Forge Home


Bolt inventory plugin for getting data from 1password


1,445 latest version

5.0 quality score

Version information

  • 0.2.0 (latest)
  • 0.1.0
released May 6th 2020
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x
  • Puppet >= 5.5.0 < 7.0.0
  • , , , , , , ,
  • get_item

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'sharpie-op_data', '0.2.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add sharpie-op_data
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install sharpie-op_data --version 0.2.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



sharpie/op_data — version 0.2.0 May 6th 2020


Unit Tests Acceptance Tests

The op_data module provides a Bolt inventory plugin for fetching data from 1password vaults. This plugin wraps the 1password CLI tool, op, and is designed to support interactive execution of bolt commands from an administrator's workstation.


Setup Requirements

The op_data plugin requires the 1password CLI tool, op, to be installed and available on the $PATH. Mac users can install op via the Homebrew package manager:

brew cask install 1password-cli

Windows users can install op via the Chocolately package manager:

choco install 1password-cli

Direct downloads and instructions for other operating systems can be found at:

Once the CLI is installed, use the op signin command to connect 1password accounts. The domain is used by personal accounts while enterprise accounts typically use a custom domain: <org-name> The op_data plugin supports using data from multiple account domains at once. More information on connecting accounts to the op tool can be found here:

Beginning with op_data

Once the op CLI tool is installed and connected to 1password account(s), the op_data plugin can be used with a Bolt project by adding an entry to the Puppetfile:

mod 'sharpie-op_data', '0.2.0'

Next, the inventory.yaml file can be configured to retrieve values using _plugin: op_data. For example, to make passwords or login credentials available as variables:

    _plugin: op_data
    vault: 'op_data Test Vault'
    id: 'DigitalOcean API Token'
    select: details.password

    _plugin: op_data
    vault: 'Personal'
    id: 'vSphere Credential'
    select: |
      {user: details.fields[?designation == 'username'].value|[0],
       pass: details.fields[?designation == 'password'].value|[0]}

The account parameter is required and specifies which 1password account domain to look data up in. The id parameter is also required and gives the name or UUID of the data item to look up. The vault parameter is optional, accepts a vault name or UUID, and is used to restrict a lookup to a specific vault in a domain. The inventory.yaml file may be configured to look up data from multiple account domains.

The select parameter can be used to extract or re-shape data using JMESPath expressions:

The jp CLI tool is useful for developing select expressions that work against specific 1password records:

eval $(op signin '<account>')

op get item '<id>' [--vault '<vault>'] | jp '<select>'


The op_data plugin looks for 1password account credentials set in OP_SESSION_<account> environment variables and will raise an error if credentials are missing. A typical user session is shown below:

# Sign into 1password accounts (Linux or macOS)
eval $(op signin
eval $(op signin

# Sign into 1password accounts (Windows)
Invoke-Expression $(op signin
Invoke-Expression $(op signin

# Run bolt commands that use 1password data via inventory.yaml
bolt plan run ...

# Sign out of 1password, or close the terminal session
op signout
op signout


  • Session credentials generated by op signin expire after 30 minutes. Keep this time limit in mind when writing long-running plans.