Restrict Access for Command Line Tool [feature request]

Thomas
Community Member

I would appreciate being able, when using the 1PW command line utility, to give it access to only a certain vault.

Use case: While developing, I'd like to store my individual AWS access key credentials (for ENV vars) in a certain vault, so I can programmatically fetch them via the command line from 1Password. But for security reasons, the CLI tool shouldn't have access to other data like my Google/Apple web sign-in credentials, etc.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: OSX
Sync Type: iCloud
Referrer: forum-search:command line

Comments

  • JohnnySheppardIsode
    Community Member

    Have you tried using Secrets Automation? https://support.1password.com/secrets-automation/ It sounds like it would do exactly what you want (although it does mean running a Connect server in something like Docker, but it's quite lightweight).

  • Thomas
    Community Member

    I did, but it's far too heavyweight for just a simple command line thing.

  • ag_yaron
    1Password Alumni
    edited July 2021

    Hey @Thomas ,

    As @JohnnySheppardIsode mentioned, Secrets Automation does what you are trying to achieve here. The CLI was not meant to manage unique permissions. It just logs into your 1Password account with your credentials, and that's about it. The CLI's purpose is to give users the ability to write their own scripts and workflows to read/write/modify data in their 1Password account, not to enforce permissions or policies :)

    Thanks for the feedback and feature request though, I'll pass it on.

  • Thomas
    Community Member

    @ag_yaron Maybe as a last comment to better describe my use case: the problem is not only the heavyweightness of a Docker container that has to be installed, but also the non-personalization of the vaults when using Secrets Automation.

    Use case: You have an AWS account where every developer has, per company policy, their own AWS API key credentials. What I want to do is avoid every developer saving those credentials into some file like ~/aws-env.sh, which can be easily grabbed by anyone. I'd much rather have an environment variable like AWS_SECRET_ACCOUNT_KEY be set by a shell command, but only if 1Password is unlocked.

    Secrets Automation is, as far as I understand it, not suitable for that, as I would need to create a vault with a key that everybody has access to.
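The "set the variable from a shell command, but only if 1Password is unlocked, and never via a file on disk" workflow described in the post above, as an added example that is not from the thread or from 1Password. It assumes the 1Password CLI 2.x (`op`) is installed and signed in, and that `op read` and `op whoami` behave as documented; the vault, item and field names passed in are placeholders chosen for the example, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): export AWS credentials from a 1Password
# item into the current shell session without writing them to any file.
# Assumes 1Password CLI 2.x ("op") is installed. Vault/item/field names are
# placeholders supplied by the caller, not values from the thread.

# Build an op:// secret reference from vault, item and field. A "/" inside any
# component would be parsed as an extra path segment, so such input is rejected.
op_ref() {
  case "$1$2$3" in
    */*) return 1 ;;
  esac
  printf 'op://%s/%s/%s\n' "$1" "$2" "$3"
}

# Succeeds only when the CLI is installed and has an unlocked session
# ("op whoami" fails when signed out or locked).
op_unlocked() {
  command -v op >/dev/null 2>&1 || return 1
  op whoami >/dev/null 2>&1
}

# Source this file, then run e.g.:  load_aws_env "Dev - Alice" "AWS key"
# Exports AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY only if 1Password is
# unlocked; on failure nothing is exported and a message goes to stderr.
# Field labels below ("access_key_id", "secret_access_key") are assumed to
# match the item; adjust them to the item's real field labels.
load_aws_env() {
  vault=$1
  item=$2
  op_unlocked || { echo "1Password is locked or unavailable; not exporting credentials" >&2; return 1; }
  id_ref=$(op_ref "$vault" "$item" "access_key_id") || return 1
  secret_ref=$(op_ref "$vault" "$item" "secret_access_key") || return 1
  AWS_ACCESS_KEY_ID=$(op read "$id_ref") || return 1
  AWS_SECRET_ACCESS_KEY=$(op read "$secret_ref") || return 1
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
}
```

Because the secrets only ever exist in the shell's environment, there is no ~/aws-env.sh to copy; the CLI still has whatever access the signed-in account has, which is exactly the limitation the thread is about.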

  • Hi @Thomas, with Secrets Automation you can create as many tokens as you'll need. In your use case, each developer could have their own vault containing AWS API key credentials for just them. For each developer, you can issue a connect token with access to just the vault containing the AWS API key credentials for a single developer.

    You can read more about how to issue tokens here: https://support.1password.com/connect-deploy-kubernetes/#appendix-issue-additional-access-tokens.

  • Thomas
    Community Member

    @simon_1P So you don't have a problem when we open 20 vaults just containing one or two items each? Thanks for clarifying, then I'll move forward in that direction.

  • johnnysheppard
    Community Member

    There is a cost implication though, isn't there (unless I've misunderstood the costs for credits/tokens)? You'll need a credit for each of those API tokens, and you only get 3 for free, don't you?

    That may not be a problem, but it's surely something that needs to be considered.

  • @Thomas You are correct. I don't see any problems with creating 20 vaults containing one or two items each.

    @johnnysheppard is correct that the number of vaults a Connect server has access to does impact Secrets Automation pricing. For 25 vaults you're looking at $29/month. You can find all available tiers here: https://1password.com/secrets/#pricing

This discussion has been closed.