thanks for building the CLI

rhornsby

Was only vaguely aware there was a CLI version of 1P until recently.

Most of the AWS accounts I deal with only require MFA for the web console login, not for API/SDK credentials. A few weeks ago I was given a new account to work with that has MFA turned on for both. I thought it was going to be a huge pain, and it would be easier: can we please just turn off MFA for the access_key+secret_key auth?

I started digging into the AWS docs, and looking at how to deal with the OTP that lives in 1P. Obviously, there's no reasonable way to write a useful script, or use tools like Terraform, when faced with an MFA that

  • is demanded every time you run your script or do a simple terraform plan
  • can't be reused (i.e., in the same minute)
  • changes every minute
  • has to be fetched by digging around in a GUI tool (probably unlocking, searching, locating the correct item), copied, then pasted into the shell

Turns out the 1P CLI tool is pretty dang easy to work with. It's probably the least complicated part of my aws-mfa-login shell script. It checks for a valid session, gets the TOTP (asks for 1P password), fetches the tokens from AWS and caches them. AWS limits the cached token's validity to 36 hours, but that's more than enough. Next time, just run aws-mfa-login - the only thing needed is to respond to the 1P vault password prompt about once/day. Surprisingly straightforward.

I'm sure the CLI (and Linux versions) only see a tiny fraction of the usage of their desktop counterparts, but dang has the CLI made my job way easier. Hope you guys know the effort is appreciated and hasn't been for nothing.

--

Sidenote: one of the things I learned from this is that your ~/.aws/config will happily store arbitrary key/value pairs. This means you can have your 1P item uuid with the aws credential profile, so that it's available to be given to the 1P CLI in a script automagically.


1Password Version: 1.12.3 CLI
Extension Version: Not Provided
OS Version: macOS 11.5.2
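
A sketch of the flow described in the post above, added here as an example and not the poster's own script: look up the 1Password item UUID stored alongside the AWS profile, reuse a cached session while it is valid, otherwise fetch a TOTP and request a 36-hour session. The key name `op_item_uuid`, the use of `mfa_serial` for the MFA device ARN, and the cache file paths are assumptions; `op get totp` is the 1Password CLI v1 syntax matching the version listed above.

```shell
#!/bin/sh
# Added example, not the poster's script. "op_item_uuid" is a made-up key name;
# the cache file paths are assumptions too.

# profile_get FILE PROFILE KEY: print KEY's value from that profile's section.
profile_get() {
  awk -v want="$2" -v key="$3" '
    /^\[/ { name = $0; sub(/^\[/, "", name); sub(/\].*$/, "", name)
            sub(/^profile[ \t]+/, "", name); active = (name == want); next }
    active { i = index($0, "="); if (i == 0) next
             k = substr($0, 1, i - 1); v = substr($0, i + 1)
             gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
             if (k == key) { print v; exit } }' "$1"
}

# session_valid EXPIRY NOW: true if the cached session has over 5 minutes left.
session_valid() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -gt $(( $2 + 300 )) ]
}

# aws_mfa_login PROFILE: reuse the cached session, or mint one with a fresh TOTP.
# Needs a signed-in 1Password CLI v1 session (op signin) and the aws CLI.
aws_mfa_login() {
  profile=$1
  cfg=${AWS_CONFIG_FILE:-$HOME/.aws/config}
  cache=$HOME/.aws/mfa-session-$profile
  now=$(date +%s)
  if session_valid "$(cat "$cache.expiry" 2>/dev/null)" "$now"; then
    echo "cached session for $profile still valid" >&2; return 0
  fi
  uuid=$(profile_get "$cfg" "$profile" op_item_uuid)
  serial=$(profile_get "$cfg" "$profile" mfa_serial)
  if [ -z "$uuid" ] || [ -z "$serial" ]; then
    echo "profile $profile lacks op_item_uuid or mfa_serial" >&2; return 1
  fi
  code=$(op get totp "$uuid") || return 1
  # Session credentials are bearer secrets: keep the cache owner-readable only.
  ( umask 077
    aws sts get-session-token --profile "$profile" --serial-number "$serial" \
      --token-code "$code" --duration-seconds 129600 --output json \
      > "$cache.tmp" && mv "$cache.tmp" "$cache.json" ) || return 1
  echo $(( now + 129600 )) > "$cache.expiry"
}
# Source this file, then run: aws_mfa_login work
```

Only the item UUID sits in `~/.aws/config`; the TOTP secret stays in the vault, while the cached session file holds live credentials for up to 36 hours and should be treated accordingly.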

Comments

  • Thank you for sharing your story @rhornsby! It's awesome to hear 1Password CLI is making your workflow easier.

    If there's anything more we can do, please let us know. We'd like to continue to improve the CLI experience and love to hear from our users. Thanks again for sharing your story! 💙
