ansible lookup plugin for secrets stored in Password StoredSafe (by StoredSafe)
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

ansible-storedsafe lookup module

This is a lookup module for information stored in StoredSafe. Supports Ansible 2.4 or better.


This plugin requires Ansible v2.4 and the Python requests library.

It has been developed and tested using Python v2.7.12, on Ubuntu 16.04.3 LTS.

Most of the required libraries are installed by default, but requests require manual installation.


sudo -H pip install requests

Lookup plugins can be loaded from several different locations similar to $PATH, see lookup_plugins.

The source for the plugin can be pointed to via a requirements.yml file, and accessed via ansible-galaxy.


Both the StoredSafe server address and the StoredSafe token can be read from the file $HOME/.storedsafe.rc, which can be created and maintained by storedsafe-tokenhandler.

Or it can be done with environment variables or Ansible variables. If any parameter is set by both an environment variable and an alternative means, the environment variable takes precedence.

To specify the address to the StoredSafe server:


To specify a StoredSafe auth token:

export STOREDSAFE_TOKEN=<StoredSafe-Token>

The StoredSafe token intentionally can not be set via an Ansible variable, as this is generally checked into revision control and would be a bad security practice, defeating the purpose of using StoredSafe.

The plugin also supports specifying the list of trusted CAs either thru by using the STOREDSAFE_CABUNDLE variables which can either point to a single file or a directory.

export STOREDSAFE_CABUNDLE=/etc/pki/tls/ca.crt
export STOREDSAFE_CABUNDLE=/etc/pki/tls

To disable verification (NOT RECOMMENDED) the STOREDSAFE_SKIP_VERIFY variable can be set.


The StoredSafe server address, CA bundle path and validation can also be set via the Ansible variables storedsafe_server, storedsafe_cabundle, and storedsafe_skip_verify, respectively.


ansible-storedsafe works as any other lookup plugin.

- debug: msg="{{ lookup('storedsafe', '919/password') }}"

Where 919is the object-id of the requested item. The object-id is visible in the StoredSafe web-ui.

# templates/example.j2

# Generic secrets
{{ lookup('storedsafe', '919/password') }} # foobar
# Specify field inside lookup
{{ lookup('storedsafe', '919/cryptedinfo') }} # foobar

If the desired value is stored within StoredSafe, within a task, the lookup can also be performed with:

- 919/objectname
- 919/username
- 919/password

And then referenced with "{{ item }}"

This only work within tasks, though. You can not use the with_storedsafe: syntax within a variable definition file.


To Johan Haals for writing the ansible-vault lookup module, which has been an inspiration and boilerplate for this plugin.

Limitations / Known issues

Referencing objects via it's objectname is not yet implemented.