secrets in a devcontainer setup
nyoungb2
I would like to use 1password in a devcontainer setup (remote machine; connected via ssh) to initialize some secrets for my developer environment. I currently have:
curl -sS https://downloads.1password.com/linux/keys/1password.asc | \ sudo gpg --dearmor --output /usr/share/keyrings/1password-archive-keyring.gpg echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/1password-archive-keyring.gpg] https://downloads.1password.com/linux/debian/$(dpkg --print-architecture) stable main" | sudo tee /etc/apt/sources.list.d/1password.list sudo mkdir -p /etc/debsig/policies/AC2D62742012EA22/ curl -sS https://downloads.1password.com/linux/debian/debsig/1password.pol | \ sudo tee /etc/debsig/policies/AC2D62742012EA22/1password.pol sudo mkdir -p /usr/share/debsig/keyrings/AC2D62742012EA22 curl -sS https://downloads.1password.com/linux/keys/1password.asc | \ sudo gpg --dearmor --output /usr/share/debsig/keyrings/AC2D62742012EA22/debsig.gpg sudo apt update && sudo apt install 1password-cli eval $(op signin)
...in my setup.sh that is run as part of my devcontainer setup.
However, I then have to manually sign in during the setup, which requires 4 items of information to type in, including a long secret key. After the setup is complete, I then have to sign in again via eval $(op signin) if I want to use op within my devcontainer.
Is there a better way? If yes, it would be great to have specific documentation on best-practices for using 1password with devcontainers (and remote ssh).
1Password Version: 2.13.1
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided
Referrer: forum-search:vs code
Comments
Team Member
Hi @nyoungb2:
Great question! If you're looking to use secrets in a non-interactive flow, like remote machines, 1Password Secrets Automation might be your best bet. This would allow you to use bearer tokens to access secrets, and ensure that they're only scoped to vaults that contain the specific secrets you're looking to use on that machine. Let me know if that helps, or if you'd like to dig in a bit further.
Jack
So there's no way to provide my sign-in address and email
op signin? I always have to manually typo both when runningeval $(op signin)?I also have to get a "New 1Password sign-in from XXX" notification email every time? This gets really tedious when re-building devcontainers.
@Jack.P_1P are there any plans on creating a 1password devcontainer feature that specifically helped automate devcontainer setup with 1password (e.g., automatically injecting 1password secrets into the
postCreateCommandscript for the devcontainer setup, with secrets used from the developer's local 1password app)?More generally, I would think that the following would work with the 1password extension:
"containerEnv": { "AWS_ACCESS_KEY_ID": op://Private/AWS/username, "AWS_SECRET_ACCESS_KEY": op://Private/AWS/credential, "AWS_DEFAULT_REGION": op://Private/AWS/region },but adding that to my devcontainer.json does nothing. If I run
1password: Preview with secrets, then my AWS secrets are correctly substituted in the preview, but those secrets are not substituted when I re-build my container. I also cannot hover over theop://links and see references to the secrets, as shown in https://www.reddit.com/r/1Password/comments/vp19zy/introducing_1password_for_vs_code/.In regards to the "cannot hover over the op:// links" issue, I did some testing, and the hover only works for log projects, and not remote ssh connections. Maybe that is also the issue with my "containerEnv" issue. If this is the case that the 1password extension does really work for remote ssh connections, then this should be clear in the docs.