Note
This plugin is part of the community.general collection (version 3.8.1).
You might already have this collection installed if you are using the ansible
package. It is not included in ansible-core
. To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install community.general
.
To use it in a playbook, specify: community.general.onepassword
.
onepassword
wraps the op
command line utility to fetch specific field values from 1Password.The below requirements are needed on the local controller node that executes this lookup.
op
1Password command line utility. See https://support.1password.com/command-line/
Parameter | Choices/Defaults | Configuration | Comments |
---|---|---|---|
_terms string / required | identifier(s) (UUID, name, or subdomain; case-insensitive) of item(s) to retrieve. | ||
domain string added in 3.2.0 of community.general | Default: "1password.com" | Domain of 1Password. Default is 1password.com. | |
field string | Default: "password" | field to return from each matching item (case-insensitive). | |
master_password string | The password used to unlock the specified vault. aliases: vault_password | ||
secret_key string | The secret key used when performing an initial sign in. | ||
section string | Item section containing the field to retrieve (case-insensitive). If absent will return first match from any section. | ||
subdomain string | The 1Password subdomain to authenticate against. | ||
username string | The username used to sign in. | ||
vault string | Vault containing the item to retrieve (case-insensitive). If absent will search all vaults. |
Note
~/.op/config exists
), then only the master_password
is required. You may optionally specify subdomain
in this scenario, otherwise the last used subdomain will be used by op
.subdomain
, username
, secret_key
, and master_password
.op
version 0.5.3# These examples only work when already signed in to 1Password - name: Retrieve password for KITT when already signed in to 1Password ansible.builtin.debug: var: lookup('community.general.onepassword', 'KITT') - name: Retrieve password for Wintermute when already signed in to 1Password ansible.builtin.debug: var: lookup('community.general.onepassword', 'Tessier-Ashpool', section='Wintermute') - name: Retrieve username for HAL when already signed in to 1Password ansible.builtin.debug: var: lookup('community.general.onepassword', 'HAL 9000', field='username', vault='Discovery') - name: Retrieve password for HAL when not signed in to 1Password ansible.builtin.debug: var: lookup('community.general.onepassword' 'HAL 9000' subdomain='Discovery' master_password=vault_master_password) - name: Retrieve password for HAL when never signed in to 1Password ansible.builtin.debug: var: lookup('community.general.onepassword' 'HAL 9000' subdomain='Discovery' master_password=vault_master_password username='[email protected]' secret_key=vault_secret_key)
Common return values are documented here, the following are the fields unique to this lookup:
Key | Returned | Description |
---|---|---|
_raw list / elements=string | success | field data requested |
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/community/general/onepassword_lookup.html