Using CLI in Ansible playbooks

rnot

Greetings,

I have been working on a way to have credentials and secrets used by Ansible playbooks to be stored in a central location, so that they can be managed in a much more automated way. 1Password seems to fit the bill nicely, especially since the CLI tool runs on Linux and outputs in JSON. We are considering the enterprise version at this time.

I've got most everything working well with the exception of giving Ansible a way to update passwords in 1Password. Without this, I'm forced to have Ansible do the work of changing passwords on our internal systems, and then notifying somebody to manually update the password in 1Password. This is less than ideal.

As a workaround, I am considering using the CLI to delete an item and then re-create it. I lose history this way and this has more room for error being a multi-step process, but I would consider this if it's possible your team will add this feature in the future.

Before I continue my work on this, I'm posting to find out if you think deleting & creating items is a reasonable method. Or maybe there is another method you can recommend that I'm not seeing.

Thank you.

---

1Password Version: 0.5.5
Extension Version: Not Provided
OS Version: RHEL 7
Sync Type: Not Provided

cohix

@rnot thanks for writing in. We do want to provide the edit item funtionality in the future, but we don't have a timeline for it. We want to entirely re-do the way the CLI works with items, so we will likely build the edit functionality as part of that refactor.

Also, I do believe there is a community integration with Ansible already, I would suggest looking around on GitHub :)

rnot

Thanks @cohix. I understand that 1Password has priorities in other areas and you don't want to commit to anything - but not really the question I asked. Based on the answer though, I'll assume that that the deletion then creation idea I had is not a good one, and no alternative method is available.

Github and the Ansible community are great resources, but the 1password integrations are limited to the CLI functionality however (since it does not appear there is an API).

cohix

@rnot I'm sorry I did not address your question about the delete -> create flow. I would not suggest going down that route, but we have had people do it and be successful. Since we will eventually add edit item, then you could use delete/create for now, and then switch to the new form when we release it, but it's up to you to decide if you want to rely on a two-step process, as you say.

glyph

I would not suggest going down that route

I'm very curious why you wouldn't suggest it. What are the problems? It seems like password history can be preserved via the passwordHistory field, which is even present in the templates. There's a race condition here which is definitely unfortunate, but hopefully soft-delete will help with recovering any information that is required.

cohix

@glyph simply because it is a two-step process. If you're running this in an automated fashion, there's just more things that can go wrong. That said, there have been people successful with this approach, so if you are alright with the increased possibility of something going wrong, then feel free!

You are correct that since items are trashed and not truly deleted, anything lost can be recovered, so long as the trash is not emptied.