Migrate Ansible Projects

1. Set up a 1Password Connect Server

With SecretHub, all integrations connect directly to the SecretHub API. Every time a secret is used, the encrypted data is fetched from the SecretHub servers. In contrast, with 1Password Secrets Automation, you can securely access secrets in your company’s apps and cloud infrastructure using a private REST API provided by a self-hosted 1Password Connect server, which uses 1Password.com as a backend. This means secrets are served to your applications with very low latency and, in the rare event that the 1Password.com API is down, your secrets are still served from the Connect server.

Your applications fetch secrets from Connect using any of the integrations or by using the Connect API directly.

Secrets served to your applications via the Connect Server.

Follow the steps to get started with a 1Password Secrets Automation workflow and deploy the Connect server using your credentials. You’ll also get an access token to authenticate Ansible with the REST API.

2. Install the Ansible Collection

Install the 1Password Connect collection for Ansible with the following command:

ansible-galaxy collection install onepassword.connect

3. Create 1Password Items Using Ansible

Use the access token you created when setting up 1Password Secrets Automation to set the OP_CONNECT_TOKEN environment variable and authenticate with the Connect server.

OP_CONNECT_HOST is also read from the environment. Set it to the hostname or IP address of the Connect server you set up in the first step of this guide: for example, localhost:8080 if the Connect server is running in Docker on the same host, or <ip>:8080 or <hostname>:8080 if the Connect server is running on another host.
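
A preflight check to run before ansible-playbook, added here as an example and not part of the original guide or the collection. It confirms both variables are set and flags a Connect host that would carry the access token over plain HTTP to a non-loopback address. The function name check_connect_env, its return codes, and the rule that a host without a scheme counts as plain HTTP are assumptions made for this example.

```shell
#!/bin/sh
# Added example: preflight check for OP_CONNECT_TOKEN and OP_CONNECT_HOST.
# check_connect_env and its return codes are hypothetical, not part of the
# onepassword.connect collection:
#   0 = ok, 1 = a variable is missing, 2 = token would leave the host over plain HTTP
# Usage (site.yml is a placeholder): check_connect_env && ansible-playbook site.yml

check_connect_env() {
    if [ -z "${OP_CONNECT_TOKEN:-}" ]; then
        echo "OP_CONNECT_TOKEN is not set" >&2
        return 1
    fi
    if [ -z "${OP_CONNECT_HOST:-}" ]; then
        echo "OP_CONNECT_HOST is not set" >&2
        return 1
    fi

    # Split an optional scheme from host[:port].
    case "$OP_CONNECT_HOST" in
        https://*) scheme=https; rest=${OP_CONNECT_HOST#https://} ;;
        http://*)  scheme=http;  rest=${OP_CONNECT_HOST#http://} ;;
        *)         scheme=http;  rest=$OP_CONNECT_HOST ;;  # assumption: no scheme means plain HTTP
    esac
    rest=${rest%%/*}                                  # drop any path
    case "$rest" in
        \[*) host=${rest%%\]*}; host=${host#\[} ;;    # bracketed IPv6 literal
        *)   host=${rest%%:*} ;;                      # hostname or IPv4, minus :port
    esac

    # Exact loopback names only; anything else is treated as remote.
    case "$host" in
        localhost|127.0.0.1|::1) remote=no ;;
        *) remote=yes ;;
    esac

    if [ "$scheme" = http ] && [ "$remote" = yes ]; then
        echo "OP_CONNECT_HOST=$OP_CONNECT_HOST would send the access token unencrypted" >&2
        return 2
    fi
    return 0
}
```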

After you set up your Connect server, install the collection, and authenticate Ansible, you can create 1Password items in Ansible. For example:

---
- name: Create 1Password Secret for database credentials
  hosts: localhost
  tasks:
    - name: Create the Database item with a generated password
      onepassword.connect.generic_item:
        vault_id: "qwerty56789asdf"
        title: Database
        state: created
        fields:
          - label: username
            value: db_user
          - label: password
            field_type: concealed
            generate_value: yes
            generator_recipe:
              length: 32
              include_symbols: no
      # Keep the item contents out of Ansible's output and logs
      no_log: true
      register: op_item

For more examples, see the 1Password Connect collection documentation on GitHub.