Unexpected op run behavior

jwhett
Community Member

Hello,

I'm excited to use the new features in CLI v2, but I'm having trouble getting op run to behave as expected.

In following the secret references doc, I expected to create an env file with secret references that would be translated into environment variables. Wrapping commands in an alias which translates all secret references in the environment is compelling. The same can be said for other workflows. I've tried to boil this down to simple tests.

The following output is with zsh, but I've had the same issue with fish and bash. Consider a single token variable defined in op-env that holds a reference to a GitHub API token:

# Empty
$ op run --env-file=op-env -- echo $token

# Works brilliantly with printenv
$ op run --env-file=op-env -- printenv token
<concealed by 1Password>

$ op run --env-file=op-env -- curl \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer $token" \
  https://api.github.com/user

{
  "message": "Bad credentials",
  "documentation_url": "https://docs.github.com/rest"
}

$ token=op://Private/GitHub_testing_token/credential op run -- curl \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer $token" \
  https://api.github.com/user

{
  "message": "Bad credentials",
  "documentation_url": "https://docs.github.com/rest"
}

$ curl \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer $(op read op://Private/GitHub_testing_token/credential)" \
  https://api.github.com/user

# Expected response

I've attempted the same when sending environment variables to Ansible, with -e "token=$token" where $token holds the secret reference in the environment, with the same failures (i.e. the value is either empty or the untranslated secret reference). Can you please help me understand what is going on? Perhaps guidance on where the lines are drawn between using op run and op read to provide secret reference translation would also help.

Thank you!


1Password Version: 2.7.1
Extension Version: Not Provided
OS Version: Pop!_OS 22.04 LTS
Browser: Not Provided

Comments

  • jwhett
    Community Member
    edited September 2022

    I've found that if I wrap the same curl command in a script, then the translation works as expected. Ansible environment variables have to be looked up instead of provided at runtime with -e unless wrapped in the same way. Attempting this without the wrapper shows that the Authorization header is empty instead of either the token or a secret reference string itself.

    There appears to be a nuance between referencing the variables at the command line vs those that are referenced deeper within. However, from the op run docs:

    Runs the given command in a subprocess. Environment variables of the parent process are passed down to the subprocess, with all secret references replaced with their corresponding secret value.

    My expectation is that a ref at command invocation should be the same as any other ref to the same variable. Is this expected behavior?

    Thank you!

  • Hi @jwhett, I believe using your commands in this way

    op run --env-file=op-env -- sh -c 'echo $token' 
    
    op run --env-file=op-env -- sh -c 'curl \
      -H "Accept: application/vnd.github+json" \
      -H "Authorization: Bearer $token" \
      https://api.github.com/user'
    
    

    will achieve the desired behaviour. I believe the reason behind it is that in your examples echo and curl attempt to resolve $token before they are run as a subprocess of op run.

    All the best,
    Andi
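
The three invocation styles from this thread, reproduced offline as an added example that is not part of the original posts and is not 1Password code. `run_with_secret` is a hypothetical stand-in for `op run` that exports a constructed value only into the child's environment; the secret reference string is the one from the question.

```shell
#!/bin/sh
# Hypothetical stand-in for `op run` (NOT the 1Password CLI): the resolved
# secret is exported only into the environment of the child process.
SECRET_VALUE='constructed-token-123'   # constructed sample value

run_with_secret() {
    if [ "$1" = "--" ]; then shift; fi
    (
        token="$SECRET_VALUE"
        export token
        "$@"
    )
}

# Case 1: double-quoted $token is expanded by the calling shell before
# run_with_secret starts, so the child receives an argument with no token.
case_parent_expansion() (
    unset token
    run_with_secret -- printf '%s\n' "Authorization: Bearer $token"
)

# Case 2: a prefix assignment is applied to the command's environment only
# after the argument words are expanded, so "$token" is still empty.
case_prefix_assignment() (
    unset token
    token='op://Private/GitHub_testing_token/credential' \
        run_with_secret -- printf '%s\n' "Authorization: Bearer $token"
)

# Case 3: single quotes keep $token literal; the inner sh expands it from
# the environment that run_with_secret prepared.
case_child_expansion() (
    unset token
    run_with_secret -- sh -c 'printf "%s\n" "Authorization: Bearer $token"'
)

printf 'parent expansion:  [%s]\n' "$(case_parent_expansion)"
printf 'prefix assignment: [%s]\n' "$(case_prefix_assignment)"
printf 'child expansion:   [%s]\n' "$(case_child_expansion)"
```

Only the third case puts the value into the header, which matches the wrapper-script and `sh -c` results reported above.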

This discussion has been closed.