community.general.onepassword_ssh_key lookup – Fetch SSH keys stored in 1Password
Note
This lookup plugin is part of the community.general collection (version 10.3.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.general.
You need further requirements to be able to use this lookup plugin,
see Requirements for details.
To use it in a playbook, specify: community.general.onepassword_ssh_key.
New in community.general 10.3.0
Synopsis
community.general.onepassword_ssh_key wraps
opcommand line utility to fetch SSH keys from 1Password.
Requirements
The below requirements are needed on the local controller node that executes this lookup.
op1Password command line utility version 2 or later.
Terms
Keyword parameters
This describes keyword parameters of the lookup. These are the values key1=value1, key2=value2 and so on in the following
examples: lookup('community.general.onepassword_ssh_key', key1=value1, key2=value2, ...) and query('community.general.onepassword_ssh_key', key1=value1, key2=value2, ...)
Parameter |
Comments |
|---|---|
The account ID to target. |
|
The host for 1Password Connect. Must be used in combination with Configuration:
|
|
The token for 1Password Connect. Must be used in combination with Configuration:
|
|
Domain of 1Password. Default: |
|
The password used to unlock the specified vault. |
|
The secret key used when performing an initial sign in. |
|
Item section containing the field to retrieve (case-insensitive). If absent will return first match from any section. |
|
The access key for a service account. Only works with 1Password CLI version 2 or later. Configuration:
|
|
Output key in SSH format if Choices:
|
|
The 1Password subdomain to authenticate against. |
|
The username used to sign in. |
|
Vault containing the item to retrieve (case-insensitive). If absent will search all vaults. |
Notes
Note
When keyword and positional parameters are used together, positional parameters must be listed before keyword parameters:
lookup('community.general.onepassword_ssh_key', term1, term2, key1=value1, key2=value2)andquery('community.general.onepassword_ssh_key', term1, term2, key1=value1, key2=value2)By default, it returns the private key value in PKCS#8 format, unless
ssh_format=trueis passed.The pluging works only for
SSHKEYtype items.This plugin requires
opversion 2 or later.This lookup will use an existing 1Password session if one exists. If not, and you have already performed an initial sign in (meaning
~/.op/config,~/.config/op/configor~/.config/.op/configexists), then only themaster_passwordis required. You may optionally specifysubdomainin this scenario, otherwise the last used subdomain will be used byop.This lookup can perform an initial login by providing
subdomain,username,secret_key, andmaster_password.Can target a specific account by providing the
account_id.Due to the very sensitive nature of these credentials, it is highly recommended that you only pass in the minimal credentials needed at any given time. Also, store these credentials in an Ansible Vault using a key that is equal to or greater in strength to the 1Password master password.
This lookup stores potentially sensitive data from 1Password as Ansible facts. Facts are subject to caching if enabled, which means this data could be stored in clear text on disk or in a database.
Tested with
opversion 2.7.2.
Examples
- name: Retrieve the private SSH key from 1Password
ansible.builtin.debug:
msg: "{{ lookup('community.general.onepassword_ssh_key', 'SSH Key', ssh_format=true) }}"