Restrict Access for Command Line Tool [feature request]

Thomas, Junior Member

I would appreciate being able, when using the 1PW command line utility, to give it access only to a certain vault.

Use case: While developing, I'd like to store my individual AWS access key credentials (for ENV vars) in a certain Vault, so I can programmatically fetch them via command line from 1Password. But for security reasons, the CLI tool shouldn't have access to other data like my Google/Apple web signin credentials, etc.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: OSX
Sync Type: iCloud
Referrer: forum-search:command line


  • Have you tried using Secrets Automation? It sounds like it would do exactly what you want (although it does mean running a connect server in something like Docker, but it's quite lightweight).

  • Thomas, Junior Member

    I did, but it's far too heavyweight for just a simple command line thing.

  • ag_yaron

    Team Member
    edited July 14

    Hey @Thomas,

    As @JohnnySheppardIsode mentioned, Secrets Automation does what you are trying to achieve here. The CLI was not meant to manage unique permissions. It just logs into your 1Password account with your credentials and that's about it. The CLI's purpose is to give users the ability to write their own scripts and workflows to read/write/modify data from their 1Password account - not to enforce permissions or policies :)

    Thanks for the feedback and feature request though, I'll pass it on.

  • Thomas, Junior Member

    @ag_yaron Maybe as a last comment to better describe my use case: the problem is not only the heavyweightness of a Docker container having to be installed, but also the non-personalization of the vaults when using Secrets Automation.

    Use case: You have an AWS account where every developer has, per company policy, their own AWS API Key Credentials. What I want to do is to avoid that every developer saves those credentials into some file like ~/ which can be easily grabbed by anyone. I'd rather prefer that an environment variable like AWS_SECRET_ACCOUNT_KEY can be set by a shell command but only if 1Password is unlocked.

    Secrets Automation is, as far as I understand it, not suitable for that, as I need to create a vault with a key that everybody has access to.

  • simon_1P

    Team Member

    Hi @Thomas, with Secrets Automation you can create as many tokens as you'll need. In your use case, each developer could have their own vault containing AWS API key credentials for just them. For each developer, you can issue a connect token with access to just the vault containing the AWS API key credentials for a single developer.

    You can read more about how to issue tokens here:

  • Thomas, Junior Member

    @simon_1P So you don't have a problem when we open 20 vaults just containing one or two items each? Thanks for clarifying, then I'll move forward in that direction.

  • There is a cost implication though, isn't there (unless I've misunderstood the costs for credits/tokens)? You'll need a credit for each of those API tokens and you only get 3 for free, don't you?

    That may not be a problem, but it's surely something that needs to be considered.

  • simon_1P

    Team Member

    @Thomas You are correct. I don't see any problems with creating 20 vaults containing one or two items each.

    @johnnysheppard is correct that the number of vaults a Connect server has access to does impact Secrets Automation pricing. For 25 vaults you're looking at $29/month. You can find all available tiers here:
