How-to configure AWS config credential_process + op?

Community Member

In CLIv1 I was able to use something like:

[profile default]
credential_process = sh -c "op --account kramer get item 'AWS Production' | jq '.details.sections[2].fields | map({(.t):.}) |  add | {Version:1, AccessKeyId:.aws_access_key_id.v, SecretAccessKey:.aws_secret_access_key.v}'"

I can't seem to figure out the v2 version of that or how to use credential_process to retrieve credentials.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided


  • Hey @yodakramer ! Thank you for reaching out to us.

    To zoom out a little, can you please let us know what the structure of your item is (with the sensitive values redacted, of course) and what the desired structure of the credential_process should be?

    Looking forward to hearing from you.


  • yodakrameryodakramer
    Community Member

    Thanks. I have used the examples from this blog post, Storing AWS CLI Credentials in 1Password.

    The output from op looks like this:

      "Version": 1,
      "AccessKeyId": "MYKEY",
      "SecretAccessKey": "MYSECRETKEY"

    And the entry looks like this:

  • Ah, gotcha, thanks for clarifying! A more native way for achieving this in CLI2 would be along the lines of:

    credential_process = "{ \"Version\": 1, \"AccessKeyId\": \"$(op read op://yourvault/aws/aws_access_key_id)\", \"SecretAccessKey\": \"$(op read op://yourvault/aws/aws_secret_access_key)\" }" 

    Let us know if this works for you, otherwise we can look into further options to adapt your v1 script.
    Looking forward to hearing from you, and thank you, once again, for giving v2 a try! :D


  • yodakrameryodakramer
    Community Member

    I had to make changes to your version to match what credential_process expects.

    credential_process = sh -c 'echo "{\n \"Version\": 1,\n \"AccessKeyId\": \"$(op read op://MyVault/aws-staging/CREDENTIALS/aws_access_key_id)\",\n \"SecretAccessKey\": \"$(op read op://MyVault/aws-staging/CREDENTIALS/aws_secret_access_key)\"\n}" '

    The AWS CLI expects a multi-line JSON return, so I added \n where needed and needed to be exec'd with -c passed to the shell.

    This works quite well now!

  • Glad you got it working!! Let us know if we can help with anything else.


  • slambslamb
    Community Member

    Here's an updated jq method, to launch op once:

    credential_process = sh -c "op --account=... --vault=... item get --format=json --fields=label=AccessKeyId,label=SecretAccessKey ... | jq 'map({key: .label, value: .value}) | from_entries + {Version: 1}'"
  • andi.t_1Pandi.t_1P

    Team Member

    Thanks for the feedback!

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file