
    context:
      app: my_app
      environment: production
  tasks:

  - name: "Test credstash lookup plugin -- get the password with a context passed as a variable"
    ansible.builtin.debug:
      msg: "{{ lookup('community.general.credstash', 'some-password', context=context) }}"

  - name: "Test credstash lookup plugin -- get the password with a context defined here"
    ansible.builtin.debug:
      msg: "{{ lookup('community.general.credstash', 'some-password', context=dict(app='my_app', environment='production')) }}"
"""

RETURN = """
  _raw:
    description:
      - Value(s) stored in Credstash.
    type: str
"""

import os

from ansible.errors import AnsibleError
from ansible.plugins.lookup import LookupBase

CREDSTASH_INSTALLED = False

try:
    import credstash
    CREDSTASH_INSTALLED = True
except ImportError:
    CREDSTASH_INSTALLED = False


class LookupModule(LookupBase):
    def run(self, terms, variables=None, **kwargs):
        if not CREDSTASH_INSTALLED:
            raise AnsibleError('The credstash lookup plugin requires credstash to be installed.')

        self.set_options(var_options=variables, direct=kwargs)

        version = self.get_option('version')
        region = self.get_option('region')
        table = self.get_option('table')
        profile_name = self.get_option('profile_name')
        aws_access_key_id = self.get_option('aws_access_key_id')
        aws_secret_access_key = self.get_option('aws_secret_access_key')
        aws_session_token = self.get_option('aws_session_token')

        context = dict(
            (k, v) for k, v in kwargs.items()
            if k not in ('version', 'region', 'table', 'profile_name', 'aws_access_key_id', 'aws_secret_access_key', 'aws_session_token')
        )

        kwargs_pass = {
            'profile_name': profile_name,
            'aws_access_key_id': aws_access_key_id,
            'aws_secret_access_key': aws_secret_access_key,
            'aws_session_token': aws_session_token,
        }

        ret = []
        for term in terms:
            try:
                ret.append(credstash.getSecret(term, version, region, table, context=context, **kwargs_pass))
            except credstash.ItemNotFound:
                raise AnsibleError('Key {0} not found'.format(term))
            except Exception as e:
                raise AnsibleError('Encountered exception while fetching {0}: {1}'.format(term, e))

        return ret
fixed the utf-8 marker (#3162) 2021-08-07 15:02:21 +02:00			`# -- coding: utf-8 --`
Fix copyright lines (make sure 'Copyright' is there). (#5083) 2022-08-05 22:12:10 +02:00			`# Copyright (c) 2015, Ensighten <infra@ensighten.com>`
			`# Copyright (c) 2017 Ansible Project`
Move licenses to LICENSES/, run add-license.py, add LICENSES/MIT.txt (#5065) * Move licenses to LICENSES/, run add-license.py, add LICENSES/MIT.txt. * Replace 'Copyright:' with 'Copyright' sed -i 's\|Copyright:\(.*\)\|Copyright\1\|' $(rg -l 'Copyright:') Co-authored-by: Maxwell G <gotmax@e.email> 2022-08-05 12:28:29 +02:00			`# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)`
			`# SPDX-License-Identifier: GPL-3.0-or-later`
Initial commit 2020-03-09 10:11:07 +01:00			`from __future__ import (absolute_import, division, print_function)`
			`__metaclass__ = type`

