I was really excited late last year when 1Password announced that they had developed a CLI for their application.  Finally I had the ability to pull out passwords and time-based one-time passwords (TOTP) without having to go into the GUI and copy/paste.  As a bonus, they also released a Linux version of the CLI that allowed me to access my secure data from my bastion server.

Last night I was working on creating a new function to pull some data out of 1Password using the CLI and I thought I would share with you a few of the ways that I use the 1Password CLI tool.  You can find information on how to install the 1Password CLI tool and initially log into your 1Password account here.

Logging In

Once logged in to your 1Password account, the session will last for 30 minutes.  Most of the time I really don’t need to have a long-running session, but rather just to log in, pull out a password or TOTP, and then log out.  To do that, I have written two little functions to be able to log in and log out quickly.

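# Sign in only if this shell does not already hold a session token.
opon() {
  if [[ -z $OP_SESSION_accountname ]]; then
    eval "$(op signin accountname)"
  fi
}

# Sign out and drop the session token from this shell.
opoff() {
  op signout
  unset OP_SESSION_accountname
}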

The opon command checks whether the OP_SESSION_accountname variable is set (the accountname is the name of the vault that you signed in to) and, if it is not, runs the signin command.  The opoff command signs out of 1Password and then unsets OP_SESSION_accountname so that an expired session token doesn’t just sit around.

Getting Passwords

The simplest use for the 1Password CLI is for getting passwords from the command line.  This can be especially helpful with a couple of scripts that I have.  I use a function called getpwd that I pass the name of the item I want the password for and then use jq to parse the output to just get the password.

# Print the password field of the item named in $1.
getpwd() {
  opon
  op get item "$1" | jq -r '.details.fields[] | select(.designation=="password").value'
  opoff
}

Then I can use the functions in a script by setting a variable to the output, something like MY_PWD=$(getpwd "My Account").  The only caveat to putting it in a script is that you actually have to sign in to 1Password before running the script using the opon command, since you won’t be able to authenticate when creating the variable.

Storing and Using SSH Keys

Another useful function I have is for using SSH Keys.  I keep my primary key on my Yubikey, but I have a number of other keys for various reasons (AWS, GitHub, etc) and not all of them have passwords.  Rather than keep them stored locally, I put them in 1Password and then add them to SSH Agent as I need them.

# Load the private key stored in the item's notes field into ssh-agent.
sshkey() {
  opon
  op get item "acg-master" | jq -r '.details.notesPlain' | ssh-add -
  opoff
}

Once you are done, you can remove the key using the ssh-add -d $IDENTITY command.

Storing and Using API Tokens

Before the CLI I used to keep a file locally called .bash_secrets that would contain the various API tokens I would need to set for things like GitHub and Vault. While not the most secure means of managing them, it was convenient.  The CLI allowed me to get rid of that file and instead I can just add the tokens to their respective entries in 1Password.

For example, in my GitHub entry, I have a section I created called Tokens where I can store the tokens that I have created.  In that section I have an entry called “Personal Laptop”.  Whenever I need to run one of my scripts or something from the command line that requires my GIT_TOKEN variable to be set, I can just run gittoken first (or add it to the script) and then I can call the $GIT_TOKEN variable in the shell.

# Export the "Personal Laptop" token from the GitHub item as GIT_TOKEN.
gittoken() {
  opon
  export GIT_TOKEN="$(op get item "GitHub" | jq -r '.details.sections[] | select(.fields).fields[] | select(.t=="Personal Laptop").v')"
  opoff
}

Getting Time-based One Time Passwords

One of the first things that I started using the CLI for was to get time-based one time passwords for my AWS accounts for use with my aws-vault functions.  I have updated my setup a little bit since I wrote about it and now use a function to get my TOTPs from 1Password.

getmfa() {
  opon
  op get totp "$1"
  opoff
}
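
An added example, not the author's code: a wrapper that signs in from the calling shell, hands one secret to a single command through that command's environment instead of exporting it (as gittoken does) or capturing it with MY_PWD=$(getpwd ...), where the unset in opoff runs in a subshell and never reaches the calling shell, and then signs out and returns the command's exit status. with_op_secret and op_totp are hypothetical names; the op subcommands and the OP_SESSION_accountname variable are the ones used above, with accountname as a placeholder.

```bash
#!/usr/bin/env bash
# Added example. Assumes the op subcommands used on this page
# (signin, signout, get totp); "accountname" is a placeholder.

# Same behaviour as the page's opon/opoff, repeated so this block runs alone.
opon() {
  [ -n "${OP_SESSION_accountname:-}" ] || eval "$(op signin accountname)"
}
opoff() {
  op signout
  unset OP_SESSION_accountname
}

# Getter without sign-in/out wrapping (hypothetical helper name).
op_totp() { op get totp "$1"; }

# with_op_secret VAR GETTER ARG COMMAND...   (hypothetical helper name)
# Runs COMMAND with VAR set only in COMMAND's environment.
# Fails closed if the lookup fails or returns nothing, always signs out,
# and returns COMMAND's exit status rather than the status of "op signout".
with_op_secret() {
  local var="$1" getter="$2" arg="$3" value rc
  shift 3
  opon || return 1
  if value=$("$getter" "$arg") && [ -n "$value" ]; then
    rc=0
    # Export inside a subshell: the calling shell's environment is untouched.
    ( export "$var=$value"; "$@" ) || rc=$?
  else
    echo "with_op_secret: lookup of '$arg' failed" >&2
    rc=1
  fi
  opoff >/dev/null 2>&1
  return "$rc"
}

# Usage (item and command names are illustrative):
#   with_op_secret AWS_MFA op_totp "AWS" ./deploy.sh
```

Because with_op_secret is called directly rather than inside $(...), the sign-in and the unset both happen in the calling shell, so no stale OP_SESSION_accountname is left behind for the next opon to trust.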

Maybe More?

Those are the four main use cases that I have for the CLI right now.  I have experimented with using it to manage users and vaults and even adding entries, but I don’t see these as something I would be doing a lot from the command line (with the exception of adding SSH certificates, maybe).  I would like to see 1Password add the ability to generate new passwords from the CLI.  That would be helpful in a number of ways.