Using 1Password for automated distribution of API keys

jutley
Community Member
edited April 2023 in Secrets Automation

Since the beginning of this year, our company has been migrating from LastPass to 1Password. The transition has been good so far. However, another recent project has been to do automated rotation of our users' AWS Access Keys. Most of our AWS access is handled through temporary credentials in IAM Identity Center, but we have a couple of situations where we need static access keys:

  • Allowing our in-house code that has not yet been migrated access to AWS Resources
  • Non-technical users using third party tools like Cloudberry that do not support temporary credentials to upload/download large files to S3.

We wanted to use 1Password as a means of securely distributing new access keys in an automated fashion. We've actually got a working implementation using AWS Lambda, Connect Server, and shared vaults. However, the number of individual users with keys makes me worry that the use of the Connect Server is going to get expensive due to the number of vaults it will have to have access to: each individual user with an access key would have to have a shared vault for Lambda to upload the key to.

I've been trying to look into other ways of using 1Password for this purpose, but have not seen anything as of yet:

  • Connect Server cannot access a user's private vault, nor can it create a Psst! shared item.
  • OP CLI could work, but it appears that it's nearly impossible to use it in an unattended manner like this.
  • The new Service Accounts feature could possibly be a solution, but as near as I can see, it does not support the "op item share" command.

Is there something I'm missing that could make this easier to accomplish? Or should I look at another method of securely transferring these credentials?

Thanks for any help anyone can give!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
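As an added example (not code from the original post, nor from 1Password or AWS), here is the shape of the Lambda + Connect + shared-vault rotation the post describes, written so the ordering that matters for safety is explicit: a new key is minted, its secret is written to the vault, and only then are the old keys deactivated (deleted one cycle later, to stay under IAM's two-keys-per-user limit). The Connect item payload follows the Connect REST API item schema as I understand it (category API_CREDENTIAL, a CONCEALED field for the secret); check it against the Connect docs before relying on it. The FakeIam and FakeConnect classes are hypothetical stand-ins for boto3's IAM client and a Connect HTTP client so the logic runs offline; in Lambda you would pass boto3.client("iam") and a client that POSTs to /v1/vaults/{vault_id}/items with a bearer token.

```python
"""Rotate one IAM user's static access key and publish it to a 1Password vault.

Added illustration, not code from the original post, 1Password or AWS.
Assumed (not from the page): the Connect item schema in build_connect_item();
the hypothetical FakeIam/FakeConnect classes that mimic boto3 and Connect.
"""
import itertools
import secrets


def build_connect_item(vault_id, title, access_key_id, secret_key):
    """Body for POST /v1/vaults/{vault_id}/items (assumed schema, see docstring)."""
    return {
        "title": title,
        "category": "API_CREDENTIAL",
        "vault": {"id": vault_id},
        "fields": [
            {"id": "username", "type": "STRING", "purpose": "USERNAME",
             "label": "access key id", "value": access_key_id},
            {"id": "credential", "type": "CONCEALED", "purpose": "PASSWORD",
             "label": "secret access key", "value": secret_key},
        ],
    }


def rotate_user_key(iam, connect, user_name, vault_id):
    """Mint a new key, publish it, then retire the old ones. Returns the new key id."""
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    # IAM allows at most two access keys per user. Make room by deleting a key
    # deactivated by an earlier rotation (the user had a whole cycle to pick up
    # its replacement); if both are somehow still Active, drop the oldest.
    if len(keys) >= 2:
        retired = [k for k in keys if k["Status"] == "Inactive"]
        victim = (retired or sorted(keys, key=lambda k: k["CreateDate"]))[0]
        iam.delete_access_key(UserName=user_name, AccessKeyId=victim["AccessKeyId"])
        keys = [k for k in keys if k["AccessKeyId"] != victim["AccessKeyId"]]
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    try:
        # The secret is only readable at creation time, so the vault write must
        # succeed before anything else happens to the user's keys.
        connect.create_item(vault_id, build_connect_item(
            vault_id, f"AWS access key ({user_name})",
            new["AccessKeyId"], new["SecretAccessKey"]))
    except Exception:
        # Never leave a live key whose secret nobody received.
        iam.delete_access_key(UserName=user_name, AccessKeyId=new["AccessKeyId"])
        raise
    # Deactivate rather than delete: Inactive can be flipped back if a user
    # missed the new item; deletion is irreversible and happens next cycle.
    for k in keys:
        if k["Status"] == "Active":
            iam.update_access_key(UserName=user_name, AccessKeyId=k["AccessKeyId"],
                                  Status="Inactive")
    return new["AccessKeyId"]


class FakeIam:
    """Hypothetical in-memory stand-in for boto3's IAM client (same return shapes)."""

    def __init__(self):
        self._keys = {}
        self._clock = itertools.count()

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self._keys.get(UserName, [])]}

    def create_access_key(self, UserName):
        key = {"AccessKeyId": "AKIA" + secrets.token_hex(8).upper(),
               "Status": "Active", "CreateDate": next(self._clock)}
        self._keys.setdefault(UserName, []).append(key)
        return {"AccessKey": {**key, "SecretAccessKey": secrets.token_urlsafe(30)}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self._find(UserName, AccessKeyId)["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self._keys[UserName].remove(self._find(UserName, AccessKeyId))

    def _find(self, user, key_id):
        return next(k for k in self._keys[user] if k["AccessKeyId"] == key_id)


class FakeConnect:
    """Hypothetical recorder of what would be POSTed to Connect; can simulate an outage."""

    def __init__(self, fail=False):
        self.items, self.fail = [], fail

    def create_item(self, vault_id, payload):
        if self.fail:
            raise RuntimeError("Connect server unreachable")
        self.items.append((vault_id, payload))


def demo():
    """Three rotations for one user, then a rotation whose vault write fails."""
    iam, connect = FakeIam(), FakeConnect()
    for _ in range(2):
        rotate_user_key(iam, connect, "alice", "vault-alice")
    newest = rotate_user_key(iam, connect, "alice", "vault-alice")
    statuses = {k["AccessKeyId"]: k["Status"]
                for k in iam.list_access_keys(UserName="alice")["AccessKeyMetadata"]}
    broken = FakeIam()
    try:
        rotate_user_key(broken, FakeConnect(fail=True), "bob", "vault-bob")
    except RuntimeError:
        pass  # expected: the minted key was deleted again
    return {"published": len(connect.items), "newest": newest, "statuses": statuses,
            "bob_keys": len(broken.list_access_keys(UserName="bob")["AccessKeyMetadata"])}


if __name__ == "__main__":
    print(demo())
```

After three rotations the user holds exactly two keys, the newest Active and the previous one Inactive, and three items were published; when the vault write fails, the user is left with no new key at all. The per-user vault in this sketch is exactly the cost concern the post raises: the Connect token must be scoped to every one of those vaults, so the number of vaults grows with the number of static-key users.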

Comments

  • OliverGaida
    Community Member

    You could use my ruby gem https://github.com/ogaida/opr21

  • Good news - service accounts do support the op item share command. However, they cannot access a private vault, so you may run into the same issues as Connect. It may still be worth revisiting to see if it works for your use case.

This discussion has been closed.