The op_data module provides a Bolt inventory plugin for fetching data from 1password vaults. This plugin wraps the 1password CLI tool, op, and is designed to support interactive execution of bolt commands from an administrator's workstation.

The op_data plugin requires the 1password CLI tool, op, to be installed and available on the $PATH. Mac users can install op via the Homebrew package manager:

brew cask install 1password-cli

Windows users can install op via the Chocolately package manager:

choco install 1password-cli

Direct downloads and instructions for other operating systems can be found at:

https://support.1password.com/command-line-getting-started/#set-up-the-command-line-tool

Once the CLI is installed, use the op signin command to connect 1password accounts. The my.1password.com domain is used by personal accounts while enterprise accounts typically use a custom domain: <org-name>.1password.com. The op_data plugin supports using data from multiple account domains at once. More information on connecting accounts to the op tool can be found here:

https://support.1password.com/command-line/#appendix-session-management

Once the op CLI tool is installed and connected to 1password account(s), the op_data plugin can be used with a Bolt project by adding an entry to the Puppetfile:

mod 'sharpie-op_data', '0.2.0'

Next, the inventory.yaml file can be configured to retrieve values using _plugin: op_data. For example, to make passwords or login credentials available as variables:

vars:
  do_token:
    _plugin: op_data
    account: my.1password.com
    vault: 'op_data Test Vault'
    id: 'DigitalOcean API Token'
    select: details.password

  vsphere_login:
    _plugin: op_data
    account: example-corp.1password.com
    vault: 'Personal'
    id: 'vSphere Credential'
    select: |
      {user: details.fields[?designation == 'username'].value|[0],
       pass: details.fields[?designation == 'password'].value|[0]}

The account parameter is required and specifies which 1password account domain to look data up in. The id parameter is also required and gives the name or UUID of the data item to look up. The vault parameter is optional, accepts a vault name or UUID, and is used to restrict a lookup to a specific vault in a domain. The inventory.yaml file may be configured to look up data from multiple account domains.

The select parameter can be used to extract or re-shape data using JMESPath expressions:

https://jmespath.org/tutorial.html

The jp CLI tool is useful for developing select expressions that work against specific 1password records:

eval $(op signin '<account>')

op get item '<id>' [--vault '<vault>'] | jp '<select>'

The op_data plugin looks for 1password account credentials set in OP_SESSION_<account> environment variables created by op signin and will raise an error if credentials are missing. A typical user session is shown below:

# Sign into 1password accounts (Linux or macOS)
eval $(op signin my.1password.com)
eval $(op signin example-corp.1password.com)

# Sign into 1password accounts (Windows)
Invoke-Expression $(op signin my.1password.com)
Invoke-Expression $(op signin example-corp.1password.com)

# Run bolt commands that use 1password data via inventory.yaml
bolt plan run ...

# Sign out of 1password, or close the terminal session
op signout my.1password.com
op signout example-corp.1password.com

• Session credentials generated by op signin expire after 30 minutes. This expiration is not configurable as of the time of writing. Keep this time limit in mind when using long-running plans.