
using community.general.onepassword lookup with service_account_token fails to find vault #9907

Closed
@cascadia-herda05

Description


Summary

Onepassword lookup with a service account does not find the vault correctly. However, op on the command line does. Also, if I run op signin before running the playbook, I can remove the subdomain and service account fields from the lookup and the playbook succeeds.

    - name: Fetch a CIDR from 1Password
      ansible.builtin.debug:
        msg: "{{ lookup('community.general.onepassword', 'public key', field='cidr', vault='SOME-VAULT', subdomain='XXXXXXXXXXXXXXXXXX', service_account_token=op_sa_token) }}"

returns

TASK [Fetch a CIDR from 1Password] *********************************************************************************************************************************************
task path: /opt/ansible/playbooks/testing-tasks.yml:125
Thursday 20 March 2025  19:53:47 +0000 (0:00:00.026)       0:00:01.335 ********
fatal: [localhost]: FAILED! => {
    "msg": "b'[ERROR] 2025/03/20 19:53:48 \"SOME_VAULT\" isn\\'t a vault in this account. Specify the vault with its ID or name.\\n'"
}

but once I'm logged in the op utility returns fine:

(.ansible) [XXXXXXXXXXX@XXXXXXXXXX ansible]$ op read op://SOME_VAULT/'public key'/cidr
72.107.215.236/32
(.ansible) [XXXXXXXXXX@XXXXXXXXXXXXX ansible]$

also, now I can adjust the task item to return fine:

    - name: Fetch a CIDR from 1Password
      ansible.builtin.debug:
        msg: "{{ lookup('community.general.onepassword', 'public key',  field='cidr', vault='SOME-VAULT') }}"
Thursday 20 March 2025  20:03:42 +0000 (0:00:00.025)       0:00:01.308 ********
ok: [localhost] => {
    "msg": "72.107.215.236/32"
}

PLAY RECAP *********************************************************************************************************************************************************************
localhost                  : ok=5    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

current op environment:

(.ansible) [XXXXXXX@XXXXXXXXXXXXX ansible]$ op account list
(.ansible) [XXXXXXX@XXXXXXXXXXXXX ansible]$ op whoami
URL:               https://XXXXXXXXXXXXXX.1password.com
Integration ID:    XXXXXXXXXXXXXXXXXXXXXXXXX
User Type:         SERVICE_ACCOUNT

Issue Type

Bug Report

Component Name

community.general.onepassword

Ansible Version

$ ansible --version
ansible [core 2.17.0]
  config file = /opt/ansible/ansible.cfg
  configured module search path = ['/opt/ansible/my_modules']
  ansible python module location = /opt/ansible/.ansible/lib/python3.12/site-packages/ansible
  ansible collection location = /opt/ansible/collections/ansible_collections
  executable location = /opt/ansible/.ansible/bin/ansible
  python version = 3.12.3 (main, Apr 15 2024, 17:09:49) [GCC 6.3.0 20170516] (/opt/ansible/.ansible/bin/python)
  jinja version = 3.1.4
  libyaml = True

Community.general Version

$ ansible-galaxy collection list community.general

# /opt/ansible/collections/ansible_collections
Collection        Version
----------------- -------
community.general 10.4.0

Configuration

$ ansible-config dump --only-changed
BECOME_PLUGIN_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/plugins/become']
CALLBACKS_ENABLED(/opt/ansible/ansible.cfg) = ['profile_tasks']
COLLECTIONS_PATHS(/opt/ansible/ansible.cfg) = ['/opt/ansible/collections/ansible_collections']
CONFIG_FILE() = /opt/ansible/ansible.cfg
DEFAULT_ACTION_PLUGIN_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/plugins/action']
DEFAULT_ASK_VAULT_PASS(/opt/ansible/ansible.cfg) = False
DEFAULT_CACHE_PLUGIN_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/plugins/cache']
DEFAULT_CALLBACK_PLUGIN_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/plugins/callback']
DEFAULT_CONNECTION_PLUGIN_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/plugins/connection']
DEFAULT_FILTER_PLUGIN_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/plugins/filter']
DEFAULT_GATHERING(/opt/ansible/ansible.cfg) = smart
DEFAULT_HOST_LIST(/opt/ansible/ansible.cfg) = ['/opt/ansible/inventory/aws_ec2.yml']
DEFAULT_INVENTORY_PLUGIN_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/plugins/inventory']
DEFAULT_LOCAL_TMP(/opt/ansible/ansible.cfg) = /home/ansadmin/.ansible/tmp/ansible-local-26526098qdpcodj
DEFAULT_LOG_PATH(/opt/ansible/ansible.cfg) = /opt/ansible/log/ansible.log
DEFAULT_LOOKUP_PLUGIN_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/plugins/lookup']
DEFAULT_MANAGED_STR(/opt/ansible/ansible.cfg) = #Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
DEFAULT_MODULE_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/my_modules']
DEFAULT_MODULE_UTILS_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/my_module_utils']
DEFAULT_PRIVATE_KEY_FILE(/opt/ansible/ansible.cfg) = /home/ansadmin/.ssh/id_ed25519
DEFAULT_REMOTE_USER(/opt/ansible/ansible.cfg) = ansadmin
DEFAULT_ROLES_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/roles']
DEFAULT_STRATEGY_PLUGIN_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/plugins/strategy']
DEFAULT_TERMINAL_PLUGIN_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/plugins/terminal']
DEFAULT_TEST_PLUGIN_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/plugins/test']
DEFAULT_VARS_PLUGIN_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/plugins/vars']
DEFAULT_VAULT_PASSWORD_FILE(/opt/ansible/ansible.cfg) = /opt/ansible/.vault.pwd
DEPRECATION_WARNINGS(/opt/ansible/ansible.cfg) = False
INTERPRETER_PYTHON(/opt/ansible/ansible.cfg) = auto_silent
INVENTORY_ENABLED(/opt/ansible/ansible.cfg) = ['host_list', 'ini', 'yaml', 'script', 'aws_ec2']
PLUGIN_FILTERS_CFG(/opt/ansible/ansible.cfg) = /opt/ansible/plugin_filters.yml

OS / Environment

Amazon Linux 2023 6.1.94-99.176.amzn2023.aarch64

Steps to Reproduce

---
- name: Testing Playbook
  hosts: "{{ host }}"
  become: true
  remote_user: ansadmin
  become_user: root
  tasks:
    - name: Fetch a CIDR from 1Password
      ansible.builtin.debug:
        msg: "{{ lookup('community.general.onepassword', 'dherrington public key', field='cidr', vault='SOME_VAULT', subdomain=<1password account>, service_account_token=<very long service account token or var with the token>) }}"

Expected Results

I expected to see this result from the playbook:

TASK [Fetch a CIDR from 1Password] *********************************************************************************************************************************************
Thursday 20 March 2025  22:05:23 +0000 (0:00:00.027)       0:00:01.319 ********
ok: [localhost] => {
    "msg": "72.107.215.236/32"
}

PLAY RECAP *********************************************************************************************************************************************************************
localhost                  : ok=5    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Thursday 20 March 2025  22:05:25 +0000 (0:00:01.471)       0:00:02.791 ********
===============================================================================
Fetch a CIDR from 1Password --------------------------------------------------------------------------------------------------------------------------------------------- 1.47s
Gathering Facts --------------------------------------------------------------------------------------------------------------------------------------------------------- 1.20s
Check version of community.general -------------------------------------------------------------------------------------------------------------------------------------- 0.05s
dump op ----------------------------------------------------------------------------------------------------------------------------------------------------------------- 0.03s
dump op ----------------------------------------------------------------------------------------------------------------------------------------------------------------- 0.03s

Actual Results

TASK [Fetch a CIDR from 1Password] *********************************************************************************************************************************************
Thursday 20 March 2025  20:03:08 +0000 (0:00:00.027)       0:00:02.367 ********
fatal: [localhost]: FAILED! => {"msg": "b'[ERROR] 2025/03/20 20:03:08 \"SOME_VAULT\" isn\\'t a vault in this account. Specify the vault with its ID or name.\\n'"}

PLAY RECAP *********************************************************************************************************************************************************************
localhost                  : ok=4    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

Thursday 20 March 2025  20:03:08 +0000 (0:00:00.866)       0:00:03.233 ********
===============================================================================
Gathering Facts --------------------------------------------------------------------------------------------------------------------------------------------------------- 2.25s
Fetch a CIDR from 1Password --------------------------------------------------------------------------------------------------------------------------------------------- 0.87s
Check version of community.general -------------------------------------------------------------------------------------------------------------------------------------- 0.05s
dump op ----------------------------------------------------------------------------------------------------------------------------------------------------------------- 0.03s
dump op ----------------------------------------------------------------------------------------------------------------------------------------------------------------- 0.03s

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
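Before attributing this to the lookup plugin, it is worth checking what the service account itself can see: the error text comes straight from the op CLI, and it is raised both when the token has no access to the vault and when the vault= string does not match a visible vault. The helper below is an added diagnostic, not code from the issue or from community.general; it assumes the op CLI reads the token from the OP_SERVICE_ACCOUNT_TOKEN environment variable (which is how op authenticates service accounts), and it embeds a constructed `op vault list --format=json` sample so the classification logic runs offline.

```python
import json
import os
import subprocess
from typing import List, Optional, Tuple

# Constructed sample of `op vault list --format=json` output; not real vaults or IDs.
SAMPLE_VAULT_LIST = json.dumps([
    {"id": "aaaaaaaaaaaaaaaaaaaaaaaaaa", "name": "SOME_VAULT"},
    {"id": "bbbbbbbbbbbbbbbbbbbbbbbbbb", "name": "Infra Secrets"},
])

def list_vaults(token: Optional[str] = None, raw_json: Optional[str] = None) -> List[dict]:
    """Vaults visible to the service account. With raw_json, parse offline; otherwise run
    `op vault list --format=json` with OP_SERVICE_ACCOUNT_TOKEN set, which is how the op
    CLI authenticates a service account without an `op signin` session (assumption)."""
    if raw_json is None:
        if not token:
            raise ValueError("service account token required when raw_json is not given")
        env = dict(os.environ, OP_SERVICE_ACCOUNT_TOKEN=token)
        proc = subprocess.run(["op", "vault", "list", "--format=json"],
                              env=env, capture_output=True, text=True, check=True)
        raw_json = proc.stdout
    return json.loads(raw_json)

def _norm(name: str) -> str:
    # Collapse the usual copy/paste differences: case, hyphen vs underscore, spaces.
    return name.strip().lower().replace("-", "_").replace(" ", "_")

def resolve_vault(vaults: List[dict], wanted: str) -> Tuple[str, Optional[dict]]:
    """Return ("id"|"name", vault) on an exact match, ("near", vault) when only a
    normalised form matches (the vault= string is probably mistyped), else ("missing", None)."""
    for key in ("id", "name"):
        for v in vaults:
            if v[key] == wanted:
                return key, v
    for v in vaults:
        if _norm(v["name"]) == _norm(wanted):
            return "near", v
    return "missing", None

def diagnose(vaults: List[dict], wanted: str) -> str:
    """One-line verdict to check before filing a lookup-plugin bug."""
    status, v = resolve_vault(vaults, wanted)
    if status in ("id", "name"):
        return f"OK: '{wanted}' resolves to vault {v['id']} ({v['name']})"
    if status == "near":
        return f"MISMATCH: '{wanted}' is not exact; nearest visible vault is '{v['name']}'"
    return f"NO ACCESS: token sees {len(vaults)} vault(s), none named '{wanted}'"
```

Against a live account, call `diagnose(list_vaults(token=op_sa_token), "SOME_VAULT")` with the same vault string the playbook uses; a MISMATCH verdict points at the lookup arguments, a NO ACCESS verdict at the service account's vault grants.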

Labels: bug, docs_fragments, needs_info, plugins