onepassword lookup with service account

[Domi-cc]

Summary

1password has new service accounts. via lookup should be possible to get secrets.

we can offer to contribute, but want to know, do you want a new lookup file for that, or should we try to expand: plugins/lookup/onepassword.py ?

Issue Type

Feature Idea

Component Name

lookup onepassword

Additional Information

Code of Conduct

• I agree to follow the Ansible Code of Conduct

[ansibullbot]

Files identified in the description:

• plugins/lookup/onepassword.py

If these files are incorrect, please update the component name section of the description or use the !component bot command.

click here for bot help

[ansibullbot]

cc @azenk @samdoran @scottsb
click here for bot help

[jansagurna]

I would also like this feature and can help with a contribution.

[samdoran]

Support for service accounts should be added to the existing onepassword and onepassword_raw lookups. The OP_SERVICE_ACCOUNT_TOKEN needs to be added to the environment running op commands and should be a new parameter

[Domi-cc]

Hey @samdoran added the service_account_token. Works everything fine. Please review and feel free to change or improve the PR. Thanks!

[BlexToGo]

I was looking at using service accounts for my Ansible playbook since I need an initial sign in and don't want to use my master password with unrestricted read/write access to all vaults for security reasons, so I tried out @Domi-cc's fork directly instead of waiting for the 7.1.0 release by installing it via:

ansible-galaxy collection install [email protected]:Domi-cc/community.general.git,onepassword-lookup-add-service-accounts

And I can confirm that it works as expected. Had just to pass my generated token with the service_account_token parameter and could retrieve secrets from the corresponding vault.

[samdoran]

This is indeed a much better way to do things than passing around the master password. I'm glad service account tokens are a thing now.