Can I use CLI 2.0 on external machines (like Raspberry Pi)?
Is it already possible to use op on external machines (instead of your development Mac/PC)?
If not, do you have a roadmap for that?
I'd love to use the 1Password CLI instead of dotenv for (Node.js based) services running on my Raspberry Pi!
1Password Version: 1Password CLI 2.0.0
Extension Version: n/a
OS Version: Raspberry Pi OS
Comments
-
Does it support the arm build?
0 -
PS: forgot to mention that I run these machines headless and I use SSH (and the 1Password SSH agent) to access them.
0 -
Hey @XIII ,
op will run on Raspberry Pi! You can install them over ssh with the curl and mv commands. If you need an example, we have a 1 liner script at the bottom of the linux .zip section in the installation docs!
Hey @MatthewPackwoodJR,
Yes the arm build should work but please do not hesitate to let us know here if you run into any issues.
0 -
op will run on Raspberry Pi! You can install them over ssh with the curl and mv commands
Planning to experiment with that.
But what about signing in?
It's a headless Pi with no Biometric unlock. Do I need Secret Automation or is that overkill for what I want?
(run Node.js scripts from systems services)
0 -
You can still sign in using a terminal "the old way" by entering your sign-in address and credentials, check out this guide on how to use op account add and op signin --account ACCOUNT.
Hope this fits your use case, but if not, let us know. Connect (Secrets Automation) may just be the way to go in that case.
0 -
It works when manually signing in and then executing a Node.js script, on the command line (which is nice!), but (as expected) not when running the script as a service.
So I'm afraid I have to dive in to Connect...
0 -
I read the documentation earlier today and was super confused, but I seem to have it running as a "proof of concept".
Never used Docker on my Pi before, so I have some things to investigate (like how to automatically start the 1Password containers at boot).
Some 1Password Connect specific questions (if I may post them here):
- Should the 1password-credentials.json file be permanently saved on my Pi, because it is used in the YAML template?
- Is this safe?
- I'm confused about the pricing: does 1 token for 1 vault count as 1 of the 3 free credits? (I subscribe to 1Password for Families)
- What's the best practice for storing the Automation Access Token on the Pi?
0 -
It works when manually signing in and then executing a Node.js script, on the command line (which is nice!), but (as expected) not when running the script as a service.
Before you dive in to Connect, note that it is possible to "script" a manual signin command non-interactively as well.
Once the account has already been manually added to the device via op account add, then:
eval $(echo <password> | op signin --account <shorthand>)
would work.
0 -
Once the account has already been manually added to the device via op account add, then: eval $(echo <password> | op signin --account <shorthand>) would work.
Maybe I misunderstand, but wouldn't that defeat the entire purpose?
Instead of the password of one specific service I would now have to store the key to my kingdom (1Password master password) on the Pi?
Additionally I like the fact that I can limit access to a very small subset of credentials when using Connect. And it is fun to learn more about this too...
Can you please answer my previous questions?
0 -
Maybe I misunderstand, but wouldn't that defeat the entire purpose?
You are right, and this is the reason why we don't endorse this method of signing in.
Can you please answer my previous questions?
Absolutely, I actually pinged some colleagues that are more familiar with Connect to help answer those earlier so please hang tight!
0 -
Hey @XIII ,
Just following up with the answers to your original questions about Connect:
Should the 1password-credentials.json file be permanently saved on my Pi, because it is used in the YAML template?
1password-credentials.json with the standard docker-compose file, should always be there, because it is mounted as a volume. Alternatively, you could copy the file in the containers, instead of mounting it as a volume, and then you'd only need it when starting up Connect.
Is this safe?
I think this doc about Connect security can answer this one.
I'm confused about the pricing: does 1 token for 1 vault count as 1 of the 3 free credits? (I subscribe to 1Password for Families)
The credits represent the number of vaults that are accessed with Secrets Automation.
Here are a couple of examples:
- 3 access tokens that access 1 vault -> 1 credit
- 3 access tokens, 1 for vault A, 2 for vault B -> 2 credits
- 3 access tokens for 3 different vaults -> 3 credits
- 1 access token that can access 3 vaults -> 3 credits
- 2 access tokens, 1 can access vaults A and B, 1 only vault B -> 2 credits
- 2 access tokens, 1 can access vaults A and B, 1 vaults B and C -> 3 credits
What's the best practice for storing the Automation Access Token on the Pi?
I personally always store them as environment variables, only within the session where I make Connect requests (i.e. I never put it in my profile, to have it exported globally). However, I don't think we have ever given exact guidelines towards good practices here, and I've always only used Connect for testing purposes, so ymmv.
0 -
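As an added example (not part of the thread and not 1Password's own code), one way to keep the token out of a shell profile on the Pi is a POSIX sh wrapper that reads it from an owner-only file and exports it to a single child process. The file path, function names and server.js are hypothetical, and OP_CONNECT_TOKEN is assumed to be the variable the service reads.

```shell
#!/bin/sh
# Added example: hand a Connect access token to one process only.
# Function names and the paths in the usage line are hypothetical.

# Succeeds only if $1 is a regular, non-symlink file with no group/other access.
token_file_is_private() {
    file=$1
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$file" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Usage: run_with_connect_token TOKEN_FILE COMMAND [ARGS...]
run_with_connect_token() {
    file=$1
    shift
    if ! token_file_is_private "$file"; then
        echo "refusing $file: need a regular file with mode 600 or stricter" >&2
        return 1
    fi
    # The subshell confines the variable: the calling shell never holds the
    # token, and it is not exported into the rest of the session.
    (
        OP_CONNECT_TOKEN=$(cat -- "$file") || exit 1
        [ -n "$OP_CONNECT_TOKEN" ] || { echo "token file is empty" >&2; exit 1; }
        export OP_CONNECT_TOKEN
        "$@"
    )
}

# Example call (hypothetical paths):
#   run_with_connect_token /home/pi/.config/connect/token node server.js
```

The token is still readable by anything running as the same user or as root, so the file check only guards against other local accounts and accidental loosening of permissions.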
Thank you! I'm going to experiment a bit more... Fun stuff!
0 -
Hey @XIII
My initial statement about Connect credits was incorrect, and I just wanted to make a correction.
I'm confused about the pricing: does 1 token for 1 vault count as 1 of the 3 free credits? (I subscribe to 1Password for Families)
This is based on the total number of vaults that all active tokens have access to.
This means that multiple tokens that access the same vault add up, which in my previous statement was not the case.
So here's my correction of the examples I provided:
- 3 access tokens that access 1 vault -> ~~1 credit~~ 3 credits
- 3 access tokens, 1 for vault A, 2 for vault B -> ~~2 credits~~ 3 credits
- 3 access tokens for 3 different vaults -> 3 credits
- 1 access token that can access 3 vaults -> 3 credits
- 2 access tokens, 1 can access vaults A and B, 1 only vault B -> ~~2 credits~~ 3 credits
- 2 access tokens, 1 can access vaults A and B, 1 vaults B and C -> ~~3 credits~~ 4 credits
0 -
Luckily I only tried 2 tokens for 1 vault so far, so no charges yet.
Was hoping I could eventually use a unique token for every device (using a single vault), but that's no longer possible with this correction... 😢 (having more than 3 devices)
0 -
Glad this got sorted out! Is there anything else we can help with here, XIII?
0 -
Not specific to this topic…
(See other posts)
0 -
I think we're (almost) all caught up, haha! Please do let us know if you require our attention on any particular topic out of those that you have opened.
Best,
Horia
0