ansible-collections / community.general

Ansible Community General Collection
https://galaxy.ansible.com/ui/repo/published/community/general/
GNU General Public License v3.0

[1Password] Support 1Password Connect #5588

Closed automation-sowi closed 10 months ago

automation-sowi commented 1 year ago

Summary

While working with AWX EE, I need to connect to my 1Password vault. The right way to do so is by using a 1Password Connect server to perform the automation. Alas, when doing so, the onepassword/onepassword_raw lookups are trying to perform the command op account list while it is not necessary at all. Even worse, it is not supported when using 1Password Connect, causing a fatal failure.

See the following image: [screenshot]

Issue Type

Feature Idea

Component Name

onepassword

Additional Information

Run the following playbook with this command:

export OP_CONNECT_HOST=op-connect.example.com
export OP_CONNECT_TOKEN=my-very-secret-token
ansible-playbook op.yml

# op.yml
- hosts: localhost
  gather_facts: false
  tasks:
    - debug: msg={{ lookup('onepassword', 'My vault entry', field='username') }}


ansibullbot commented 1 year ago

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.


ansibullbot commented 1 year ago

cc @Rylon

felixfontein commented 1 year ago

!component =plugins/lookup/onepassword.py
!component +plugins/lookup/onepassword_raw.py

ansibullbot commented 1 year ago

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.


ansibullbot commented 1 year ago

cc @azenk @samdoran @scottsb

samdoran commented 1 year ago

Very interesting. I haven't used 1Password Connect at all but would love to add it to the plugins.

automation-sowi commented 1 year ago

I don't suppose it would be that hard compared to the rest of the work already done, with obviously the due respect to contributors. All in all, it integrates really well with AWX, adding a custom credential type for that case, which can then be easily used with any job template. In fact, I am asking because there is no real way to use an AWX EE with 1Password unless you do something really hacky, because you can't create your session in advance (and retain it). The OP_SESSION you would obtain would not remain across your plays, as it has to be set on the controller to have this environment variable, not on your hosts. Therefore, you would have to pass the credentials in every onepassword lookup. Definitely not something we should do.

So yes, in the end I guess it would be a very nice feature to have and good for automation in general as it is what 1Password Connect is meant for :)

samdoran commented 1 year ago

Is it not possible to pass env vars into an EE? If it's just a container, that shouldn't be difficult.

Regardless, the plugin needs to be updated to support 1Password Connect. What is a simple command to run to detect if 1Password Connect is in use?

automation-sowi commented 1 year ago

As you can see in my screenshot, the two environment variables OP_CONNECT_HOST and OP_CONNECT_TOKEN are recognized. But the session is limited in time. And the config file would be empty once you start the container again. I think the only possible way would be to mount a volume dedicated to logging in and propagating the session. But that's again hacky as hell. Which is exactly why I ended up using OP Connect.

To detect if it is in use, the 1Password CLI simply watches whether the environment variables mentioned above are set. If so, then OP Connect is used. That is exactly why it asks you to unset them if you ever want to perform the op account list command. The op connect commands are there to manage the 1Password side of it, not your session or anything else, as far as I know (and understood it).

gunzy83 commented 1 year ago

I have just run into this also, trying to run Ansible in a Kubernetes pod connecting to the Connect server in the same cluster. I do believe that if op account list was prevented from being run when the environment variables are set, this would work. I will try to patch this when I have time and raise a PR (unless someone gets there first).

PS: I confirmed Connect is working by just running commands with the CLI in the container, and the operator in the cluster is also working fine.
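The detection logic the thread converges on (treat the CLI as being in Connect mode when both OP_CONNECT_HOST and OP_CONNECT_TOKEN are set, and then skip the unsupported `op account list` session check), written out as an added example that is not part of this issue or of the collection's onepassword plugin code. The `plan_commands`, `lookup` and `run_op` names are hypothetical, the runner is injectable so the flow can be exercised offline, and the `op item get --fields label=...` form is the 1Password CLI v2 read syntax assumed here.

```python
import os
import subprocess
from typing import Callable, Mapping, Sequence

# The 1Password CLI switches to Connect mode when both of these are set.
CONNECT_ENV_VARS = ("OP_CONNECT_HOST", "OP_CONNECT_TOKEN")
Runner = Callable[[Sequence[str], Mapping[str, str]], str]


def connect_in_use(env: Mapping[str, str]) -> bool:
    """True when both Connect variables are set and non-empty."""
    return all(env.get(name) for name in CONNECT_ENV_VARS)


def missing_connect_vars(env: Mapping[str, str]) -> list:
    """Connect variables left unset while the other one is set.
    A half-configured Connect environment should fail loudly rather than
    silently fall back to interactive account login inside a container."""
    present = [name for name in CONNECT_ENV_VARS if env.get(name)]
    if not present or len(present) == len(CONNECT_ENV_VARS):
        return []
    return [name for name in CONNECT_ENV_VARS if not env.get(name)]


def plan_commands(item: str, field: str, env: Mapping[str, str]) -> list:
    """op invocations a lookup would run. The session check is only needed
    (and only supported) in account/session mode, never in Connect mode."""
    missing = missing_connect_vars(env)
    if missing:
        # Name only the variables, never echo the token value into logs.
        raise ValueError("incomplete 1Password Connect config, unset: " + ", ".join(missing))
    commands = []
    if not connect_in_use(env):
        commands.append(["op", "account", "list"])
    commands.append(["op", "item", "get", item, "--fields", "label=%s" % field])
    return commands


def run_op(args: Sequence[str], env: Mapping[str, str]) -> str:
    """Default runner: real subprocess call, stdout returned (hypothetical name)."""
    return subprocess.run(list(args), env=dict(env), check=True,
                          capture_output=True, text=True).stdout


def lookup(item: str, field: str, env=None, runner: Runner = run_op) -> str:
    """Run the planned commands in order and return the final command's output."""
    env = dict(os.environ if env is None else env)
    output = ""
    for cmd in plan_commands(item, field, env):
        output = runner(cmd, env)
    return output.strip()
```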