balajidutt
New Contributor
2 years ago

CLI command fails when run with Ansible playbook

Hello,

I'm struggling to get an Ansible playbook working that updates a password in my 1Password vault. Here is the simplified playbook:

```
- name: Configuration of the Bootstrap server
  hosts: host1
  vars:
    onepass_item: FreeIPA (Admin)
    onepass_file: /tmp/Item.json

  tasks:
    - name: Verify that 1Password CLI is available on Controller node.
      ansible.builtin.stat:
        path: "/usr/bin/op"
      delegate_to: localhost
      register: onepass_cli

    - name: Verify that 1Password CLI is available on Controller node.
      ansible.builtin.assert:
        that:
          - onepass_cli.stat.exists
        fail_msg: "1Password CLI could not be found"
      delegate_to: localhost

    - name: Verify that 1Password CLI is connected to a 1Password Vault on the Controller node.
      ansible.builtin.shell:
        cmd: "/usr/bin/op item get \"{{ onepass_item }}\" --fields username"
      delegate_to: localhost
      register: onepass_cli_output
      failed_when: onepass_cli_output.rc != 0
      changed_when: onepass_cli_output.rc != 0

    - name: Generate a new random password for the FreeIPA Admin User
      ansible.builtin.set_fact:
        refresh_ipa_admin_password: "{{ lookup('ansible.builtin.password', '/dev/null length=20 chars=ascii_letters,digits') }}"
      no_log: true

    - name: Download the item in the 1Password Vault to a JSON file.
      ansible.builtin.shell:
        cmd: "/usr/bin/op item get \"{{ onepass_item }}\" --format json > {{ onepass_file }}"
      delegate_to: localhost
      register: onepass_cli_output
      failed_when: onepass_cli_output.rc != 0
      changed_when: onepass_cli_output.rc != 0

    - name: Modify JSON file
      ansible.builtin.shell:
        cmd: jq '.fields |= map(if .id == "password" then .value = "{{ refresh_ipa_admin_password }}" else . end)' {{ onepass_file }} > /tmp/Item_modified.json && mv /tmp/Item_modified.json {{ onepass_file }}
      delegate_to: localhost
      register: result
      changed_when: result.rc != 0

    - name: Update the 1Password Vault entry for login via UI
      ansible.builtin.shell:
        cmd: "/usr/bin/op item edit \"{{ onepass_item }}\" --template={{ onepass_file }}"
      delegate_to: localhost

```

The final step, "Update the 1Password Vault entry for login via UI", fails with the error:

```
"stderr": "[ERROR] 2024/01/13 16:19:20 cannot edit an item from template and stdin at the same time",
```

However, when I run the command `/usr/bin/op item edit "FreeIPA (Admin)" --template=/tmp/Item.json` from an interactive shell, the command runs correctly.

I'm using 1Password CLI 2.24.0.

I'm not able to figure out why this is not working when run with Ansible. Any help would be very welcome!



1 Reply

  • balajidutt
    New Contributor

    I pinged this thread to the 1Password Support account on X/Twitter who suggested I raise a Support ticket.

    I got a suggestion on how to fix this, which required some fiddling with the syntax, but in the end the following Ansible step works as expected:

    ```
    - name: Update the 1Password Vault entry using the JSON file for login via UI
      ansible.builtin.shell:
      args:
        cmd: "cat {{ onepass_file }} | /usr/bin/op item edit \"{{ onepass_item }}\""
        executable: /bin/bash
      delegate_to: localhost
    ```

    Yes you can gnash your teeth about the UUOC here but hey it works and this is code for my homelab, and working code is all I need :-)
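
Added example, not part of the original thread: the error message suggests `op` found input on stdin in addition to `--template`. Assuming that an automation runner starts the command with a pipe on stdin instead of a terminal (an assumption, not confirmed in the thread), this Python probe shows how a child process sees its stdin in each case; all names in it are hypothetical.

```python
import os
import pty
import subprocess
import sys

# Child program: classify its own stdin, the kind of check a CLI can make
# before deciding whether data is being piped to it.
_PROBE = r"""
import os, stat
mode = os.fstat(0).st_mode
if os.isatty(0):
    print("tty")
elif stat.S_ISFIFO(mode):
    print("pipe")
elif stat.S_ISCHR(mode):
    print("chardev")
elif stat.S_ISREG(mode):
    print("file")
else:
    print("other")
"""


def child_stdin_kind(stdin):
    """Run the probe with the given stdin and return how the child sees it."""
    proc = subprocess.Popen([sys.executable, "-c", _PROBE],
                            stdin=stdin, stdout=subprocess.PIPE, text=True)
    out, _ = proc.communicate()
    return out.strip()


def interactive_stdin_kind():
    """Same probe with a pseudo-terminal on stdin, like an interactive shell."""
    master, slave = pty.openpty()
    try:
        return child_stdin_kind(slave)
    finally:
        os.close(master)
        os.close(slave)


if __name__ == "__main__":
    # Non-interactive runner: the child gets a pipe on stdin.
    print("runner-style pipe:", child_stdin_kind(subprocess.PIPE))
    # Explicit redirect from /dev/null: a character device, not a pipe.
    print("stdin=/dev/null:  ", child_stdin_kind(subprocess.DEVNULL))
    # Interactive shell: stdin is a terminal.
    print("interactive tty:  ", interactive_stdin_kind())
```

The working task in the reply puts the template on that same pipe (`cat … | op item edit`) and drops `--template`, so only one input source is present.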