Lookup plugin

[mnaser]

Summary

Collection does not have a lookup module, making it very hard to use it inside things like group_vars.

Use cases

It's much more useful to be able to put things inside group vars using a lookup module than having a whole module call to make these, also, it allows you to retrieve the secret from the running host.

Proposed solution

An Ansible lookup module :)

Is there a workaround to accomplish this today?

Not really, working with a large number of secrets makes this very hard.

References & Prior Work

[azrdev]

There's community.general.onepassword_lookup

[mnaser]

this doesnt work with the 1password connect I believe.

[azrdev]

according to https://developer.1password.com/docs/connect/connect-cli the oc CLI can also talk to 1pw connect, and since the onepassword_lookup plugin is only a wrapper around oc it should work then too.
Or am I mistaken?

[thewilli]

according to https://developer.1password.com/docs/connect/connect-cli the oc CLI can also talk to 1pw connect, and since the onepassword_lookup plugin is only a wrapper around oc it should work then too. Or am I mistaken?

Nevertheless, a native way without the need for any external dependency is very handy, especially when it comes to AWX or CI/CD-driven playbook execution

[sscheib]

While community.general.onepassword works fine with the op binary, I think an official solution that would not require the op binary but simply work by using the REST API of the connect server is more desirable. Especially since the collection is also published as a certified collection at Red Hat; I am sure customers will appreciate it 🙂.

I gave it a try to implement a lookup plugin for this collection today, but unfortunately, the code is very tailored around module usage. I think the majority of the current API class implementation would need to be refactored with lookup plugin usage in mind as lookup plugins work differently.

To the maintainers: Is this something you'd like to entertain? I am talking about a refactoring that adds the possibility to also work for a lookup plugin. If so, I might give it a shot. I am asking just because I don't want to make the effort and then ultimately the PR gets never touched or declined.

[mvgijssel]

Bonus points if this can use 1Password secret references!

[mvgijssel]

Very simple implementation vgijssel/setup@279608f

[mvgijssel]

I’ve developed an Ansible vars plugin in this commit that integrates seamlessly with 1Password. This plugin allows the use of 1Password secret references directly within a dedicated Ansible variables file for a specific host or group. For instance:

my_secret_variable: op://my-vault/some-secret/password

The variables file, such as ansible/group_vars/web.op.yaml, is loaded during the inventory build phase and remains cached for the entire playbook execution. This approach significantly enhances performance compared to using lookups.

If the 1Password team is interested, I’d be happy to submit a pull request to share this functionality!