Tooling to expose 1Password entries as environment variables for specific commands

balupton
Community Member

The Dorothy dotfile ecosystem provides a secret command, which interfaces with the 1Password CLI, to do such things as secret get and secret env -- command to grab your secrets only when they are needed, and expose them only to the command that needs them. This is much more secure than exposing your secrets to your environment, which is commonly sent to a server when malicious software runs.

I use it all the time. Relevant links:

My .dorothy/user/secrets/secrets.json file looks like so:

{
  "DISCOURSE_BEVRY_SERVER": ["personal", "bevry discourse", "server"],
  "DISCOURSE_BEVRY_ROOT": ["personal", "bevry discourse", "root"],
  "DISCOURSE_BEVRY_SSH": ["personal", "ssh keys", "bevry discourse"],
  "SCALEWAY_SSH": ["personal", "ssh keys", "scaleway"]
}

Which I use like so:

secret get DISCOURSE_BEVRY_ROOT DISCOURSE_BEVRY_SSH SCALEWAY_SSH
secret env DISCOURSE_BEVRY_SERVER -- ssh 'root@$DISCOURSE_BEVRY_SERVER'

You can create your own configuration file by writing .dorothy/user/secrets/secrets.json directly, or by using:

secret map <environment variable name> <vault name> <item name> <field name>
# e.g. for my configuration file earlier, I would configure the database like so
secret map DISCOURSE_BEVRY_SERVER personal 'bevry discourse' server
secret map DISCOURSE_BEVRY_ROOT personal 'bevry discourse' root
secret map DISCOURSE_BEVRY_SSH personal 'ssh keys' 'bevry discourse'
secret map SCALEWAY_SSH personal 'ssh keys' scaleway

You may be able to trial it standalone (without setting up Dorothy) by running:

bash --rcfile <(curl -fsSL https://dorothy.bevry.workers.dev)
secret ...

Let me know your thoughts and suggestions.


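The scoped-exposure pattern the post describes (secret env VAR -- command), as an added example that is not Dorothy's code: fetch_secret is a constructed stand-in for the 1Password CLI lookup, and the vault/item/field names and sample values are modelled on the secrets.json above.

```bash
#!/usr/bin/env bash
# Added example, not Dorothy's implementation. It shows why `secret env VAR -- command`
# is safer than `export VAR=...`: the child process receives the secret, while the
# calling shell (and anything it launches later) never has it in its environment.

# Constructed stand-in for the 1Password CLI lookup: vault, item, field -> value.
fetch_secret() {
  case "$1/$2/$3" in
    "personal/bevry discourse/server") printf '%s' 'discourse.example.invalid' ;;
    "personal/bevry discourse/root")   printf '%s' 'sample-root-password' ;;
    *) return 1 ;;   # unknown mapping: fail closed, run nothing
  esac
}

# with_secret NAME VAULT ITEM FIELD -- COMMAND [ARGS...]
# Resolves the secret and runs COMMAND with NAME set only in that child's environment.
# A quoted '$NAME' in COMMAND's arguments, as in the post's ssh example, expands inside
# the child shell, never in the caller.
with_secret() {
  local name="$1" vault="$2" item="$3" field="$4"
  shift 4
  [ "$1" = "--" ] && shift
  local value
  value="$(fetch_secret "$vault" "$item" "$field")" || return 2
  # `env` builds a fresh environment for the child; no `export` happens here.
  env "$name=$value" "$@"
}

# Demonstrates the isolation: the child can read the variable, the caller cannot.
demo() {
  local seen
  seen="$(with_secret DISCOURSE_BEVRY_SERVER personal 'bevry discourse' server -- \
          sh -c 'printf %s "$DISCOURSE_BEVRY_SERVER"')"
  printf '%s|%s\n' "$seen" "${DISCOURSE_BEVRY_SERVER:-unset}"
}
```

Running demo prints the value the child saw, then "unset" for the calling shell, which is the property the post relies on.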

Comments

  • Hey @balupton, this looks like a really neat way to limit access and exposure to your secrets!

    Thanks for sharing! I hope that people from the community find this interesting and helpful.
