Are you tired of having to manually retrieve your sudo password and enter it into your terminal every time you run an Ansible playbook with ansible_become_user? I was, so I discovered a way to automatically retrieve it from 1Password and use it in Ansible playbooks.

Using Ansible's onepassword lookup plugin, you can retrieve the value of a 1Password item and use it in your playbooks. Lookup plugins are built into Ansible and let you pull a value from a file, a database, or another external source at template time; in this case the external source is 1Password.

- name: "retrieve password for ITEM"
  debug:
    msg: "{{ lookup('onepassword', 'ITEM') }}"

For more information on the lookup plugin, see the ansible-lookup-plugin.

This lets you pull your sudo password from 1Password instead of typing it at the prompt from ansible-playbook main.yml -K (--ask-become-pass), or reading it from a local plain-text file or an encrypted vault.

Usage

Requirements

  • A 1Password account - If you don’t have a 1Password account, you can sign up for a free account here.

  • The 1Password CLI tool - If you don’t have the 1Password CLI tool, you can download it here.

Create your password item in 1Password and give it a name. In this example, I will be using the name ansible_become_pass. You can name it whatever you want, but you will need to use the same name in your Ansible playbook.

$ op item create --category=password --title="ansible_become_pass" --vault="Personal" \
  password="my-super-secret-password"

Note: You can use a different category, but I recommend using the password category. You need to specify the --vault option if you want to store the item in a specific vault. If you don’t specify the --vault option, the item will be stored in the default vault.

Next, you will need to use the lookup plugin as the value of the ansible_become_pass variable in your Ansible playbook. I set mine in the inventory file, but you can also set it in the vars section of your playbook (or a vars file). The lookup retrieves the 1Password item whose title you pass as its argument; here I give it the same name as the variable, so it retrieves the item named ansible_become_pass.

[all:vars]
ansible_become_pass="{{ lookup('onepassword', 'ansible_become_pass', errors='warn') | d(omit) }}"

That’s it! When you run your playbook, Ansible will retrieve the value of the 1Password item and use it as the value of the ansible_become_pass variable. 1Password will prompt you to allow access to the vault/item when the playbook runs.

$ ansible-playbook -i inventory main.yml
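The whole procedure above, pulled together into one playbook as an added example (this is not the post's own code). It assumes the item title ansible_become_pass and the vault Personal created earlier, and that the community.general collection is installed, so the lookup is referenced by its fully qualified name community.general.onepassword (the post's bare onepassword is the same plugin). Rather than sending whatever the lookup returns straight into become, it fetches the password once into a fact with no_log set, so the secret never appears in output or log files, and refuses to continue with a readable message if the lookup came back empty (for example because op is not signed in); only then does it verify that privilege escalation actually works.

```yaml
---
# Added example, not from the original post.
# Assumptions: 1Password item "ansible_become_pass" in vault "Personal"
# (as created with `op item create` above) and community.general installed.
- name: Run privileged tasks with a sudo password retrieved from 1Password
  hosts: all
  become: true

  vars:
    op_vault: "Personal"
    op_item: "ansible_become_pass"

  pre_tasks:
    - name: Fetch the become password from 1Password
      # Lookups always execute on the control node, where the op CLI lives.
      # errors='warn' turns a failed lookup into None instead of aborting here;
      # default('', true) maps that None to '' so the next task can explain it.
      # field='password' is the plugin's default, stated explicitly.
      ansible.builtin.set_fact:
        ansible_become_pass: >-
          {{ lookup('community.general.onepassword', op_item,
                    vault=op_vault, field='password', errors='warn')
             | default('', true) }}
      become: false
      no_log: true     # keep the secret out of stdout, -v output and log files
      run_once: true   # call op once; the fact is applied to every host in the play

    - name: Refuse to continue if no password came back from 1Password
      ansible.builtin.assert:
        that:
          - ansible_become_pass | length > 0
        fail_msg: >-
          1Password returned no password for item '{{ op_item }}' in vault
          '{{ op_vault }}'. Run 'op signin' and check the item title and vault.
        quiet: true
      become: false

  tasks:
    - name: Check that privilege escalation works before doing real work
      ansible.builtin.command: id -u
      register: effective_uid
      changed_when: false

    - name: Stop if the previous task did not run as root
      ansible.builtin.assert:
        that:
          - effective_uid.stdout == "0"
        fail_msg: "become succeeded without error but we are not uid 0"
        quiet: true
```

Run it exactly like the post's playbook, ansible-playbook -i inventory play.yml, with the inventory containing only hosts (no ansible_become_pass line, since the pre_task sets it). The set_fact form also gives you one place to add no_log, which the inventory one-liner cannot do; if you keep the inventory approach instead, remember that the debug task earlier in the post prints the password in clear text, so do not leave it in a playbook that runs under logging.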