One password cli signin within python script run time

alankar
Community Member
edited September 2022 in CLI

Hi,
I am developing a Python script to automate password updates in an OP vault using the OP CLI. I am facing issues while signing in. I am running the code below to sign in without being prompted for the password. I tried to do it in 2 ways, which are shown below.

Approach 1:
proc = subprocess.Popen('op signin -f --account [account-name] --format json', stdin=subprocess.PIPE)
proc.communicate(input=[password])

Approach 2:
command = 'eval $(echo "[password]" | op signin --account [account-name] --format json)'
subprocess.run(command)

Can anyone give me a suggestion for signing in to the OP vault automatically?

Thanks



Comments

  • Hi @alankar, unfortunately a fully programmatic way is non-existent with the regular CLI. The password would need to be introduced manually every 30 minutes in order for the session to remain valid. That said, both the Connect and Service Accounts (still in beta) features of 1Password will only require some personalised tokens to be present as environment variables for authentication with the CLI. So a fully programmatic solution can be designed with Connect or Service Accounts.

    For example - for Service Accounts if you simply set the env variable OP_SERVICE_ACCOUNT_TOKEN=<your-service-account-credential>, you would be authenticated for the rest of the commands. For Connect, you need to do something similar for OP_CONNECT_HOST and OP_CONNECT_TOKEN.

    Pitfalls: For Connect you would need to deploy a server, but you could do that fully programmatically as well. For Service Accounts, as I said before, this is still a beta feature, so you could only get access to it based on an invite. Read this thread https://1password.community/discussion/131233/join-our-beta-test-for-1password-service-accounts-launching-mid-july#latest for more information on how you could get started with that.

    Hope this helps! Best,
    Andi
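
The token-based authentication described in the reply above, as an added example that is not part of the original thread and not 1Password's own code: a Python wrapper that refuses to run without a token, hands only that token to the `op` child process through its environment, and never builds a shell string. The helper names `build_op_env` and `run_op`, the `PASSTHROUGH` list and the `op vault list` call in the usage line are assumptions made for this example.

```python
import os
import subprocess

# Environment variable names are the ones given in the reply above.
SERVICE_ACCOUNT_VAR = "OP_SERVICE_ACCOUNT_TOKEN"
CONNECT_VARS = ("OP_CONNECT_HOST", "OP_CONNECT_TOKEN")
# Non-secret variables the child still needs (assumed set; adjust per platform).
PASSTHROUGH = ("PATH", "HOME", "SystemRoot")


def build_op_env(parent_env):
    """Return (mode, env) for the op child process, or raise if no token is set."""
    env = {k: parent_env[k] for k in PASSTHROUGH if k in parent_env}
    if parent_env.get(SERVICE_ACCOUNT_VAR):
        env[SERVICE_ACCOUNT_VAR] = parent_env[SERVICE_ACCOUNT_VAR]
        return "service-account", env
    if all(parent_env.get(v) for v in CONNECT_VARS):
        env.update({v: parent_env[v] for v in CONNECT_VARS})
        return "connect", env
    raise RuntimeError(
        "no 1Password token in environment; set %s or %s"
        % (SERVICE_ACCOUNT_VAR, " and ".join(CONNECT_VARS))
    )


def run_op(args, parent_env=None, runner=subprocess.run):
    """Run `op <args>` with token auth. Secrets travel in env, never in argv."""
    parent_env = os.environ if parent_env is None else parent_env
    mode, env = build_op_env(parent_env)
    secrets = [env[v] for v in (SERVICE_ACCOUNT_VAR, CONNECT_VARS[1]) if v in env]
    if any(s in a for s in secrets for a in args):
        raise ValueError("token must not appear on the command line")
    # List argv and no shell: nothing is interpolated into a shell string.
    result = runner(["op", *args], env=env, capture_output=True, text=True, check=False)
    if result.returncode != 0:
        # Redact tokens in case the tool echoes them back in an error message.
        msg = result.stderr
        for s in secrets:
            msg = msg.replace(s, "[redacted]")
        raise RuntimeError("op failed (%s auth): %s" % (mode, msg.strip()))
    return result.stdout


if __name__ == "__main__":
    print(run_op(["vault", "list", "--format", "json"]))
```

The token itself should reach the script's environment from a secret store or the job runner's secret mechanism rather than from a literal in the source file.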

  • cliKing
    Community Member
    edited September 2022

    Signing in from your script seems to be a bad design security-wise.

    It would be better to leave authentication out of the script and let the user call your script once (s)he has logged in with eval $(op signin).

  • Thanks for your feedback!

This discussion has been closed.