Question about how to use 1password within playbooks
Hey everyone, I'm extremely new to Ansible, so please excuse all of the mistakes I'm about to make in this post. I have a handful of Linux servers at work and I want to use Ansible to update them regularly. We use 1Password, and I have the 1Password CLI installed and working on the server I have Ansible installed on. I can successfully pull passwords with this test playbook:

- hosts: localhost
  tasks:
    - name: show the looked-up password
      debug:
        var: lookup("onepassword", "linuxserver1_localadmin")
I'm running into a wall trying to figure out how to use 1Password within a playbook to specify which password to use when connecting to a server. All of the servers will use the same username, but each has a different password. I know I can put ansible_password=xxxxx in vars, but that's plain text, so obviously I can't do that. So within the host file right now I have:
[linuxserver1]
10.x.x.x
[linuxserver1:vars]
ansible_user=linuxserver1_localadmin
[linuxserver2]
10.x.x.x
[linuxserver2:vars]
ansible_user=linuxserver2_localadmin
My goal is to run a very simple playbook like this (pseudo-yaml):

- hosts: linuxserver1
  vars:
    # connection password pulled from 1Password instead of stored in plain text
    ansible_password: "{{ lookup('onepassword', 'linuxserver1_localadmin') }}"
  tasks:
    - name: run updates
      command: yum update -y

- hosts: linuxserver2
  vars:
    ansible_password: "{{ lookup('onepassword', 'linuxserver2_localadmin') }}"
  tasks:
    - name: run updates
      command: yum update -y
Eventually in the hosts file I will have linuxserver3/4/5 etc. Is there a way to specify the password with 1Password in the hosts file, or is it done in the playbook like I'm imagining in the pseudo-code?
Thanks for any and all help!
Comments
Hi @bsssysadmin:
First I'd like to apologize for the delay in responding here. One solution would be to use individual host targets, rather than a group, and store each server's account details as a separate Login item. This would allow you to specify the specific name of an item you'd like to look up, so the pseudo-yaml would look something like this:

- hosts: server1
  ....
  password: lookup("onepassword", "server1_login")
.....
- hosts: server2
  ...
  password: lookup("onepassword", "server2_login")
... and so on
Let me know if that makes sense!
Jack
Personally I would recommend using SSH keys over passwords and use the 1password SSH agent for the connections. This works really well. Though you did say you were running Ansible on a server so if you are SSHing into that server SSH agent forwarding would also work as mentioned in this thread: https://1password.community/discussion/127482/feature-request-using-1p-ssh-from-inside-a-local-docker-container
If you are insistent on using passwords, use one of the variables documented here and set it using the onepassword filter in either group_vars/all.yml or host_vars/hostname.yml for specific host passwords:

ansible_ssh_password: "{{ lookup('community.general.onepassword', 'server1_login', field='password', vault='Private') }}"
PS: if you are using op CLI v2, make sure you update the community.general Ansible collection to 6.3.0 to get the v2 patch.