August 27, 2020
Did you know 1Password has a CLI tool? Password management and automation do not like each other much. If I want automation, then I cannot require user input. If I need a password, then I should not store it in my automation.
1Password CLI helps us track all our passwords, but there is still a bootstrapping problem: authenticating against 1Password itself.
Let us explore a possible solution below.
Installing 1Password CLI
First, we need to download and install 1Password CLI. We will want it running within our production setup as well as locally.
For me, that means getting things running on Mac OS X and Ubuntu (Debian-based). For the scripts below, make sure to cd into the directory where you want 1Password installed. I will be using ~/.bin/1password on my Mac and /opt/1password on Ubuntu.
Installing Go
The 1Password CLI is written in Go, and you can find the download for your platform here. Go itself is also available via Brew with brew install golang. Note that the prebuilt op binary is a standalone executable and does not need a Go toolchain to run; Go is only needed for tooling you build around it.
Before proceeding, make sure go is installed correctly.
Installing on Mac OS X
For Mac, we run the following
If the CLI tool is installed correctly and op is on your $PATH, then you should see the expected version of 1Password CLI reported.
Installing on Ubuntu (Linux)
On Linux (tested on Ubuntu 20.04), we run the following
You should also verify the signature of the file you just downloaded using gpg, as shown below. Do this before running the binary: an unverified download from a cache or mirror is exactly the kind of thing a supply-chain attacker would swap out.
If you get an error when verifying (typically because the signing key could not be fetched), consider changing your keyserver as shown below.
As with Mac OS X, if the CLI tool is installed correctly and op is on your $PATH, then you should see the expected version of 1Password CLI reported.
Running 1Password CLI
Before we try to automate password management with the CLI, first make sure you can use the tool directly. Read the introduction from 1Password for many more details.
Let's confirm you can sign in (please use your own credentials). The output will prompt you for your Secret Key and your Password.
You can find most of this information in the Preferences of the 1Password GUI.
1Password will then give you a session token that is valid for 30 minutes.
Using that token, we can now make authenticated calls to our 1Password vault. Here is an example of listing our vaults.
If everything worked as expected, your output should look similar to
If something went wrong (e.g. you copied the fake token above), then you might get an error like
Bootstrap 1Password Session with Expect
Once we have the session token, our automated scripts can work person-free for 30 minutes (yippee), but the token is still a bit arduous to generate and will need documentation (like this article) to accompany your automation scripts.
Let's explore how we could automate session generation using expect. Let's create a script called opsession (and make it executable with chmod 700 opsession).
You will need to change the following placeholder values:
Placeholder | Description
---|---
my (from my.1password.com) | Your organization's sign-in subdomain with 1Password
aforward@hey.com | Your email
AB-CD-EF | Your Secret Key
nicetry | Your 1Password master password
If we run our script, it should output a valid token like
We can now use that script directly against an op operation like
Or, we could store the OP_SESSION token and re-use it
Split opsession generation from op usage
The script above is not safe, as it contains the very 1Password password that you were sworn to protect.
In the diagram below we show how we can isolate the generation of opsession from its usage (and ultimate destruction).
In the above,
A. An administrator / keeper of keys can generate an opsession locally.
B. The admin can securely transfer the opsession to the appropriate build environment.
C. All your build scripts can now securely interact with op without ever having to ask a real person for a secret.
D. When the build script is done, you can delete your opsession, completely removing any trace of those very secret secrets.
A major benefit of the above is that once the opsession is seeded into your (secure) build environment, you can completely automate all your secret needs.
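The lifecycle in steps A to D, as an added example that is not one of the article's scripts. It shows the shape of what the admin and the build host each run so that only the 30-minute session token, never the master password or Secret Key, reaches the build environment. It assumes 1Password CLI v1 conventions (my is the sign-in shorthand from my.1password.com, and op reads the token from the OP_SESSION_my environment variable); the build host name in the comment is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Added example, not one of the article's scripts: the opsession lifecycle in
# steps A to D, where only the 30-minute session token reaches the build host.
# Assumes 1Password CLI v1 conventions ("my" is the sign-in shorthand from
# my.1password.com and op reads the token from OP_SESSION_my); the host name
# in the comment below is a constructed placeholder.
set -eu

# Steps A and B, run by the admin: generate the token locally and stream it
# straight into a 0600 file on the build host, never via argv, chat or email.
#   ./opsession | ssh build.example.internal 'umask 077; cat > ~/.opsession'

# Store the token read from stdin in $1 with mode 0600.
session_store() {
  local file=$1
  ( umask 077; cat > "$file" )
  chmod 600 "$file"
}

# Print the token from $1. Refuse files other users can read and files older
# than 30 minutes: op would reject the expired token anyway, and failing here
# gives the build a clear error instead of a confusing one from op.
session_load() {
  local file=$1 mode mtime age
  mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
  if [ "$mode" != "600" ]; then
    echo "session_load: $file has mode $mode, expected 600" >&2
    return 1
  fi
  mtime=$(stat -c %Y "$file" 2>/dev/null || stat -f %m "$file")
  age=$(( $(date +%s) - mtime ))
  if [ "$age" -ge 1800 ]; then
    echo "session_load: $file is ${age}s old, token has expired" >&2
    return 1
  fi
  tr -d '\n' < "$file"
}

# Step C: a build step uses the token without ever seeing a password.
build_with_op() {
  OP_SESSION_my=$(session_load "$1")
  export OP_SESSION_my
  op list vaults   # any op command; the session is picked up from the environment
}

# Step D: end the session server-side when op is available, then overwrite and
# remove the file. Overwriting is best effort on SSDs and journaled
# filesystems; the real backstop is the 30-minute expiry.
session_destroy() {
  local file=$1
  [ -e "$file" ] || return 0
  if command -v op >/dev/null 2>&1; then
    OP_SESSION_my=$(tr -d '\n' < "$file") op signout >/dev/null 2>&1 || true
  fi
  head -c 64 /dev/urandom > "$file"
  rm -f "$file"
}
```

The mode and age checks in session_load are the practical difference from simply cat-ing the file: a token copied onto a shared host with the wrong umask, or left behind from yesterday's build, fails loudly rather than silently working for whoever finds it.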
Warning, Warning, Protect that opsession
After some conversations with a colleague, Tom, he raised concerns about possibly being careless with the opsession file and accidentally exposing our 1Password account.
Indeed, we are trading increased levels of automation for increased security exposure, as our opsession contains all the necessary ingredients to access your 1Password account. For small teams (or solo-preneurs) that's fine, but within an organization the exposure from carelessness is not worth it.
To avoid sharing that information directly, you can instead just share the 30-minute token as discussed here. By just sharing the token, your build server is now
Code Generator for opsession
Let's take our automation one step further and securely generate that opsession file for you.
We use read -p to collect information from the admin user about their 1Password setup, and can even mask the password using read -s -p. We make this file accessible only to the current user with chmod 700 opsession.
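An added example, not the article's own opsession or generator script, covering both this section (generating opsession for the admin) and the earlier "Bootstrap 1Password Session with Expect" section (driving op signin with expect and extracting the token). It assumes 1Password CLI v1 behaviour: op signin <subdomain> <email> <secret-key> prompts for the master password and prints a line of the form export OP_SESSION_<subdomain>="<token>" (or just the token with --raw). The placeholder values are the ones from the table above. It deliberately departs from the article's script in one way: the generated file does not contain the master password, which is read from the OP_PASSWORD environment variable at run time, so the "it contains the very password you were sworn to protect" problem goes away (the Secret Key is still in the file, so it still needs mode 700 and must stay out of version control).

```shell
#!/usr/bin/env bash
# Added example, not the article's own opsession or generator scripts. It
# covers this section (generating opsession for the admin) and the expect
# bootstrap section above (driving "op signin" and extracting the token).
# Assumes 1Password CLI v1: "op signin <subdomain> <email> <secret-key>"
# prompts for the master password and prints
#   export OP_SESSION_<subdomain>="<token>"
# (or the bare token with --raw). The password is deliberately NOT written
# into the generated file; it is read from OP_PASSWORD when the script runs.
set -eu

# Read op signin output on stdin and print just the session token.
opsession_extract() {
  awk '
    /^export OP_SESSION_/ {
      sub(/^export OP_SESSION_[^=]*="/, ""); sub(/".*$/, ""); print; exit
    }
    length($0) >= 40 && $0 ~ /^[A-Za-z0-9_-]+$/ { print; exit }
  '
}

# Write an expect script to $1 (mode 0700) for the given sign-in details.
# The file still holds the Secret Key, so treat it like a private key.
opsession_generate() {
  local out=$1 subdomain=$2 email=$3 secret_key=$4
  ( umask 077; cat > "$out" <<EOF
#!/usr/bin/expect -f
# generated by opsession_generate; keep out of git and shared disks
set timeout 30
if {![info exists env(OP_PASSWORD)]} {
    puts stderr "OP_PASSWORD is not set"
    exit 1
}
spawn op signin $subdomain $email $secret_key
expect -re {[Pp]assword.*:}
send -- "\$env(OP_PASSWORD)\r"
expect eof
EOF
  )
  chmod 700 "$out"
}

# Interactive front end in the spirit of the article's read -p / read -s -p
# flow: the Secret Key is typed without echo and never lands in a process
# argument list, where ps would show it to every user on the machine.
opsession_wizard() {
  local out=${1:-opsession} subdomain email secret_key
  read -r -p "Sign-in subdomain (the my in my.1password.com): " subdomain
  read -r -p "Email: " email
  read -r -s -p "Secret Key: " secret_key; echo
  opsession_generate "$out" "$subdomain" "$email" "$secret_key"
  echo "wrote $out; run it as:  OP_PASSWORD=... ./$out | opsession_extract"
}
```

To get a token for the current shell with these pieces, the admin runs something like read -r -s -p 'Master password: ' OP_PASSWORD; export OP_PASSWORD; export OP_SESSION_my=$(./opsession | opsession_extract), and then unset OP_PASSWORD. From there op list vaults works without any further prompts, and the only artifact worth shipping to a build host is the value of OP_SESSION_my.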
And here we are: a few additional scripts later, we have a relatively straightforward way to automate our scripts while also keeping passwords out of those scripts (and out of our repositories).