CLI command fails when run with Ansible playbook
Hello,
I'm struggling to get an Ansible playbook working that updates a password in my 1Password vault. Here is the simplified playbook:
- name: Configuration of the Bootstrap server
  hosts: host1
  vars:
    onepass_item: FreeIPA (Admin)
    onepass_file: /tmp/Item.json
  tasks:
    - name: Verify that 1Password CLI is available on Controller node.
      ansible.builtin.stat:
        path: "/usr/bin/op"
      delegate_to: localhost
      register: onepass_cli

    - name: Verify that 1Password CLI is available on Controller node.
      ansible.builtin.assert:
        that:
          - onepass_cli.stat.exists
        fail_msg: "1Password CLI could not be found"
      delegate_to: localhost

    - name: Verify that 1Password CLI is connected to a 1Password Vault on the Controller node.
      ansible.builtin.shell:
        cmd: "/usr/bin/op item get \"{{ onepass_item }}\" --fields username"
      delegate_to: localhost
      register: onepass_cli_output
      failed_when: onepass_cli_output.rc != 0
      changed_when: onepass_cli_output.rc != 0

    - name: Generate a new random password for the FreeIPA Admin User
      ansible.builtin.set_fact:
        refresh_ipa_admin_password: "{{ lookup('ansible.builtin.password', '/dev/null length=20 chars=ascii_letters,digits') }}"
      no_log: true

    - name: Download the item in the 1Password Vault to a JSON file.
      ansible.builtin.shell:
        cmd: "/usr/bin/op item get \"{{ onepass_item }}\" --format json > {{ onepass_file }}"
      delegate_to: localhost
      register: onepass_cli_output
      failed_when: onepass_cli_output.rc != 0
      changed_when: onepass_cli_output.rc != 0

    - name: Modify JSON file
      ansible.builtin.shell:
        cmd: jq '.fields |= map(if .id == "password" then .value = "{{ refresh_ipa_admin_password }}" else . end)' {{ onepass_file }} > /tmp/Item_modified.json && mv /tmp/Item_modified.json {{ onepass_file }}
      delegate_to: localhost
      register: result
      changed_when: result.rc != 0

    - name: Update the 1Password Vault entry for login via UI
      ansible.builtin.shell:
        cmd: "/usr/bin/op item edit \"{{ onepass_item }}\" --template={{ onepass_file }}"
      delegate_to: localhost
The final step, "Update the 1Password Vault entry for login via UI", fails with the error
"stderr": "[ERROR] 2024/01/13 16:19:20 cannot edit an item from template and stdin at the same time",
However, when I run the command /usr/bin/op item edit "FreeIPA (Admin)" --template=/tmp/Item.json from an interactive shell, the command runs correctly.
I'm using 1Password CLI 2.24.0.
I'm not able to figure out why this is not working when run with Ansible. Any help would be very welcome!
Comments
I pinged this thread to the 1Password Support account on X/Twitter who suggested I raise a Support ticket.
I got a suggestion on how to fix this, which required some fiddling with the syntax, but in the end the following Ansible step works as expected:
- name: Update the 1Password Vault entry using the JSON file for login via UI
  ansible.builtin.shell:
  args:
    cmd: "cat {{ onepass_file }} | /usr/bin/op item edit \"{{ onepass_item }}\""
    executable: /bin/bash
  delegate_to: localhost
Yes you can gnash your teeth about the UUOC here but hey it works and this is code for my homelab, and working code is all I need :-)
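An added example, not part of the original thread or of 1Password's documentation: a variant of the working task that streams the item JSON from `op item get` through `jq` into `op item edit` on stdin, so the new password is neither written to a file under /tmp nor placed on a command line. It assumes the variables from the playbook above and that `jq` is installed on the controller; the environment variable name `NEW_IPA_PW` is hypothetical.

```yaml
- name: Update the 1Password item without a temporary file (added example)
  ansible.builtin.shell:
    cmd: |
      # Fail the task if any stage of the pipeline fails, not only the last one.
      set -o pipefail
      /usr/bin/op item get "{{ onepass_item }}" --format json \
        | jq '.fields |= map(if .id == "password" then .value = env.NEW_IPA_PW else . end)' \
        | /usr/bin/op item edit "{{ onepass_item }}"
    executable: /bin/bash
  # Assumption: NEW_IPA_PW is a name chosen for this example. jq reads it via
  # env.NEW_IPA_PW, so the secret is not interpolated into the command string.
  environment:
    NEW_IPA_PW: "{{ refresh_ipa_admin_password }}"
  delegate_to: localhost
  # Keep the command, environment and item JSON out of Ansible's output and logs.
  no_log: true
```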