			`DOCUMENTATION = '''`
Improve plugin sanity (#966) * callback_type -> type. * Mark authors as unknown. * Add author field forgotten in #627. * Fix author entries. * Add author field forgotten in #127. * Fix some types. 2020-09-28 21:21:51 +02:00			`author: Unknown (!UNKNOWN)`
<plugin_type>: -> name: (#1541) 2021-01-12 07:12:03 +01:00			`name: credstash`
Initial commit 2020-03-09 10:11:07 +01:00			`short_description: retrieve secrets from Credstash on AWS`
			`requirements:`
			`- credstash (python library)`
			`description:`
			`- "Credstash is a small utility for managing secrets using AWS's KMS and DynamoDB: https://github.com/fugue/credstash"`
			`options:`
			`_terms:`
			`description: term or list of terms to lookup in the credit store`
			`type: list`
Fix sanity issues. (#4346) 2022-03-14 20:56:27 +01:00			`elements: string`
			`required: true`
Initial commit 2020-03-09 10:11:07 +01:00			`table:`
			`description: name of the credstash table to query`
Lookups: use Ansible's config manager whenever possible (#5440) * Start using Ansible's config manager to handle options. * Docs improvements. * Fix documentation, make options actual lookup options. * The cyberarkpassword lookup does too strange things. * The onepassword lookups are converted in #4728, let's not interfere. * Improve docs. * Skip shelvefile as well. * Convert lmdb_kv. * Convert and fix credstash. * Convert manifold. * Drop chef_databag. * Convert dig. * Update examples. * Forgot the most important part. * Fix lmdb_kv docs. * Python 2.6 compatibility. * Convert AnsibleUnicode to str. * Load lookup with lookup loader. * Fix environment handling and error message checking. * Improve docs formatting. 2022-11-01 21:58:46 +01:00			`type: str`
Initial commit 2020-03-09 10:11:07 +01:00			`default: 'credential-store'`
			`version:`
			`description: Credstash version`
Lookups: use Ansible's config manager whenever possible (#5440) * Start using Ansible's config manager to handle options. * Docs improvements. * Fix documentation, make options actual lookup options. * The cyberarkpassword lookup does too strange things. * The onepassword lookups are converted in #4728, let's not interfere. * Improve docs. * Skip shelvefile as well. * Convert lmdb_kv. * Convert and fix credstash. * Convert manifold. * Drop chef_databag. * Convert dig. * Update examples. * Forgot the most important part. * Fix lmdb_kv docs. * Python 2.6 compatibility. * Convert AnsibleUnicode to str. * Load lookup with lookup loader. * Fix environment handling and error message checking. * Improve docs formatting. 2022-11-01 21:58:46 +01:00			`type: str`
			`default: ''`
Initial commit 2020-03-09 10:11:07 +01:00			`region:`
			`description: AWS region`
Lookups: use Ansible's config manager whenever possible (#5440) * Start using Ansible's config manager to handle options. * Docs improvements. * Fix documentation, make options actual lookup options. * The cyberarkpassword lookup does too strange things. * The onepassword lookups are converted in #4728, let's not interfere. * Improve docs. * Skip shelvefile as well. * Convert lmdb_kv. * Convert and fix credstash. * Convert manifold. * Drop chef_databag. * Convert dig. * Update examples. * Forgot the most important part. * Fix lmdb_kv docs. * Python 2.6 compatibility. * Convert AnsibleUnicode to str. * Load lookup with lookup loader. * Fix environment handling and error message checking. * Improve docs formatting. 2022-11-01 21:58:46 +01:00			`type: str`
Initial commit 2020-03-09 10:11:07 +01:00			`profile_name:`
			`description: AWS profile to use for authentication`
Lookups: use Ansible's config manager whenever possible (#5440) * Start using Ansible's config manager to handle options. * Docs improvements. * Fix documentation, make options actual lookup options. * The cyberarkpassword lookup does too strange things. * The onepassword lookups are converted in #4728, let's not interfere. * Improve docs. * Skip shelvefile as well. * Convert lmdb_kv. * Convert and fix credstash. * Convert manifold. * Drop chef_databag. * Convert dig. * Update examples. * Forgot the most important part. * Fix lmdb_kv docs. * Python 2.6 compatibility. * Convert AnsibleUnicode to str. * Load lookup with lookup loader. * Fix environment handling and error message checking. * Improve docs formatting. 2022-11-01 21:58:46 +01:00			`type: str`
Initial commit 2020-03-09 10:11:07 +01:00			`env:`
			`- name: AWS_PROFILE`
			`aws_access_key_id:`
			`description: AWS access key ID`
Lookups: use Ansible's config manager whenever possible (#5440) * Start using Ansible's config manager to handle options. * Docs improvements. * Fix documentation, make options actual lookup options. * The cyberarkpassword lookup does too strange things. * The onepassword lookups are converted in #4728, let's not interfere. * Improve docs. * Skip shelvefile as well. * Convert lmdb_kv. * Convert and fix credstash. * Convert manifold. * Drop chef_databag. * Convert dig. * Update examples. * Forgot the most important part. * Fix lmdb_kv docs. * Python 2.6 compatibility. * Convert AnsibleUnicode to str. * Load lookup with lookup loader. * Fix environment handling and error message checking. * Improve docs formatting. 2022-11-01 21:58:46 +01:00			`type: str`
Initial commit 2020-03-09 10:11:07 +01:00			`env:`
			`- name: AWS_ACCESS_KEY_ID`
			`aws_secret_access_key:`
			`description: AWS access key`
Lookups: use Ansible's config manager whenever possible (#5440) * Start using Ansible's config manager to handle options. * Docs improvements. * Fix documentation, make options actual lookup options. * The cyberarkpassword lookup does too strange things. * The onepassword lookups are converted in #4728, let's not interfere. * Improve docs. * Skip shelvefile as well. * Convert lmdb_kv. * Convert and fix credstash. * Convert manifold. * Drop chef_databag. * Convert dig. * Update examples. * Forgot the most important part. * Fix lmdb_kv docs. * Python 2.6 compatibility. * Convert AnsibleUnicode to str. * Load lookup with lookup loader. * Fix environment handling and error message checking. * Improve docs formatting. 2022-11-01 21:58:46 +01:00			`type: str`
Initial commit 2020-03-09 10:11:07 +01:00			`env:`
			`- name: AWS_SECRET_ACCESS_KEY`
			`aws_session_token:`
			`description: AWS session token`
Lookups: use Ansible's config manager whenever possible (#5440) * Start using Ansible's config manager to handle options. * Docs improvements. * Fix documentation, make options actual lookup options. * The cyberarkpassword lookup does too strange things. * The onepassword lookups are converted in #4728, let's not interfere. * Improve docs. * Skip shelvefile as well. * Convert lmdb_kv. * Convert and fix credstash. * Convert manifold. * Drop chef_databag. * Convert dig. * Update examples. * Forgot the most important part. * Fix lmdb_kv docs. * Python 2.6 compatibility. * Convert AnsibleUnicode to str. * Load lookup with lookup loader. * Fix environment handling and error message checking. * Improve docs formatting. 2022-11-01 21:58:46 +01:00			`type: str`
Initial commit 2020-03-09 10:11:07 +01:00			`env:`
			`- name: AWS_SESSION_TOKEN`
			`'''`

