feat: enhance 1Password lookup functionality with vault ID support and concealment option

2025-03-11 15:58:27 +01:00 · 2025-03-11 15:58:27 +01:00 · d787b25917
commit d787b25917
parent 47fb912c15
3 changed files with 41 additions and 10 deletions
--- a/config/ansible/README.md
+++ b/config/ansible/README.md
@ -14,8 +14,11 @@ password: "{{ lookup('onepassword', 'item-name') }}"
 # Fetch specific field
 api_key: "{{ lookup('onepassword', 'item-name', field='api_key') }}"
-# Fetch from specific vault
+# Fetch from specific vault (using vault ID)
-database_password: "{{ lookup('onepassword', 'database', field='password', vault='Development') }}"
+database_password: "{{ lookup('onepassword', 'database', field='password', vault='j7nmhqlsjmp2r6umly5t75hzb4') }}"
 # Fetch a field without revealing it (for non-password fields)
 note: "{{ lookup('onepassword', 'item-name', field='notes', reveal=false) }}"
 ```
 ### Prerequisites
@ -24,5 +27,13 @@ database_password: "{{ lookup('onepassword', 'database', field='password', vault
 2. Sign in to 1Password using `op signin`
 3. Service account should be properly configured
 ### Finding Vault IDs
 To find your vault ID:
 ```bash
 op vault list
 ```
 For more information, see the [1Password CLI documentation](https://developer.1password.com/docs/cli).
 ```
--- a/config/ansible/plugins/lookup/onepassword.py
+++ b/config/ansible/plugins/lookup/onepassword.py
@ -17,14 +17,22 @@ DOCUMENTATION = """
            required: false
            default: password
        vault:
-            description: the vault to fetch from
+            description: the vault to fetch from (name or ID)
            required: false
        reveal:
            description: whether to reveal concealed fields
            required: false
            default: true
 """
 EXAMPLES = """
 - name: fetch password for an item
  debug:
-    msg: "{{ lookup('onepassword', 'storage-box', field='password') }}"
+    msg: "{{ lookup('onepassword', 'xxxx', field='password') }}"
 - name: fetch password from specific vault
  debug:
    msg: "{{ lookup('onepassword', 'xxxx', field='password', vault='xxxx') }}"
 """
 RETURN = """
@ -47,12 +55,17 @@ class LookupModule(LookupBase):
        item = terms[0]
        field = kwargs.get('field', 'password')
        vault = kwargs.get('vault', '')
        reveal = kwargs.get('reveal', True)
-        vault_arg = []
+        cmd = ['op', 'item', 'get', item, '--field', field]
        # Add vault parameter if specified
        if vault:
-            vault_arg = ['--vault', vault]
+            cmd.extend(['--vault', vault])
-
+        
-        cmd = ['op', 'item', 'get', item, '--field', field] + vault_arg
+        # Add reveal flag for concealed fields
        if reveal and field.lower() in ['password', 'secret', 'token', 'key']:
            cmd.append('--reveal')
        display.vvv(f"Executing command: {' '.join(cmd)}")
@ -65,4 +78,11 @@ class LookupModule(LookupBase):
            )
            return [result.stdout.strip()]
        except subprocess.CalledProcessError as e:
-            raise AnsibleError(f"Error fetching from 1Password: {e.stderr}")
+            error_msg = e.stderr.strip()
            display.warning(f"Error executing 1Password CLI: {error_msg}")
            display.warning(f"Command used: {' '.join(cmd)}")
            if "not found" in error_msg:
                return [f"Secret '{item}' not found in 1Password"]
            raise AnsibleError(f"Error fetching from 1Password: {error_msg}")
--- a/config/ansible/tasks/servers/cifs.yml
+++ b/config/ansible/tasks/servers/cifs.yml
@ -18,7 +18,7 @@
    dest: /root/.smbcredentials
    content: |
      username=u451316
-      password={{ lookup('onepassword', 'storage-box', field='password') | default('CHANGE_ME') }}
+      password={{ lookup('onepassword', '5j5y5axfjr3f3sn5nixb6htg4y', field='password', vault='j7nmhqlsjmp2r6umly5t75hzb4') | default('CHANGE_ME') }}
    mode: '0600'
 - name: Add fstab entry for storage-box