The op_data
module provides a Bolt inventory plugin for fetching
data from 1password vaults. This plugin wraps the 1password CLI tool, op
,
and is designed to support interactive execution of bolt
commands from
an administrator's workstation.
The op_data
plugin requires the 1password CLI tool, op
, to be installed
and available on the $PATH
. Mac users can install op
via the
Homebrew package manager:
brew cask install 1password-cli
Windows users can install op
via the Chocolately package manager:
choco install 1password-cli
Direct downloads and instructions for other operating systems can be found at:
https://support.1password.com/command-line-getting-started/#set-up-the-command-line-tool
Once the CLI is installed, use the op signin
command to connect 1password
accounts. The my.1password.com
domain is used by personal accounts while
enterprise accounts typically use a custom domain: <org-name>.1password.com
.
The op_data
plugin supports using data from multiple account domains at once.
More information on connecting accounts to the op
tool can be found here:
https://support.1password.com/command-line/#appendix-session-management
Once the op
CLI tool is installed and connected to 1password account(s),
the op_data
plugin can be used with a Bolt project by adding an entry
to the Puppetfile
:
mod 'sharpie-op_data', '0.2.0'
Next, the inventory.yaml
file can be configured to retrieve values
using _plugin: op_data
. For example, to make passwords or login
credentials available as variables:
vars:
do_token:
_plugin: op_data
account: my.1password.com
vault: 'op_data Test Vault'
id: 'DigitalOcean API Token'
select: details.password
vsphere_login:
_plugin: op_data
account: example-corp.1password.com
vault: 'Personal'
id: 'vSphere Credential'
select: |
{user: details.fields[?designation == 'username'].value|[0],
pass: details.fields[?designation == 'password'].value|[0]}
The account
parameter is required and specifies which 1password account
domain to look data up in. The id
parameter is also required and gives
the name or UUID of the data item to look up. The vault
parameter is
optional, accepts a vault name or UUID, and is used to restrict a lookup to a
specific vault in a domain. The inventory.yaml
file may be configured to
look up data from multiple account domains.
The select
parameter can be used to extract or re-shape data using
JMESPath expressions:
https://jmespath.org/tutorial.html
The jp
CLI tool is useful for developing select
expressions that
work against specific 1password records:
eval $(op signin '<account>')
op get item '<id>' [--vault '<vault>'] | jp '<select>'
The op_data
plugin looks for 1password account credentials set in
OP_SESSION_<account>
environment variables created by op signin
and will raise an error if credentials are missing. A typical user
session is shown below:
# Sign into 1password accounts (Linux or macOS)
eval $(op signin my.1password.com)
eval $(op signin example-corp.1password.com)
# Sign into 1password accounts (Windows)
Invoke-Expression $(op signin my.1password.com)
Invoke-Expression $(op signin example-corp.1password.com)
# Run bolt commands that use 1password data via inventory.yaml
bolt plan run ...
# Sign out of 1password, or close the terminal session
op signout my.1password.com
op signout example-corp.1password.com
- Session credentials generated by
op signin
expire after 30 minutes. This expiration is not configurable as of the time of writing. Keep this time limit in mind when using long-running plans.