			`EXAMPLES = """`
			`- name: first use credstash to store your secrets`
modules: fix examples to use FQCN for builtin modules (#648) * modules: fix examples to use FQCN for builtin modules * fix * fix * fix * fix * fix * fix * fix 2020-07-14 17:28:08 +02:00			`ansible.builtin.shell: credstash put my-github-password secure123`
Initial commit 2020-03-09 10:11:07 +01:00
			`- name: "Test credstash lookup plugin -- get my github password"`
Fix plugins (names, constants, FQCNs in examples) (#722) * cobbler inventory: fix NAME * oc transport: fix transport name * Inventory plugins: fix plugin identifications * Use FQCN in lookup plugin examples. * Use FQCN in callback plugins. * Add changelog fragment. * Adjust documentation. * Fix lookup plugin linting errors. * Fix quotes. 2020-08-08 22:04:34 +02:00			`ansible.builtin.debug:`
			`msg: "Credstash lookup! {{ lookup('community.general.credstash', 'my-github-password') }}"`
Initial commit 2020-03-09 10:11:07 +01:00
			`- name: "Test credstash lookup plugin -- get my other password from us-west-1"`
Fix plugins (names, constants, FQCNs in examples) (#722) * cobbler inventory: fix NAME * oc transport: fix transport name * Inventory plugins: fix plugin identifications * Use FQCN in lookup plugin examples. * Use FQCN in callback plugins. * Add changelog fragment. * Adjust documentation. * Fix lookup plugin linting errors. * Fix quotes. 2020-08-08 22:04:34 +02:00			`ansible.builtin.debug:`
			`msg: "Credstash lookup! {{ lookup('community.general.credstash', 'my-other-password', region='us-west-1') }}"`
Initial commit 2020-03-09 10:11:07 +01:00
			`- name: "Test credstash lookup plugin -- get the company's github password"`
Fix plugins (names, constants, FQCNs in examples) (#722) * cobbler inventory: fix NAME * oc transport: fix transport name * Inventory plugins: fix plugin identifications * Use FQCN in lookup plugin examples. * Use FQCN in callback plugins. * Add changelog fragment. * Adjust documentation. * Fix lookup plugin linting errors. * Fix quotes. 2020-08-08 22:04:34 +02:00			`ansible.builtin.debug:`
			`msg: "Credstash lookup! {{ lookup('community.general.credstash', 'company-github-password', table='company-passwords') }}"`
Initial commit 2020-03-09 10:11:07 +01:00
			`- name: Example play using the 'context' feature`
			`hosts: localhost`
			`vars:`
			`context:`
			`app: my_app`
			`environment: production`
			`tasks:`

