community.general.onepassword_raw – fetch an entire item from 1Password

Note

This plugin is part of the community.general collection (version 1.3.6).

To install it use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.onepassword_raw.

Synopsis

• onepassword_raw wraps op command line utility to fetch an entire item from 1Password

Requirements

The below requirements are needed on the local controller node that executes this lookup.

• op 1Password command line utility. See https://support.1password.com/command-line/

Parameters

Parameter	Choices/Defaults	Configuration	Comments
_terms string / required			identifier(s) (UUID, name, or domain; case-insensitive) of item(s) to retrieve.
master_password string			The password used to unlock the specified vault. aliases: vault_password
secret_key string			The secret key used when performing an initial sign in.
section string			Item section containing the field to retrieve (case-insensitive). If absent will return first match from any section.
subdomain string			The 1Password subdomain to authenticate against.
username string			The username used to sign in.
vault string			Vault containing the item to retrieve (case-insensitive). If absent will search all vaults.

Notes

Note

• This lookup will use an existing 1Password session if one exists. If not, and you have already performed an initial sign in (meaning ~/.op/config exists), then only the master_password is required. You may optionally specify subdomain in this scenario, otherwise the last used subdomain will be used by op.

• This lookup can perform an initial login by providing subdomain, username, secret_key, and master_password.

• Due to the very sensitive nature of these credentials, it is highly recommended that you only pass in the minimal credentials needed at any given time. Also, store these credentials in an Ansible Vault using a key that is equal to or greater in strength to the 1Password master password.

• This lookup stores potentially sensitive data from 1Password as Ansible facts. Facts are subject to caching if enabled, which means this data could be stored in clear text on disk or in a database.

• Tested with op version 0.5.3

Examples

- name: Retrieve all data about Wintermute
  ansible.builtin.debug:
    var: lookup('community.general.onepassword_raw', 'Wintermute')

- name: Retrieve all data about Wintermute when not signed in to 1Password
  ansible.builtin.debug:
    var: lookup('community.general.onepassword_raw', 'Wintermute', subdomain='Turing', vault_password='DmbslfLvasjdl')

Return Values

Common return values are documented here, the following are the fields unique to this lookup:

Key	Returned	Description
_raw list / elements=dictionary	success	field data requested

Authors

• Scott Buchanan (@scottsb)

• Andrew Zenk (@azenk)

• Sam Doran (@samdoran)