Version information
This version is compatible with:
- Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x
- Puppet >= 5.5.0 < 7.0.0
Tasks:
- get_item
Start using this module
Add this module to your Puppetfile:
mod 'sharpie-op_data', '0.2.0'
Bolt-op_data
The op_data module provides a Bolt inventory plugin for fetching data from 1password vaults. This plugin wraps the 1password CLI tool, op, and is designed to support interactive execution of bolt commands from an administrator's workstation.
Setup
Setup Requirements
The op_data plugin requires the 1password CLI tool, op, to be installed and available on the $PATH. Mac users can install op via the Homebrew package manager:
brew cask install 1password-cli
Windows users can install op via the Chocolatey package manager:
choco install 1password-cli
Direct downloads and instructions for other operating systems can be found at:
https://support.1password.com/command-line-getting-started/#set-up-the-command-line-tool
Once the CLI is installed, use the op signin command to connect 1password accounts. The my.1password.com domain is used by personal accounts while enterprise accounts typically use a custom domain: <org-name>.1password.com. The op_data plugin supports using data from multiple account domains at once.
More information on connecting accounts to the op tool can be found here:
https://support.1password.com/command-line/#appendix-session-management
Beginning with op_data
Once the op CLI tool is installed and connected to 1password account(s), the op_data plugin can be used with a Bolt project by adding an entry to the Puppetfile:
mod 'sharpie-op_data', '0.2.0'
Next, the inventory.yaml file can be configured to retrieve values using _plugin: op_data. For example, to make passwords or login credentials available as variables:
vars:
  do_token:
    _plugin: op_data
    account: my.1password.com
    vault: 'op_data Test Vault'
    id: 'DigitalOcean API Token'
    select: details.password
  vsphere_login:
    _plugin: op_data
    account: example-corp.1password.com
    vault: 'Personal'
    id: 'vSphere Credential'
    select: |
      {user: details.fields[?designation == 'username'].value|[0],
       pass: details.fields[?designation == 'password'].value|[0]}
The account parameter is required and specifies which 1password account domain to look data up in. The id parameter is also required and gives the name or UUID of the data item to look up. The vault parameter is optional, accepts a vault name or UUID, and is used to restrict a lookup to a specific vault in a domain. The inventory.yaml file may be configured to look up data from multiple account domains.
The select parameter can be used to extract or re-shape data using JMESPath expressions:
https://jmespath.org/tutorial.html
The jp CLI tool is useful for developing select expressions that work against specific 1password records:
eval $(op signin '<account>')
op get item '<id>' [--vault '<vault>'] | jp '<select>'
Usage
The op_data plugin looks for 1password account credentials set in OP_SESSION_<account> environment variables and will raise an error if credentials are missing. A typical user session is shown below:
# Sign into 1password accounts (Linux or macOS)
eval $(op signin my.1password.com)
eval $(op signin example-corp.1password.com)
# Sign into 1password accounts (Windows)
Invoke-Expression $(op signin my.1password.com)
Invoke-Expression $(op signin example-corp.1password.com)
# Run bolt commands that use 1password data via inventory.yaml
bolt plan run ...
# Sign out of 1password, or close the terminal session
op signout my.1password.com
op signout example-corp.1password.com
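A pre-flight check for the session requirement described above, as an added example that is not part of the op_data module: it collects every account referenced by an op_data entry in inventory.yaml and reports which OP_SESSION_<account> variables are unset. The function names, the sample inventory, and the rule that the variable suffix is the account's subdomain with hyphens changed to underscores are assumptions, not taken from the module.

```ruby
require 'yaml'

# Constructed sample inventory, modelled on the vars shown earlier on this page.
SAMPLE_INVENTORY = <<~INVENTORY
  vars:
    do_token:
      _plugin: op_data
      account: my.1password.com
      id: 'DigitalOcean API Token'
      select: details.password
    vsphere_login:
      _plugin: op_data
      account: example-corp.1password.com
      id: 'vSphere Credential'
INVENTORY

# Walk the parsed inventory and collect the account of every op_data reference.
def op_data_accounts(node, found = [])
  case node
  when Hash
    found << node['account'] if node['_plugin'] == 'op_data'
    node.each_value { |value| op_data_accounts(value, found) }
  when Array
    node.each { |value| op_data_accounts(value, found) }
  end
  found.compact.uniq
end

# Assumption: the variable is named after the account's subdomain with
# hyphens turned into underscores (my.1password.com -> OP_SESSION_my).
def session_var(account)
  "OP_SESSION_#{account.split('.').first.tr('-', '_')}"
end

# Return [account, variable name] pairs whose session variable is unset or
# empty. Only variable names are reported; token values are never echoed.
def missing_sessions(inventory_yaml, env = ENV)
  accounts = op_data_accounts(YAML.safe_load(inventory_yaml, aliases: true))
  accounts.select { |account| env[session_var(account)].to_s.empty? }
          .map { |account| [account, session_var(account)] }
end

if __FILE__ == $PROGRAM_NAME
  source = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_INVENTORY
  missing_sessions(source).each do |account, var|
    warn "#{var} is not set; run: eval $(op signin #{account})"
  end
end
```

A variable that is set can still hold an expired token, so this check only catches sessions that were never opened in the current shell.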
Limitations
- Session credentials generated by op signin expire after 30 minutes. Keep this time limit in mind when writing long-running plans.
Changelog
All notable changes to this project will be documented in this file.
Release 0.2.0 - 2020-05-06
Summary
Backwards compatible feature release of the op_data module.
Features
- Windows is now supported.
- Acceptance test coverage for Windows, Linux, and macOS.
Release 0.1.0 - 2020-05-04
Summary
Initial release of the op_data module.
Features
- Bolt inventory plugin that allows data to be retrieved from 1password accounts.
- Support for using JMESPath expressions to select or re-shape 1password data.
Dependencies
- puppetlabs-ruby_task_helper (>= 0.4.0 < 1.0.0)