			`- name: "Test credstash lookup plugin -- get the password with a context passed as a variable"`
Fix plugins (names, constants, FQCNs in examples) (#722) * cobbler inventory: fix NAME * oc transport: fix transport name * Inventory plugins: fix plugin identifications * Use FQCN in lookup plugin examples. * Use FQCN in callback plugins. * Add changelog fragment. * Adjust documentation. * Fix lookup plugin linting errors. * Fix quotes. 2020-08-08 22:04:34 +02:00			`ansible.builtin.debug:`
			`msg: "{{ lookup('community.general.credstash', 'some-password', context=context) }}"`
Initial commit 2020-03-09 10:11:07 +01:00
			`- name: "Test credstash lookup plugin -- get the password with a context defined here"`
Fix plugins (names, constants, FQCNs in examples) (#722) * cobbler inventory: fix NAME * oc transport: fix transport name * Inventory plugins: fix plugin identifications * Use FQCN in lookup plugin examples. * Use FQCN in callback plugins. * Add changelog fragment. * Adjust documentation. * Fix lookup plugin linting errors. * Fix quotes. 2020-08-08 22:04:34 +02:00			`ansible.builtin.debug:`
			`msg: "{{ lookup('community.general.credstash', 'some-password', context=dict(app='my_app', environment='production')) }}"`
Initial commit 2020-03-09 10:11:07 +01:00			`"""`

			`RETURN = """`
			`_raw:`
			`description:`
Fix various sanity errors in plugins (#881) * Fix deprecation of callables. * Fix various sanity errors. * Revert callback_type -> type transform. * Fix stat_result times: these are float according to https://github.com/python/typeshed/blob/master/stdlib/3/os/__init__.pyi * Apply suggestions from code review Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru> Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru> 2020-09-16 11:06:45 +02:00			`- Value(s) stored in Credstash.`
			`type: str`
Initial commit 2020-03-09 10:11:07 +01:00			`"""`

			`import os`

			`from ansible.errors import AnsibleError`
			`from ansible.plugins.lookup import LookupBase`

			`CREDSTASH_INSTALLED = False`

			`try:`
			`import credstash`
			`CREDSTASH_INSTALLED = True`
			`except ImportError:`
			`CREDSTASH_INSTALLED = False`


