Change password using "op item edit" without having it on the command line?

EdGue
Community Member

I need to programmatically update the password for multiple entries in my vault.

This here works nicely:

op item edit some-item "password=noneofyourbusiness"

but it has 2 problems:

  • obviously, the password shows up on the command line, so it is visible to other processes
  • less obvious: this can break when passwords contain sensitive "shell characters", like "&"

The only way I see:

  • do op item get --format=json
  • within the script, manipulate that data and update the password field as needed
  • turn the whole string into base64 (within the script)
  • do something like echo {} | base64 --decode | op item edit some-item where {} would contain that base64 encoded json

I have done similar things in the past, but I hope: there is an easier way to achieve the same?

Comments

  • EdGue
    Community Member

    Just now realising: op item edit doesn't read from stdin (yet).
    What a shame.

    I guess that means: the 2 problems I mentioned above are very real with the 1Password CLI,
    and I do hope that edit reading from stdin is added soon, as there is NO way to work around
    this deficiency.

  • andi.t_1P

    Team Member

    Hi @EdGue, we do have an internal issue tracking this problem, which we are currently pursuing. Expect op item edit to be able to support stdin soon.

  • EdGue
    Community Member

    Excellent, and really appreciated. I coded my solution to use the op item edit xxx password= ... and as expected: when the password contains a " character, it just doesn't work to pass that value without running into issues. So a way to read from stdin (at least for the password) ... I would consider that a bugfix, not just a neat feature ;-)

  • andi.t_1P

    Team Member

    Thanks for your feedback!

  • cliKing
    Community Member

    @EdGue You must use the escape mechanisms of your shell to escape the special characters.

    With bash or zsh (Linux/Mac) use single quotes and escape those single quotes with a backslash.

    Example with password abc'def :

    $ op item edit some-item 'password=abc'\''def'
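
The '\'' quoting rule from the comment above, as an added example that is not part of the original thread and not 1Password's code. `show_argv` is a hypothetical stand-in for `op`, and the sample password is constructed.

```sh
#!/bin/sh
# Added example. show_argv is a hypothetical stand-in for `op`, so this runs
# offline and shows exactly which arguments the real command would receive.
show_argv() {
    for arg in "$@"; do printf '<%s>\n' "$arg"; done
}

# Quote a string for sh/bash/zsh with the '\'' idiom: wrap it in single
# quotes and replace every embedded ' with '\'' (close, escaped quote, reopen).
# Trailing newlines in the input are dropped by the command substitution.
sq_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Inside a script no escaping is needed: a double-quoted expansion reaches the
# command as one argument, byte for byte, whatever characters it contains.
edit_direct() {
    show_argv item edit some-item "password=$1"
}

# When the command line is emitted as text (to paste into a terminal or send
# over ssh), quote the whole assignment first.
edit_as_text() {
    printf 'op item edit some-item %s\n' "$(sq_quote "password=$1")"
}

# Constructed sample password containing & " ' and a space.
pw='p&ss"w'\''rd x'
edit_direct "$pw"
edit_as_text "$pw"
# Either way the value is still part of the process arguments, so the first
# problem in the question (visibility to other processes) is not solved here.
```
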
    
  • andi.t_1P

    Team Member

    Thanks for the feedback!
