Vault creation in a pipeline
Hello,
I have a pipeline creating a few things. I'd like to add creation of a vault, too. The user I'm using for vault creation has been added to a group with permission to create vaults ("Create Vaults") and nothing else.
vault_name="example-vault-name"
session_token="obtained-earlier"
op create vault "$vault_name" --allow-admins-to-manage true --account my-account --session "$session_token"
This works fine. However, the idea is that the user used in the pipeline should NOT have access to the vault contents. After a while the vault will be populated with sensitive data (access to individual users will be granted later manually) and I'd rather not have access to these.
Any suggestions? I do not want to elevate permissions of the user in the pipeline just to remove its own access to the newly created vault (I assume this would work).
I looked at secrets automation, too. Either I missed it or it's impossible to create vaults there.
1Password Version: 1.11.2
Comments
Hey @keram,
If you use the CLI to remove the user that created the vault, I think that should accomplish what you're trying to do.
It would look similar to this:
vault_name="example-vault-name"
session_token="obtained-earlier"
current_user="user ID or username of user used in pipeline"
vault_id=$(op create vault "$vault_name" --allow-admins-to-manage true --session "$session_token" | jq -r '.uuid')
op remove user "$current_user" "$vault_id" --account my-account --session "$session_token"
Once the user that created the vault is removed, only the admin and the owner groups would remain with sufficient permissions to view and edit the vault.
Does that help?
Hey @ag_yaron,
Works like a charm. For some reason I assumed I'd need to elevate this user's permissions to do this operation and did not even try this myself even though I had considered it. Of course it's not the case and the above code solves my problems for now.
Thank you.
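The create-then-remove sequence from this thread, wrapped so the pipeline fails closed if the self-removal does not take effect. This is an added example, not code posted by anyone in the thread; it assumes the 1Password CLI v1 syntax used above, jq on the PATH, and that "op get vault" exits non-zero for a vault the session cannot access. The function name is made up for the example.

```bash
# Added example, not code from the thread. Assumes 1Password CLI v1 syntax
# ("op create vault", "op remove user", "op get vault") and jq on PATH.
# create_vault_without_self is a name made up for this example.
create_vault_without_self() {
  local vault_name="$1" pipeline_user="$2" account="$3" session="$4"
  local vault_id

  # Create the vault and take its UUID from the JSON the CLI prints.
  vault_id=$(op create vault "$vault_name" --allow-admins-to-manage true \
    --account "$account" --session "$session" | jq -r '.uuid')
  if [ -z "$vault_id" ] || [ "$vault_id" = "null" ]; then
    echo "vault creation failed: no uuid returned" >&2
    return 1
  fi

  # Drop the creating user's access. If this fails, the pipeline identity
  # can still read the vault, so the job must stop here (exit code 2).
  if ! op remove user "$pipeline_user" "$vault_id" \
      --account "$account" --session "$session" >/dev/null; then
    echo "could not remove $pipeline_user from vault $vault_id" >&2
    return 2
  fi

  # Verify from the pipeline user's own session: reading the vault must now
  # be refused. Assumption: "op get vault" exits non-zero without access.
  if op get vault "$vault_id" --account "$account" --session "$session" \
      >/dev/null 2>&1; then
    echo "vault $vault_id is still readable by $pipeline_user" >&2
    return 3
  fi

  printf '%s\n' "$vault_id"   # hand the UUID to later pipeline steps
}

# Usage in a pipeline step (values are placeholders):
#   create_vault_without_self "example-vault-name" "pipeline-user" \
#     my-account "$session_token" || exit 1
```

A non-zero return should fail the job, so a vault the pipeline user can still read is never handed on to be populated with secrets.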