How to keep passwords concealed on 1password CLI.

jeyyoon

We have recently started using 1Password Business to share our company's account information. Instead of sharing plaintext password strings with members, we have granted them only the "view item" permission, which allows them to log into shared accounts.
We have verified that members cannot view the actual password in extension of browsers like Chrome or Safari.
However, we discovered that for developers using the CLI, the '$ op item get ITEMNAME' command can reveal the password.

Is there no way to hide the password in the CLI environment? Or do I need to make additional settings?

I confirmed that in the CLI environment, the '$ op vault group list VAULTNAME' command shows that the group has only the 'view_item' permission and not the 'view_and_copy_passwords' permission.

---

1Password Version: 8.10.4
Extension Version: 2.16.1(CLI)
OS Version: MAC 13.1
Browser:_ Not Provided

1P_Amanda

Hi @jeyyoon,

Thank you for bringing this to our attention, we can definitely see how this is a problem. We have created a ticket for this and will address it, although it's not on our current roadmap so we can't commit to a timeline.

Cheers!
Amanda

tscheuble

+1, we were evaluating using 1password to manage secrets in our deployment pipeline and this is a showstopper. I hope a solution can be found soon.

scor

I am puzzled as well that passwords are not hidden by default on CLI output. I would have expected both op item create and op item get to conceal by default and require a specific argument to show the password, similar to how --reveal is required for the SSH private key.