1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
community.general/plugins/doc_fragments/onepassword.py
patchback[bot] ddf6b13f18
[PR #7721/1fdbb50a backport][stable-8] 🔐 Load OP_SERVICE_ACCOUNT_TOKEN from ENVs (#7757)
🔐 Load `OP_SERVICE_ACCOUNT_TOKEN` from ENVs (#7721)

* 🔐 Load `OP_SERVICE_ACCOUNT_TOKEN` from ENVs

* 🚚 Move configuration to `doc_fragments`

* 📝 Add `env` to documentation

* Revert change

Co-authored-by: Felix Fontein <felix@fontein.de>

---------

Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit 1fdbb50abb)

Co-authored-by: Dov Benyomin Sohacheski <b@kloud.email>
2023-12-21 23:11:46 +01:00

79 lines
3 KiB
Python

# -*- coding: utf-8 -*-
# Copyright (c) 2023, Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
class ModuleDocFragment(object):
DOCUMENTATION = r'''
requirements:
- See U(https://support.1password.com/command-line/)
options:
master_password:
description: The password used to unlock the specified vault.
aliases: ['vault_password']
type: str
section:
description: Item section containing the field to retrieve (case-insensitive). If absent will return first match from any section.
domain:
description: Domain of 1Password.
default: '1password.com'
type: str
subdomain:
description: The 1Password subdomain to authenticate against.
type: str
account_id:
description: The account ID to target.
type: str
username:
description: The username used to sign in.
type: str
secret_key:
description: The secret key used when performing an initial sign in.
type: str
service_account_token:
description:
- The access key for a service account.
- Only works with 1Password CLI version 2 or later.
type: str
vault:
description: Vault containing the item to retrieve (case-insensitive). If absent will search all vaults.
type: str
connect_host:
description: The host for 1Password Connect. Must be used in combination with O(connect_token).
type: str
env:
- name: OP_CONNECT_HOST
version_added: 8.1.0
connect_token:
description: The token for 1Password Connect. Must be used in combination with O(connect_host).
type: str
env:
- name: OP_CONNECT_TOKEN
version_added: 8.1.0
'''
LOOKUP = r'''
options:
service_account_token:
env:
- name: OP_SERVICE_ACCOUNT_TOKEN
version_added: 8.2.0
notes:
- This lookup will use an existing 1Password session if one exists. If not, and you have already
performed an initial sign in (meaning C(~/.op/config), C(~/.config/op/config) or C(~/.config/.op/config) exists), then only the
O(master_password) is required. You may optionally specify O(subdomain) in this scenario, otherwise the last used subdomain will be used by C(op).
- This lookup can perform an initial login by providing O(subdomain), O(username), O(secret_key), and O(master_password).
- Can target a specific account by providing the O(account_id).
- Due to the B(very) sensitive nature of these credentials, it is B(highly) recommended that you only pass in the minimal credentials
needed at any given time. Also, store these credentials in an Ansible Vault using a key that is equal to or greater in strength
to the 1Password master password.
- This lookup stores potentially sensitive data from 1Password as Ansible facts.
Facts are subject to caching if enabled, which means this data could be stored in clear text
on disk or in a database.
- Tested with C(op) version 2.7.2.
'''