Is it possible to Authenticate the CLI with a Token?
I'm still new to the 1Password Secret automation and the CLI, so I'm trying to lay out my idea here.
I want to have my nginx/php process wrapped with the op run -- command, as I want my secrets to only be available at run time for the respective applications.
But for me to use the CLI I need to log in, and when I do that with eval $(op signin) I'm asked to add signin-address, email, secret and password.
This makes it all a little harder to automate things. I would prefer not to have secrets written to files on disk, therefore I'm hoping to use the op run -- wrapper, and therefore my servers need to be able to authenticate easily without human interaction.
Do any of you have some suggestions on how to handle this, and if it's even possible?
I would like to have an as secure as possible setup for having e.g. DB credentials used in my PHP application.
I know there are some non-official PHP SDKs out there, but I would prefer not rewriting too much of my applications if possible.
I'm on op --version 2.7.2
Thanks in advance.
Tomas
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Ubuntu 22.04
Browser: Not Provided
Comments
Hi @tomasnorre, unfortunately the classic CLI use-case requires human interaction for authentication for enhanced security reasons. The authentication is done via a temporary token (which looks something like this OP_SESSION_PNDZZZZZZZZZZZZZZZZZ="Av_Aya5nYgjFycHWduOjTktUsqxrwfghtugj9DQLUS7w4"), which you get by providing a valid password/biometrics. Better suited for your use case would be either our Connect Server feature or Service Accounts beta feature. Both of these allow you to authenticate only via some tokens passed through environment variables.
Hope this helps,
Andi
Thanks Andi.
The Open Connect server I already have in place, but then I would need to re-write part of my Application to use the/a PHP-SDK instead. Or am I misunderstanding something?
My bad for not being clear enough. Here is a link to the 1Password Connect feature: https://developer.1password.com/docs/connect/connect-api-reference/, which will allow you to execute op run without worrying about repetitive and interactive authentication.
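
The token-based setup discussed in the replies above, as an added example that is not part of the original thread and not 1Password's own code: a launcher that refuses to start unless a Connect or service-account token is present in the environment and the env file holds only op:// secret references, then hands the process to op run. The env file path, the vault and item names and the php-fpm command are assumptions for illustration.

```shell
#!/bin/sh
# Added example: preflight checks before wrapping a service with `op run`.
# Assumed names: the env file path and the wrapped command are hypothetical.

# Succeeds only if the CLI can authenticate without a human: either a
# Connect host + token pair, or a service account token (the latter needs
# a CLI build that supports service accounts).
have_token_auth() {
    if [ -n "${OP_SERVICE_ACCOUNT_TOKEN:-}" ]; then return 0; fi
    if [ -n "${OP_CONNECT_HOST:-}" ] && [ -n "${OP_CONNECT_TOKEN:-}" ]; then
        return 0
    fi
    return 1
}

# Prints the name of every variable in env file $1 whose value is not an
# op:// secret reference. The file is treated as secrets-only, so any
# literal value is reported as a plaintext secret left on disk.
plaintext_vars() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        name=${line%%=*}
        value=${line#*=}
        value=${value#\"}; value=${value%\"}   # drop optional double quotes
        case "$value" in
            op://*) ;;                          # resolved by op run at start
            *) printf '%s\n' "$name" ;;
        esac
    done < "$1"
}

# launch ENV_FILE COMMAND [ARGS...]
# Exit codes: 2 = no token in environment, 3 = plaintext value in env file.
launch() {
    env_file=$1; shift
    have_token_auth || {
        echo "no Connect or service account token in environment" >&2
        return 2
    }
    bad=$(plaintext_vars "$env_file")
    [ -z "$bad" ] || {
        echo "plaintext values in $env_file: $bad" >&2
        return 3
    }
    # Secrets exist only in the child's environment for its lifetime.
    exec op run --env-file="$env_file" -- "$@"
}

# Typical call from a service unit or entrypoint (hypothetical paths):
#   launch /etc/myapp/app.env php-fpm --nodaemonize
```

The token itself should reach the launcher through the service manager's environment mechanism rather than a world-readable file, since it is the one credential that still has to live on the host.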