Reuse a session token from environment, not from command line
The `op signin` command has an immensely useful functionality:
You can use the `--session` option with the `signin` command to reuse an active token or to test whether a session has expired. This may be useful when writing scripts that use the command-line tool. If the session is active, the tool will use it and return the same token. If the session is expired, you’ll have to sign in again.
However, as Michael pointed out in https://1password.community/discussion/123986/command-line-tool-v1-12-2-op-create-item-template-file-json, it is insecure to provide secrets on the command-line. For example, in shared and cloud environments there's a risk of other users seeing the session token through `ps` or the token making its way to audit logs.
With that in mind, it would be fantastic if the token reuse functionality was usable with the session token in an environmental variable. I see two possible approaches:
1. Change the default behavior of `op signin` (without the `--session` parameter) to reuse the existing session token by default. Add a new parameter, e.g. `--new-session`, to force a new sign-in.
2. Leave the current default behavior as it is, add a `--reuse` parameter to tell the CLI to try reusing the token from env.
Best regards,
Kamil Domański
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Comments
-
If I understand your question correctly, `op` already does this. E.g., in a bash, zsh, or similar environment, do:

```
$ eval $(op signin)
```

Then your session token is exported as an environment variable and is reused automatically (until it expires).
I suspect there are similar invocations for Windows and other shells.
Cheers,
Zach
-
@zcutlip is right.
All `op signin` does is print this:

```
export OP_SESSION_<account shorthand>=<session token>
```

When evaluated, it stores that environment variable for you for next invocations of 1Password CLI commands.
You can find the shorthand of your account using `op signin --list`.

PS: You're also right about there being a Windows equivalent, it's `Invoke-Expression $(op signin)`
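
The concern from the original post and the environment-variable approach from the replies, compared in an added example that is not part of the thread: on Linux, `ps` reads `/proc/<pid>/cmdline`, which is world-readable, while `/proc/<pid>/environ` is readable only by the process owner and root. The token value, the `stand-in` child process and the `example` account shorthand are constructed placeholders.

```shell
#!/usr/bin/env bash
# Linux-only sketch: how a secret is exposed via argv versus the environment.
TOKEN="constructed-placeholder-token"   # constructed value, not a real token

# Start a stand-in child that holds TOKEN either as an argument ("arg") or in
# an environment variable ("env"), and print its PID. The trailing "exit 0"
# keeps sh from exec'ing sleep directly and discarding its own argv.
spawn() {
    if [ "$1" = arg ]; then
        sh -c 'sleep 5; exit 0' stand-in --session "$TOKEN" >/dev/null 2>&1 &
    else
        OP_SESSION_example="$TOKEN" sh -c 'sleep 5; exit 0' stand-in >/dev/null 2>&1 &
    fi
    echo $!
}

# Print "exposed" if TOKEN appears in the child's cmdline (the data ps shows),
# otherwise "hidden".
probe() {
    p_pid=$(spawn "$1")
    p_tries=0
    # Until the child exec's sh, its cmdline is still a copy of this shell's.
    while cmp -s "/proc/$p_pid/cmdline" "/proc/$$/cmdline"; do
        p_tries=$((p_tries + 1))
        [ "$p_tries" -gt 50 ] && break
        sleep 0.1
    done
    p_result=hidden
    if tr '\0' ' ' < "/proc/$p_pid/cmdline" | grep -qF -- "$TOKEN"; then
        p_result=exposed
    fi
    kill "$p_pid" 2>/dev/null || true
    echo "$p_result"
}

# Print the permission bits of one of this shell's /proc entries.
proc_mode() { stat -c %a "/proc/$$/$1"; }

printf 'token passed as argument:    %s\n' "$(probe arg)"
printf 'token passed in environment: %s\n' "$(probe env)"
printf 'mode of /proc/<pid>/cmdline: %s\n' "$(proc_mode cmdline)"
printf 'mode of /proc/<pid>/environ: %s\n' "$(proc_mode environ)"
```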