op run doesn't seem to be overriding shell value with env value (per docs)

timdiggins
Community Member

Hi

I am newly using the CLI and it seems good, but I've discovered a problem.

Given I set something in the shell, either as an absolute value

export SOME_NAME=some-value

or as a 1p reference

export SOME_NAME="op://my_vault/my_item/my_section/my_field"

And I also set that in an env file

# some-file.env
SOME_NAME="op://my_vault/my_item/other_section/other_field"

When I run op run --env-file some-file.env --no-masking -- printenv SOME_NAME

Then I expect the output to be the contents of the env file version, i.e. whatever is in "op://my_vault/my_item/other_section/other_field"

But I get the original value in the shell, i.e. either some-value or whatever is in "op://my_vault/my_item/my_section/my_field".


This looks like it's a bug, but could it be somehow my misconfiguration?

For reference:

op help run

contains:

DUPLICATE ENVIRONMENT VARIABLES
If the same environment variable name exists in both the shell and the '.env' file,
but are referencing different secrets, the variable set in the '.env' file will be used.

and it gives an example of how this should work.


1Password Version: 8.10.8
Extension Version: (4.7.5.90)
OS Version: macOS 13.4.1
Browser: (Chrome)

Comments

  • Hi @timdiggins, thanks for reporting this issue! We recently noticed the same internally and we are currently investigating.

    One of us will follow up here once we know more.

    Thank you,
    Arun

  • Hi again @timdiggins, while we are looking more into this, we'd like to hear from you on your setup. Could you tell us more about it --

    • What is your current use-case like?
    • Is using envvar in the shell session instead of as a dotenv file an option at all? (That is, you can skip the --env-file flag)
    • Do you have some kind of shared setup between yourself and your team members that requires the usage of a dotenv file?

    Please feel free to expand beyond the questions above, thank you.

  • maxbeatty
    Community Member

    We also just ran into this trying to override NODE_EXTRA_CA_CERTS in a Node.js program. A simpler reproduction:

    A .env.development file like:

    ENVIRONMENT="development"
    

    Then run:

    ENVIRONMENT=test op run --env-file='./.env.development' -- node --eval 'console.log(process.env.ENVIRONMENT)'
    

    Observe "test" is outputted instead of "development".

    Node.js v18.16.0
    op 2.19.0
    macOS 13.5

  • dcorey
    Community Member

    Upvote on this. Also ran into this bug today. My team uses a shared secret file that is source controlled to inject secrets into a development cluster and we are running into problems with some teammates having conflicting secrets in their shells. We expect that the env file being explicitly passed to the op command would take priority over the shell variables, as the documentation states it should.

    1Password for Mac: 8.10.13
    1Password CLI: 2.20.0
    MacOS: 13.5.1

This discussion has been closed.
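
A preflight check for the conflict described in this thread, added here as an example and not taken from the posts or from 1Password: it lists the names that both the calling environment and the env file define, and can run a command with those names removed from the environment. The function names are hypothetical, and the parser assumes plain NAME=value lines with # comments.

```shell
#!/bin/sh
# Added example (not from the thread): detect variables that are defined
# both in an env file and in the calling environment, and optionally run a
# command with the environment copies removed.

# env_file_names FILE -> one variable name per line, in file order.
# Assumption: the file holds plain NAME=value lines; comments, blank lines
# and anything else are skipped.
env_file_names() {
    sed -n -E 's/^[[:space:]]*([A-Za-z_][A-Za-z0-9_]*)[[:space:]]*=.*/\1/p' "$1"
}

# env_file_conflicts FILE -> names from FILE that are also exported in the
# current environment (what a child process such as op would inherit).
env_file_conflicts() {
    for name in $(env_file_names "$1"); do
        # printenv NAME exits 0 only when NAME is present in the environment.
        if printenv "$name" >/dev/null 2>&1; then
            printf '%s\n' "$name"
        fi
    done
}

# run_without_conflicts FILE CMD [ARGS...] -> run CMD with every conflicting
# name removed from its environment (env -u), so the env file's definition
# is the only one left for that name.
run_without_conflicts() {
    file=$1
    shift
    for name in $(env_file_conflicts "$file"); do
        set -- -u "$name" "$@"
    done
    env "$@"
}

# Usage, with the command from the original post:
#   env_file_conflicts some-file.env
#   run_without_conflicts some-file.env \
#       op run --env-file some-file.env --no-masking -- printenv SOME_NAME
```

Running env_file_conflicts against a shared, source-controlled env file before invoking op run shows which teammates' shells would collide with it.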