Ansible Secrets Management with 1Password

1 minute read

I’m migrating my work code repositories from an on-prem GitLab instance to GitHub as part of an integration project we’re working on. One of the consequences of that is a need to clean up my Ansible plays: With all code hosted within a private LAN, I opted for the convenience of storing certificates and secrets in encrypted vaults which were version controlled with the code that utilized them.

Now that the code repos will be hosted in the cloud, the risk that someone manages to get a hold of one of my repos will of course increase dramatically, and so the vaults must go.

I’ve looked at products like Azure Key Vault and Hashicorp Vault, but again convenience wins out - at least for a while: My team has been using 1Password for several years. I’m not very happy with the macOS version moving from a native app where most of my commonly used operations required very little interaction with the program, to an Electron app that’s a bit more clunky to use in some operations - try duplicating an entry, for example. That said, as a team-supporting secrets manager, it’s a great product that requires practically no training at all to be secure yet useful for inexperienced colleagues.

Up until now, I haven’t really used the 1Password CLI companion utility, but this latest effort gave me a good reason to try. I love it! The way I’ve used it the last few days is simple but effective. An example Bash launcher for a playbook can look something like this:


# Read a secret from 1Password
MYSECRET=`op read "op://myvault/mysecret/password"`

# Use the secret in an Ansible playbook
ansible-playbook foo.yaml -i inventories/prod -e thepassword=$MYSECRET

If ran from a Linux workstation or a Mac where CLI integration into 1Password is enabled, the script will cause a pop-up where you can authenticate with TouchID or your passphrase, and then it will fetch the secret and feed it into the playbook.

I find that I often get a surprising amount of joy from the simple things.