Bolt inventory plugin for getting data from 1password

Charlie Sharpsteen



1,189 latest version

5.0 quality score

Version information

  • 0.2.0 (latest)
  • 0.1.0
released May 6th 2020
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x
  • Puppet >= 5.5.0 < 7.0.0
  • CentOS
  • get_item

Start using this module


sharpie/op_data — version 0.2.0 May 6th 2020


Unit Tests Acceptance Tests

The op_data module provides a Bolt inventory plugin for fetching data from 1password vaults. This plugin wraps the 1password CLI tool, op, and is designed to support interactive execution of bolt commands from an administrator's workstation.


Setup Requirements

The op_data plugin requires the 1password CLI tool, op, to be installed and available on the $PATH. Mac users can install op via the Homebrew package manager:

brew cask install 1password-cli

Windows users can install op via the Chocolately package manager:

choco install 1password-cli

Direct downloads and instructions for other operating systems can be found at:


Once the CLI is installed, use the op signin command to connect 1password accounts. The my.1password.com domain is used by personal accounts while enterprise accounts typically use a custom domain: <org-name>.1password.com. The op_data plugin supports using data from multiple account domains at once. More information on connecting accounts to the op tool can be found here:


Beginning with op_data

Once the op CLI tool is installed and connected to 1password account(s), the op_data plugin can be used with a Bolt project by adding an entry to the Puppetfile:

mod 'sharpie-op_data', '0.2.0'

Next, the inventory.yaml file can be configured to retrieve values using _plugin: op_data. For example, to make passwords or login credentials available as variables:

    _plugin: op_data
    account: my.1password.com
    vault: 'op_data Test Vault'
    id: 'DigitalOcean API Token'
    select: details.password

    _plugin: op_data
    account: example-corp.1password.com
    vault: 'Personal'
    id: 'vSphere Credential'
    select: |
      {user: details.fields[?designation == 'username'].value|[0],
       pass: details.fields[?designation == 'password'].value|[0]}

The account parameter is required and specifies which 1password account domain to look data up in. The id parameter is also required and gives the name or UUID of the data item to look up. The vault parameter is optional, accepts a vault name or UUID, and is used to restrict a lookup to a specific vault in a domain. The inventory.yaml file may be configured to look up data from multiple account domains.

The select parameter can be used to extract or re-shape data using JMESPath expressions:


The jp CLI tool is useful for developing select expressions that work against specific 1password records:

eval $(op signin '<account>')

op get item '<id>' [--vault '<vault>'] | jp '<select>'


The op_data plugin looks for 1password account credentials set in OP_SESSION_<account> environment variables and will raise an error if credentials are missing. A typical user session is shown below:

# Sign into 1password accounts (Linux or macOS)
eval $(op signin my.1password.com)
eval $(op signin example-corp.1password.com)

# Sign into 1password accounts (Windows)
Invoke-Expression $(op signin my.1password.com)
Invoke-Expression $(op signin example-corp.1password.com)

# Run bolt commands that use 1password data via inventory.yaml
bolt plan run ...

# Sign out of 1password, or close the terminal session
op signout my.1password.com
op signout example-corp.1password.com


  • Session credentials generated by op signin expire after 30 minutes. Keep this time limit in mind when writing long-running plans.