ddf6b13f18
🔐 Load `OP_SERVICE_ACCOUNT_TOKEN` from ENVs (#7721)
* 🔐 Load `OP_SERVICE_ACCOUNT_TOKEN` from ENVs
* 🚚 Move configuration to `doc_fragments`
* 📝 Add `env` to documentation
* Revert change
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit 1fdbb50abb)
Co-authored-by: Dov Benyomin Sohacheski <b@kloud.email>
# -*- coding: utf-8 -*-
# Copyright (c) 2023, Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
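class ModuleDocFragment(object):
    # Documentation fragment for the 1Password plugins: each attribute below is
    # a raw YAML string that plugins extending this fragment merge into their
    # own documentation.
    #
    # NOTE(review): this listing was recovered from a flattened page view, so
    # the YAML nesting below is reconstructed. In particular the placement of
    # C(version_added) (option level for the Connect options, env-entry level
    # in LOOKUP) should be confirmed against the upstream file.

    # Options common to the fragment's users.
    #
    # Secret-bearing options here are master_password, secret_key,
    # service_account_token and connect_token. In this section only
    # connect_token (and the non-secret connect_host) document an environment
    # variable source; the other secrets are documented as plain plugin options.
    DOCUMENTATION = r'''
requirements:
  - See U(https://support.1password.com/command-line/)
options:
  master_password:
    description: The password used to unlock the specified vault.
    aliases: ['vault_password']
    type: str
  section:
    description: Item section containing the field to retrieve (case-insensitive). If absent will return first match from any section.
  domain:
    description: Domain of 1Password.
    default: '1password.com'
    type: str
  subdomain:
    description: The 1Password subdomain to authenticate against.
    type: str
  account_id:
    description: The account ID to target.
    type: str
  username:
    description: The username used to sign in.
    type: str
  secret_key:
    description: The secret key used when performing an initial sign in.
    type: str
  service_account_token:
    description:
      - The access key for a service account.
      - Only works with 1Password CLI version 2 or later.
    type: str
  vault:
    description: Vault containing the item to retrieve (case-insensitive). If absent will search all vaults.
    type: str
  connect_host:
    description: The host for 1Password Connect. Must be used in combination with O(connect_token).
    type: str
    env:
      - name: OP_CONNECT_HOST
    version_added: 8.1.0
  connect_token:
    description: The token for 1Password Connect. Must be used in combination with O(connect_host).
    type: str
    env:
      - name: OP_CONNECT_TOKEN
    version_added: 8.1.0
'''

    # Lookup-specific additions: documents OP_SERVICE_ACCOUNT_TOKEN as an
    # environment source for service_account_token, plus usage notes.
    #
    # NOTE(review): a token taken from the environment lives in the controller
    # process environment and is presumably inherited by child processes; it is
    # safer to scope the variable to the run than to export it from a shell
    # profile. The notes below also state that retrieved data is stored as
    # Ansible facts and can end up in clear text when fact caching is enabled.
    LOOKUP = r'''
options:
  service_account_token:
    env:
      - name: OP_SERVICE_ACCOUNT_TOKEN
        version_added: 8.2.0
notes:
  - This lookup will use an existing 1Password session if one exists. If not, and you have already
    performed an initial sign in (meaning C(~/.op/config), C(~/.config/op/config) or C(~/.config/.op/config) exists), then only the
    O(master_password) is required. You may optionally specify O(subdomain) in this scenario, otherwise the last used subdomain will be used by C(op).
  - This lookup can perform an initial login by providing O(subdomain), O(username), O(secret_key), and O(master_password).
  - Can target a specific account by providing the O(account_id).
  - Due to the B(very) sensitive nature of these credentials, it is B(highly) recommended that you only pass in the minimal credentials
    needed at any given time. Also, store these credentials in an Ansible Vault using a key that is equal to or greater in strength
    to the 1Password master password.
  - This lookup stores potentially sensitive data from 1Password as Ansible facts.
    Facts are subject to caching if enabled, which means this data could be stored in clear text
    on disk or in a database.
  - Tested with C(op) version 2.7.2.
'''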