macOS op CLI not returning token

Gudlyf
Gudlyf
Community Member
edited May 2022 in CLI

When using the latest (v2.3.0) 1Password CLI on latest OS X (arm64, using biometric auth), and I run op --signin <vault> --raw, it returns nothing. Without the flag also returns nothing, however subsequent op commands (get item, etc.) work. However, I need the token for use with Terraform, etc.

I've also downgraded to v2.0.0 of the CLI and it all behaves the same.

1Password Version: 8.8.0
Extension Version: Not Provided
OS Version: macOS 12.4

Comments

  • Justin.Yoon_1P
    Justin.Yoon_1P
    edited June 2022

    Hi there @Gudlyf

    This is definitely a bug on our end. From my testing, I have been able to replicate that the --raw flag does not print the session token when used with biometric auth.

    I've filed an issue to fix this.

    I realize that this may be blocking your workflow for the immediate future, so here are some ways to have your Terraform be able to access 1Password secrets:

    1. Temporarily disable the CLI biometric authentication option in the desktop application's developer settings and run the sign in command as such: op signin --force --raw --account ACCOUNT (note: you may have to add the account manually via op account add if it has not been set up before)
    2. Look into using 1Password Connect along with its Terraform operator

    I hope these options can alleviate your issues for now. Thank you for reporting the bug!

  • stuartcampbe11
    stuartcampbe11
    Community Member

    Hi,
    I have just encountered this issue on Linux as well. In the hope that it might have been fixed since June I upgraded to the latest beta versions:

    1password-8.9.7~31.BETA-1.x86_64
    1password-cli-2.8.0-beta.05.x86_64

    Is there any eta on a potential fix ? My use case is that I am using chezmoi (chezmoi.io) to manage my dotfiles. It works when I disable "Connect with 1Password CLI" and returns nothing when this is enabled.

    Many Thanks
    Stu

  • andi.t_1P
    andi.t_1P

    Hi @stuartcampbe11 , from what I can tell, some discussions have been carried out internally over this issue and the developments seem to indicate that we will need to document that the --raw flag does not work with biometric auth. This is because there has been determined that there are no use cases other than being able to share a session to another terminal on a machine. This is not possible anyway, and to that extent we also need to document that the session printed by the --raw flag will only authenticate sessions on the same device.

    Hope this helps,
    Andi

This discussion has been closed.