1Password CLI in azure function for AAD user and group sync
Hello!
The goal was to avoid setting up a SCIM bridge because of the associated costs of Kubernetes. (I found it difficult to get a good idea of how much this was likely to cost in Azure. My boss cringed at the idea of $50 a month.) So first question is for the folks that are using this - what are you seeing in terms of costs for this?
Instead, I have been trying to get the CLI working in an Azure function with PowerShell with the intention of syncing users and groups based on certain changes to those things in AAD.
I have gotten the impression this is not a good idea! But would love to understand better why not, or what workarounds I should avoid at all costs, or if anyone else has done anything like this.
I've gotten as far as adding an account in the CLI, but obviously run into issues when trying to sign in since I can't feed a PW to that command automatically.
Maybe there's a simpler CLI-like tool y'all've got cooking that would work in Azure functions?
Open to all criticisms or suggestions.
Thanks!
Comments
-
Hi @not, thanks for reaching out!
I am not familiar with Azure functions, but based on your description, the main blocker seems to be that you cannot use 1Password CLI in a certain environment because of password input? Service Accounts can help in such environments -- does that fit your use case?
-
Hi @not,
You're right, service accounts can't be used for provisioning. The SCIM bridge is really ideal for provisioning. Our scim-examples repo has a beta deployment option using Azure Container Apps that ends up costing about $16/month; here is the link: https://github.com/1Password/scim-examples/tree/master/beta/azure-container-apps
Alternatively, there are some AKS cost optimizations documented here if you are provisioning less than 500 users: https://gist.github.com/scottisloud/248e705729fd31809ce9f3e075e0e5ce
We haven't really seen anyone else use Azure functions, so we unfortunately don't have much information as to what that would look like in practice. If you do decide to try out the SCIM bridge route and run into any issues, please reach out to our support team; we have some people who are very knowledgeable that will be able to help.
I'm sorry I don't have a simpler answer!
Amanda
-
@1P_Amanda Thanks for the insight! Will definitely look deeper into the recommended option.
But just as a curiosity, the Azure function would work the same as any automated script.
If a 1PW user wanted to set up an automated user/group sync with the CLI from a server, they'd have to figure out a way to automate the PW input too. I'm assuming this is just unrecommended entirely.
-
Automating the PW input is not recommended, so until we add support for group/user management to service accounts I don't really have a good alternative to the SCIM bridge.
Thank you for your question!