Vault creation in a pipeline

keram
keram
Community Member

Hello,

I have a pipeline creating a few things. I'd like to add creation of a vault, too. The user I'm using for vault creation has been added to group with permission to create vaults ("Create Vaults") and nothing else.

vault_name="example-vault-name"
session_token="obtained-earlier"
op create vault "$vault_name" --allow-admins-to-manage true --account my-account --session $session_token

This works fine. However, the idea is that the user used in the pipeline should NOT have access to the vault contents. After a while the vault will be populated with sensitive data (access to individual users will be granted later manually) and I'd rather not have access to these.

Any suggestions? I do not want to elevate permissions of the user in the pipeline just to remove its own access to the newly created vault (I assume this would work).

I looked at secrets automation, too. Either I missed it or it's impossible to create vaults there.


1Password Version: 1.11.2
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • ag_yaron
    ag_yaron
    1Password Alumni

    Hey @keram ,

    If you use the CLI to remove the user that created the vault, I think that should accomplish what you're trying to do.
    It would look similar to this:

    vault_name="example-vault-name"
    session_token="obtained-earlier"
    current_user="user ID or username of user used in pipeline"
    
    vault_id=$(op create vault "$vault_name" --allow-admins-to-manage true --session $session_token | jq -r '.uuid')
    op remove user "$current_user" $vault_id --account my-account --session $session_token
    

    Once the user that created the vault is removed, only the admin and the owner groups would remain with sufficient permissions to view and edit the vault.
    Does that help?

  • keram
    keram
    Community Member

    Hey @ag_yaron ,

    Works like a charm. For some reason I assumed I'd need to elevate this users' permissions to do this operation and did not even try this myself even though I had considered it. Of course it's not the case and the above code solves my problems for now.

    Thank you.

  • ag_ana
    ag_ana
    1Password Alumni

    On behalf of Yaron, you are welcome @keram! If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

This discussion has been closed.