W3cubDocs

/Ansible

community.general.onepassword_ssh_key lookup – Fetch SSH keys stored in 1Password

Note

This lookup plugin is part of the community.general collection (version 10.7.3).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general. You need further requirements to be able to use this lookup plugin, see Requirements for details.

To use it in a playbook, specify: community.general.onepassword_ssh_key.

New in community.general 10.3.0

Synopsis
Requirements
Terms
Keyword parameters
Notes
Examples
Return Value

Synopsis

community.general.onepassword_ssh_key wraps op command line utility to fetch SSH keys from 1Password.

Requirements

The below requirements are needed on the local controller node that executes this lookup.

op 1Password command line utility version 2 or later.
See https://support.1password.com/command-line/

Terms

Parameter	Comments
Terms list / elements=string / required	Identifier(s) (case-insensitive UUID or name) of item(s) to retrieve.

Keyword parameters

This describes keyword parameters of the lookup. These are the values key1=value1, key2=value2 and so on in the following examples: lookup('community.general.onepassword_ssh_key', key1=value1, key2=value2, ...) and query('community.general.onepassword_ssh_key', key1=value1, key2=value2, ...)

Parameter	Comments
account_id string	The account ID to target.
connect_host string added in community.general 8.1.0	The host for 1Password Connect. Must be used in combination with `connect_token`. Configuration: Environment variable: `OP_CONNECT_HOST`
connect_token string added in community.general 8.1.0	The token for 1Password Connect. Must be used in combination with `connect_host`. Configuration: Environment variable: `OP_CONNECT_TOKEN`
domain string	Domain of 1Password. Default: `"1password.com"`
master_password aliases: vault_password string	The password used to unlock the specified vault.
secret_key string	The secret key used when performing an initial sign in.
section string	Item section containing the field to retrieve (case-insensitive). If absent will return first match from any section.
service_account_token string	The access key for a service account. Only works with 1Password CLI version 2 or later. Configuration: Environment variable: `OP_SERVICE_ACCOUNT_TOKEN` added in community.general 8.2.0
ssh_format boolean	Output key in SSH format if `true`. Otherwise, outputs in the default format (PKCS#8). Choices: `false` ← (default) `true`
subdomain string	The 1Password subdomain to authenticate against.
username string	The username used to sign in.
vault string	Vault containing the item to retrieve (case-insensitive). If absent will search all vaults.

Notes

Note

When keyword and positional parameters are used together, positional parameters must be listed before keyword parameters: lookup('community.general.onepassword_ssh_key', term1, term2, key1=value1, key2=value2) and query('community.general.onepassword_ssh_key', term1, term2, key1=value1, key2=value2)
By default, it returns the private key value in PKCS#8 format, unless ssh_format=true is passed.
The pluging works only for SSHKEY type items.
This plugin requires op version 2 or later.
This lookup will use an existing 1Password session if one exists. If not, and you have already performed an initial sign in (meaning ~/.op/config, ~/.config/op/config or ~/.config/.op/config exists), then only the master_password is required. You may optionally specify subdomain in this scenario, otherwise the last used subdomain will be used by op.
This lookup can perform an initial login by providing subdomain, username, secret_key, and master_password.
Can target a specific account by providing the account_id.
Due to the very sensitive nature of these credentials, it is highly recommended that you only pass in the minimal credentials needed at any given time. Also, store these credentials in an Ansible Vault using a key that is equal to or greater in strength to the 1Password master password.
This lookup stores potentially sensitive data from 1Password as Ansible facts. Facts are subject to caching if enabled, which means this data could be stored in clear text on disk or in a database.
Tested with op version 2.7.2.

Examples

---
- name: Retrieve the private SSH key from 1Password
  ansible.builtin.debug:
    msg: "{{ lookup('community.general.onepassword_ssh_key', 'SSH Key', ssh_format=true) }}"

Return Value

Key	Description
Return value list / elements=string	Private key of SSH keypair. Returned: success

Authors

Mohammed Babelly (@mohammedbabelly20)

Collection links

© 2012–2018 Michael DeHaan
© 2018–2025 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/community/general/onepassword_ssh_key_lookup.html