community.general.onepassword – fetch field values from 1Password
Note
This plugin is part of the community.general collection (version 2.0.1).
To install it use: ansible-galaxy collection install community.general.
To use it in a playbook, specify: community.general.onepassword.
Synopsis
-
onepasswordwraps theopcommand line utility to fetch specific field values from 1Password.
Requirements
The below requirements are needed on the local controller node that executes this lookup.
-
op1Password command line utility. See https://support.1password.com/command-line/
Parameters
| Parameter | Choices/Defaults | Configuration | Comments |
|---|---|---|---|
| _terms string / required | identifier(s) (UUID, name, or subdomain; case-insensitive) of item(s) to retrieve. | ||
| field string | Default: "password" | field to return from each matching item (case-insensitive). | |
| master_password string | The password used to unlock the specified vault. aliases: vault_password | ||
| secret_key string | The secret key used when performing an initial sign in. | ||
| section string | Item section containing the field to retrieve (case-insensitive). If absent will return first match from any section. | ||
| subdomain string | The 1Password subdomain to authenticate against. | ||
| username string | The username used to sign in. | ||
| vault string | Vault containing the item to retrieve (case-insensitive). If absent will search all vaults. |
Notes
Note
- This lookup will use an existing 1Password session if one exists. If not, and you have already performed an initial sign in (meaning
~/.op/config exists), then only themaster_passwordis required. You may optionally specifysubdomainin this scenario, otherwise the last used subdomain will be used byop. - This lookup can perform an initial login by providing
subdomain,username,secret_key, andmaster_password. - Due to the very sensitive nature of these credentials, it is highly recommended that you only pass in the minimal credentials needed at any given time. Also, store these credentials in an Ansible Vault using a key that is equal to or greater in strength to the 1Password master password.
- This lookup stores potentially sensitive data from 1Password as Ansible facts. Facts are subject to caching if enabled, which means this data could be stored in clear text on disk or in a database.
- Tested with
opversion 0.5.3
Examples
# These examples only work when already signed in to 1Password
- name: Retrieve password for KITT when already signed in to 1Password
ansible.builtin.debug:
var: lookup('community.general.onepassword', 'KITT')
- name: Retrieve password for Wintermute when already signed in to 1Password
ansible.builtin.debug:
var: lookup('community.general.onepassword', 'Tessier-Ashpool', section='Wintermute')
- name: Retrieve username for HAL when already signed in to 1Password
ansible.builtin.debug:
var: lookup('community.general.onepassword', 'HAL 9000', field='username', vault='Discovery')
- name: Retrieve password for HAL when not signed in to 1Password
ansible.builtin.debug:
var: lookup('community.general.onepassword'
'HAL 9000'
subdomain='Discovery'
master_password=vault_master_password)
- name: Retrieve password for HAL when never signed in to 1Password
ansible.builtin.debug:
var: lookup('community.general.onepassword'
'HAL 9000'
subdomain='Discovery'
master_password=vault_master_password
username='[email protected]'
secret_key=vault_secret_key)
Return Values
Common return values are documented here, the following are the fields unique to this lookup:
| Key | Returned | Description |
|---|---|---|
| _raw list / elements=string | success | field data requested |
Authors
- Scott Buchanan (@scottsb)
- Andrew Zenk (@azenk)
- Sam Doran (@samdoran)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.11/collections/community/general/onepassword_lookup.html