			`class LookupModule(LookupBase):`
Lookups: use Ansible's config manager whenever possible (#5440) * Start using Ansible's config manager to handle options. * Docs improvements. * Fix documentation, make options actual lookup options. * The cyberarkpassword lookup does too strange things. * The onepassword lookups are converted in #4728, let's not interfere. * Improve docs. * Skip shelvefile as well. * Convert lmdb_kv. * Convert and fix credstash. * Convert manifold. * Drop chef_databag. * Convert dig. * Update examples. * Forgot the most important part. * Fix lmdb_kv docs. * Python 2.6 compatibility. * Convert AnsibleUnicode to str. * Load lookup with lookup loader. * Fix environment handling and error message checking. * Improve docs formatting. 2022-11-01 21:58:46 +01:00			`def run(self, terms, variables=None, **kwargs):`
Initial commit 2020-03-09 10:11:07 +01:00			`if not CREDSTASH_INSTALLED:`
			`raise AnsibleError('The credstash lookup plugin requires credstash to be installed.')`

Lookups: use Ansible's config manager whenever possible (#5440) * Start using Ansible's config manager to handle options. * Docs improvements. * Fix documentation, make options actual lookup options. * The cyberarkpassword lookup does too strange things. * The onepassword lookups are converted in #4728, let's not interfere. * Improve docs. * Skip shelvefile as well. * Convert lmdb_kv. * Convert and fix credstash. * Convert manifold. * Drop chef_databag. * Convert dig. * Update examples. * Forgot the most important part. * Fix lmdb_kv docs. * Python 2.6 compatibility. * Convert AnsibleUnicode to str. * Load lookup with lookup loader. * Fix environment handling and error message checking. * Improve docs formatting. 2022-11-01 21:58:46 +01:00			`self.set_options(var_options=variables, direct=kwargs)`

			`version = self.get_option('version')`
			`region = self.get_option('region')`
			`table = self.get_option('table')`
			`profile_name = self.get_option('profile_name')`
			`aws_access_key_id = self.get_option('aws_access_key_id')`
			`aws_secret_access_key = self.get_option('aws_secret_access_key')`
			`aws_session_token = self.get_option('aws_session_token')`

			`context = dict(`
			`(k, v) for k, v in kwargs.items()`
			`if k not in ('version', 'region', 'table', 'profile_name', 'aws_access_key_id', 'aws_secret_access_key', 'aws_session_token')`
			`)`

			`kwargs_pass = {`
			`'profile_name': profile_name,`
			`'aws_access_key_id': aws_access_key_id,`
			`'aws_secret_access_key': aws_secret_access_key,`
			`'aws_session_token': aws_session_token,`
			`}`

Initial commit 2020-03-09 10:11:07 +01:00			`ret = []`
			`for term in terms:`
			`try:`
Lookups: use Ansible's config manager whenever possible (#5440) * Start using Ansible's config manager to handle options. * Docs improvements. * Fix documentation, make options actual lookup options. * The cyberarkpassword lookup does too strange things. * The onepassword lookups are converted in #4728, let's not interfere. * Improve docs. * Skip shelvefile as well. * Convert lmdb_kv. * Convert and fix credstash. * Convert manifold. * Drop chef_databag. * Convert dig. * Update examples. * Forgot the most important part. * Fix lmdb_kv docs. * Python 2.6 compatibility. * Convert AnsibleUnicode to str. * Load lookup with lookup loader. * Fix environment handling and error message checking. * Improve docs formatting. 2022-11-01 21:58:46 +01:00			`ret.append(credstash.getSecret(term, version, region, table, context=context, **kwargs_pass))`
Initial commit 2020-03-09 10:11:07 +01:00			`except credstash.ItemNotFound:`
			`raise AnsibleError('Key {0} not found'.format(term))`
			`except Exception as e:`
			`raise AnsibleError('Encountered exception while fetching {0}: {1}'.format(term, e))`

			`return ret`