Possible to pass CLI on vm through to host?
Wondering if it's possible, been attempted, or known to not be possible at all, to somehow connect the CLI running in a vm or container to the host system. Specific use cases I'm thinking of are Linux nodes running on Windows via WSL1/2, and Docker dev containers running on any flavor of hosts. My thinking is that I'd like to not have to fully authorize these ephemeral systems, but instead install the CLI and have it benefit from the installation on my host OS, potentially including biometric security.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Comments
Hey @CHasenpflug1 ,
I have personally tested op running on Linux-based containers. We have repos on APK, Apt, and Yum that can be used to install op on them as well. If you are interested, please take a look at our installation guide, if you haven't done so already: https://developer.1password.com/docs/cli/get-started#install
Installing op into the container is not a problem. However, it seems as though I have to authenticate the container to my account.
op vault ls
asks me to manually add my account. Rather, I would like to be able to pass the CLI running in the container to the instance running on the host. Have I missed something in the installation steps that makes this possible?
Hey again @CHasenpflug1 ,
Apologies, I missed a critical part of your question.
There is no such way to do so at the moment, but we are working on service account access tokens for use in non-automated environments that may fit your use case.
Alternatively, you could look into setting up a Connect server and accessing it via op using tokens.
As a last resort, there is a way to authenticate to op that can be "scripted" in a non-interactive way, but I do not suggest it as it is a security risk. The op account add and op signin commands can accept the password piped via stdin. For example:
eval $(echo "$PASSWORD" | op account add --email "$EMAIL" --address "$SIGNIN_ADDRESS" --secret-key "$SECRET_KEY")
While this method can work, it can expose the password to any processes that are monitoring other processes being initialized.
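The scripted sign-in described in the reply above, written out as an added example that is not part of the thread and not 1Password's own code. It assumes op 2.x on PATH with the account already added via op account add, takes the master password from the script's stdin rather than from an argument or environment variable, and uses the --raw and --session flags so the session token lives in a shell variable instead of an exported OP_SESSION_* variable; the account shorthand and the OP_DEMO_RUN guard are placeholders for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from 1Password): non-interactive
# sign-in for op 2.x that keeps the password out of argv and shell history.
# Assumptions: op 2.x on PATH, the account was already added with
# `op account add`, and the password arrives on this script's stdin
# (a pipe or a file with restrictive permissions), never as an argument.
set -euo pipefail

# Read one line from stdin and print it; suppress echo when stdin is a
# terminal so the password is neither displayed nor written to history.
read_password() {
    local pw=""
    if [ -t 0 ]; then
        IFS= read -rs pw || [ -n "$pw" ]
        printf '\n' >&2
    else
        IFS= read -r pw || [ -n "$pw" ]
    fi
    printf '%s' "$pw"
}

# Sign in and print the raw session token. printf is a shell builtin, so the
# password goes straight to op's stdin and never appears in any process's
# argv, which is what `ps` or /proc/<pid>/cmdline would otherwise reveal.
op_session_token() {
    local account="$1" pw="$2"
    printf '%s\n' "$pw" | op signin --account "$account" --raw
}

# Run an op command with an explicit session token instead of an exported
# OP_SESSION_* variable that every child process would inherit.
op_cmd() {
    local token="$1"
    shift
    op --session "$token" "$@"
}

main() {
    local account="${1:?usage: OP_DEMO_RUN=1 $0 <account-shorthand> < password-file}"
    local pw="" token=""
    pw=$(read_password)
    token=$(op_session_token "$account" "$pw") || {
        echo "sign-in failed" >&2
        return 1
    }
    unset pw
    op_cmd "$token" vault list
}

# Only run main when explicitly requested, so the functions can be sourced.
if [ -n "${OP_DEMO_RUN:-}" ]; then
    main "$@"
fi
```

Run it as `OP_DEMO_RUN=1 ./op-signin.sh my-account < /run/secrets/op-password` (file mode 0600). The password still passes through this shell's memory and through op's stdin, so the reply's warning stands: this avoids the process-listing exposure but is not a substitute for a service account or a Connect token.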
Thanks, Justin. I figured Connect may be the route I have to go. My hope was to be able to mount a socket on the child instance, similar to how Docker in Docker would work, such that the vm/container has a client interacting with the host over that socket. Passing ssh agent to a dev container is another example where we're able to interact between container/host processes. Similar process communications for op would open possibilities.
Thank you for your feedback, @CHasenpflug1!
I'll make sure that it all gets filed with an internal issue, for further investigation.
We'll update this thread whenever we have updates on these fronts (including service accounts, which may be an amelioration for your use case).
Looking forward to hearing any other feedback that you may have!
Best,
Horia
Hi @CHasenpflug1 ,
I'm Sadia, a Product Manager at 1Password, and have some news that may be interesting to you. I am looking for some developers and administrators that would be interested in chatting with me about a new feature our team has been working on: Service Accounts. Earlier this year, we introduced the CLI 2.0, where users can use “run” and “inject” commands to substitute secret references for secrets stored in 1Password vaults. With our new Service Account capabilities, organizations can use a separate non-user account to control and manage access to secrets without deploying additional services like Connect.
We are currently building out service accounts and want to understand your pain-points and experiences with secrets management, and gather some feedback, so we could deliver the best product for our customers.
If you are interested, please feel free to reach out to me at sadia.azmal@agilebits.com or sign-up for a 30 minute slot on Calendly. I look forward to hearing from you :)
I'm keen to chat @Sadia.Azmal_1P, but unfortunately all your slots are between 3am - 6:30am.
My timezone is GMT+10 as I'm in Australia - do you have anything that could work for that?