Open
Description
Summary
Onepassword lookup with a service account does not find the vault correctly. However, op on the command line does. Also, if I run op signin before running the playbook, I can remove the subdomain and serviceaccount fields from the lookup and the playbook succeeds.
- name: Fetch a CIDR from 1Password
  ansible.builtin.debug:
    msg: "{{ lookup('community.general.onepassword', 'public key', field='cidr', vault='SOME-VAULT', subdomian='XXXXXXXXXXXXXXXXXX', service_account_token=op_sa_token) }}"
returns
TASK [Fetch a CIDR from 1Password] *********************************************************************************************************************************************
task path: /opt/ansible/playbooks/testing-tasks.yml:125
Thursday 20 March 2025 19:53:47 +0000 (0:00:00.026) 0:00:01.335 ********
fatal: [localhost]: FAILED! => {
"msg": "b'[ERROR] 2025/03/20 19:53:48 \"SOME_VAULT\" isn\\'t a vault in this account. Specify the vault with its ID or name.\\n'"
}
But once I'm logged in, the op utility returns fine:
(.ansible) [XXXXXXXXXXX@XXXXXXXXXX ansible]$ op read op://SOME_VAULT/'public key'/cidr
72.107.215.236/32
(.ansible) [XXXXXXXXXX@XXXXXXXXXXXXX ansible]$
Also, now I can adjust the task item to return fine:
- name: Fetch a CIDR from 1Password
  ansible.builtin.debug:
    msg: "{{ lookup('community.general.onepassword', 'public key', field='cidr', vault='SOME-VAULT') }}"
Thursday 20 March 2025 20:03:42 +0000 (0:00:00.025) 0:00:01.308 ********
ok: [localhost] => {
"msg": "72.107.215.236/32"
}
PLAY RECAP *********************************************************************************************************************************************************************
localhost : ok=5 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
current op environment:
(.ansible) [XXXXXXX@XXXXXXXXXXXXX ansible]$ op account list
(.ansible) [XXXXXXX@XXXXXXXXXXXXX ansible]$ op whoami
URL: https://XXXXXXXXXXXXXX.1password.com
Integration ID: XXXXXXXXXXXXXXXXXXXXXXXXX
User Type: SERVICE_ACCOUNT
Issue Type
Bug Report
Component Name
community.general.onepassword
Ansible Version
$ ansible --version
ansible [core 2.17.0]
config file = /opt/ansible/ansible.cfg
configured module search path = ['/opt/ansible/my_modules']
ansible python module location = /opt/ansible/.ansible/lib/python3.12/site-packages/ansible
ansible collection location = /opt/ansible/collections/ansible_collections
executable location = /opt/ansible/.ansible/bin/ansible
python version = 3.12.3 (main, Apr 15 2024, 17:09:49) [GCC 6.3.0 20170516] (/opt/ansible/.ansible/bin/python)
jinja version = 3.1.4
libyaml = True
Community.general Version
$ ansible-galaxy collection list community.general
# /opt/ansible/collections/ansible_collections
Collection Version
----------------- -------
community.general 10.4.0
Configuration
$ ansible-config dump --only-changed
BECOME_PLUGIN_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/plugins/become']
CALLBACKS_ENABLED(/opt/ansible/ansible.cfg) = ['profile_tasks']
COLLECTIONS_PATHS(/opt/ansible/ansible.cfg) = ['/opt/ansible/collections/ansible_collections']
CONFIG_FILE() = /opt/ansible/ansible.cfg
DEFAULT_ACTION_PLUGIN_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/plugins/action']
DEFAULT_ASK_VAULT_PASS(/opt/ansible/ansible.cfg) = False
DEFAULT_CACHE_PLUGIN_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/plugins/cache']
DEFAULT_CALLBACK_PLUGIN_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/plugins/callback']
DEFAULT_CONNECTION_PLUGIN_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/plugins/connection']
DEFAULT_FILTER_PLUGIN_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/plugins/filter']
DEFAULT_GATHERING(/opt/ansible/ansible.cfg) = smart
DEFAULT_HOST_LIST(/opt/ansible/ansible.cfg) = ['/opt/ansible/inventory/aws_ec2.yml']
DEFAULT_INVENTORY_PLUGIN_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/plugins/inventory']
DEFAULT_LOCAL_TMP(/opt/ansible/ansible.cfg) = /home/ansadmin/.ansible/tmp/ansible-local-26526098qdpcodj
DEFAULT_LOG_PATH(/opt/ansible/ansible.cfg) = /opt/ansible/log/ansible.log
DEFAULT_LOOKUP_PLUGIN_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/plugins/lookup']
DEFAULT_MANAGED_STR(/opt/ansible/ansible.cfg) = #Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
DEFAULT_MODULE_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/my_modules']
DEFAULT_MODULE_UTILS_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/my_module_utils']
DEFAULT_PRIVATE_KEY_FILE(/opt/ansible/ansible.cfg) = /home/ansadmin/.ssh/id_ed25519
DEFAULT_REMOTE_USER(/opt/ansible/ansible.cfg) = ansadmin
DEFAULT_ROLES_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/roles']
DEFAULT_STRATEGY_PLUGIN_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/plugins/strategy']
DEFAULT_TERMINAL_PLUGIN_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/plugins/terminal']
DEFAULT_TEST_PLUGIN_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/plugins/test']
DEFAULT_VARS_PLUGIN_PATH(/opt/ansible/ansible.cfg) = ['/opt/ansible/plugins/vars']
DEFAULT_VAULT_PASSWORD_FILE(/opt/ansible/ansible.cfg) = /opt/ansible/.vault.pwd
DEPRECATION_WARNINGS(/opt/ansible/ansible.cfg) = False
INTERPRETER_PYTHON(/opt/ansible/ansible.cfg) = auto_silent
INVENTORY_ENABLED(/opt/ansible/ansible.cfg) = ['host_list', 'ini', 'yaml', 'script', 'aws_ec2']
PLUGIN_FILTERS_CFG(/opt/ansible/ansible.cfg) = /opt/ansible/plugin_filters.yml
OS / Environment
Amazon Linux 2023 6.1.94-99.176.amzn2023.aarch64
Steps to Reproduce
---
- name: Testing Playbook
  hosts: "{{ host }}"
  become: true
  remote_user: ansadmin
  become_user: root
  tasks:
    - name: Fetch a CIDR from 1Password
      ansible.builtin.debug:
        msg: "{{ lookup('community.general.onepassword', 'dherrington public key', field='cidr', vault='SOME_VAULT', subdomain=<1password account>, service_account_token=<very long service account token or var with the token>) }}"
Expected Results
I expected to see this result from the playbook:
TASK [Fetch a CIDR from 1Password] *********************************************************************************************************************************************
Thursday 20 March 2025 22:05:23 +0000 (0:00:00.027) 0:00:01.319 ********
ok: [localhost] => {
"msg": "72.107.215.236/32"
}
PLAY RECAP *********************************************************************************************************************************************************************
localhost : ok=5 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Thursday 20 March 2025 22:05:25 +0000 (0:00:01.471) 0:00:02.791 ********
===============================================================================
Fetch a CIDR from 1Password --------------------------------------------------------------------------------------------------------------------------------------------- 1.47s
Gathering Facts --------------------------------------------------------------------------------------------------------------------------------------------------------- 1.20s
Check version of community.general -------------------------------------------------------------------------------------------------------------------------------------- 0.05s
dump op ----------------------------------------------------------------------------------------------------------------------------------------------------------------- 0.03s
dump op ----------------------------------------------------------------------------------------------------------------------------------------------------------------- 0.03s
Actual Results
TASK [Fetch a CIDR from 1Password] *********************************************************************************************************************************************
Thursday 20 March 2025 20:03:08 +0000 (0:00:00.027) 0:00:02.367 ********
fatal: [localhost]: FAILED! => {"msg": "b'[ERROR] 2025/03/20 20:03:08 \"SOME_VAULT\" isn\\'t a vault in this account. Specify the vault with its ID or name.\\n'"}
PLAY RECAP *********************************************************************************************************************************************************************
localhost : ok=4 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
Thursday 20 March 2025 20:03:08 +0000 (0:00:00.866) 0:00:03.233 ********
===============================================================================
Gathering Facts --------------------------------------------------------------------------------------------------------------------------------------------------------- 2.25s
Fetch a CIDR from 1Password --------------------------------------------------------------------------------------------------------------------------------------------- 0.87s
Check version of community.general -------------------------------------------------------------------------------------------------------------------------------------- 0.05s
dump op ----------------------------------------------------------------------------------------------------------------------------------------------------------------- 0.03s
dump op ----------------------------------------------------------------------------------------------------------------------------------------------------------------- 0.03s
Code of Conduct
- I agree to follow the Ansible Code of Conduct
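
A diagnostic for the "isn't a vault in this account" error reported above, as an added example that is not part of the original report or of community.general: it lists the vaults a service-account token can see with `op vault list --format json` and checks the requested vault against that list, flagging near-misses such as `SOME-VAULT` versus `SOME_VAULT`, both of which appear in the report. The function names and the sample vault listing are constructed for illustration.

```python
import json
import os
import subprocess

# Constructed sample of `op vault list --format json` output; the IDs and the
# second vault are made up for this example and do not come from the issue.
SAMPLE_VAULT_LIST = json.dumps([
    {"id": "constructedvaultid00000001", "name": "SOME_VAULT"},
    {"id": "constructedvaultid00000002", "name": "Build Secrets"},
])


def _fold(name):
    """Lower-case and drop every non-alphanumeric character for fuzzy compare."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def resolve_vault(requested, vault_list_json):
    """Return (status, vault): 'exact', 'near-miss' or 'not-visible'."""
    vaults = json.loads(vault_list_json)
    for vault in vaults:
        if requested in (vault["id"], vault["name"]):
            return "exact", vault
    for vault in vaults:
        if _fold(requested) == _fold(vault["name"]):
            return "near-miss", vault
    return "not-visible", None


def list_vaults_for_token(token):
    """List the vaults this service-account token can see, via the op CLI."""
    # Pass the token through the environment, never argv (argv shows up in ps).
    # Drop OP_SESSION_* so the result reflects the token alone, not an
    # earlier interactive `op signin` session.
    env = {k: v for k, v in os.environ.items() if not k.startswith("OP_SESSION_")}
    env["OP_SERVICE_ACCOUNT_TOKEN"] = token
    result = subprocess.run(["op", "vault", "list", "--format", "json"],
                            env=env, capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Offline run against the constructed listing; on a real host, pass
    # list_vaults_for_token(os.environ["OP_SERVICE_ACCOUNT_TOKEN"]) instead.
    for wanted in ("SOME_VAULT", "SOME-VAULT", "MISSING"):
        status, vault = resolve_vault(wanted, SAMPLE_VAULT_LIST)
        print(f"{wanted!r}: {status}", vault["id"] if vault else "")
```

A `not-visible` result for a vault that an interactive session can read means the token itself has not been granted that vault, which is a permissions question rather than a lookup-plugin one.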