onepassword_raw – fetch an entire item from 1Password
New in version 2.6.
Synopsis
-
onepassword_raw
wrapsop
command line utility to fetch an entire item from 1Password
Requirements
The below requirements are needed on the local master node that executes this lookup.
-
op
1Password command line utility. See https://support.1password.com/command-line/
Parameters
Parameter | Choices/Defaults | Configuration | Comments |
---|---|---|---|
_terms - / required | identifier(s) (UUID, name, or domain; case-insensitive) of item(s) to retrieve. | ||
master_password - added in 2.7 | Default: "None" | The password used to unlock the specified vault. aliases: vault_password | |
secret_key - added in 2.7 | The secret key used when performing an initial sign in. | ||
section - | Default: "None" | Item section containing the field to retrieve (case-insensitive). If absent will return first match from any section. | |
subdomain - added in 2.7 | Default: "None" | The 1Password subdomain to authenticate against. | |
username - added in 2.7 | The username used to sign in. | ||
vault - | Default: "None" | Vault containing the item to retrieve (case-insensitive). If absent will search all vaults. |
Notes
Note
- This lookup will use an existing 1Password session if one exists. If not, and you have already performed an initial sign in (meaning
~/.op/config exists
), then only themaster_password
is required. You may optionally specifysubdomain
in this scenario, otherwise the last used subdomain will be used byop
. - This lookup can perform an initial login by providing
subdomain
,username
,secret_key
, andmaster_password
. - Due to the very sensitive nature of these credentials, it is highly recommended that you only pass in the minimal credentials needed at any given time. Also, store these credentials in an Ansible Vault using a key that is equal to or greater in strength to the 1Password master password.
- This lookup stores potentially sensitive data from 1Password as Ansible facts. Facts are subject to caching if enabled, which means this data could be stored in clear text on disk or in a database.
- Tested with
op
version 0.5.3
Examples
- name: Retrieve all data about Wintermute debug: var: lookup('onepassword_raw', 'Wintermute') - name: Retrieve all data about Wintermute when not signed in to 1Password debug: var: lookup('onepassword_raw', 'Wintermute', subdomain='Turing', vault_password='DmbslfLvasjdl')
Return Values
Common return values are documented here, the following are the fields unique to this lookup:
Key | Returned | Description |
---|---|---|
_raw - | field data requested |
Status
- This lookup is not guaranteed to have a backwards compatible interface. [preview]
- This lookup is maintained by the Ansible Community. [community]
Authors
- Scott Buchanan (@scottsb)
- Andrew Zenk (@azenk)
- Sam Doran (@samdoran)
Hint
If you notice any issues in this documentation, you can edit this document to improve it.
Hint
Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/plugins/lookup/onepassword_raw.html