How can I avoid having to authenticate constantly to retrieve secrets?

mickael
Community Member

Hi,

I decided to switch from my tool https://github.com/mickaelperrin/onepassword-local-search to the native implementation of SSH key management and secrets retrieval for my daily use.

This works great globally; however, I can't find a way to avoid being asked for auth each time I launch a new terminal.

I have some ENV variables that contain secrets and I init them in my ZSH configuration by making a call to op cli.

It looks like the 1Password configuration is for SSH keys only.

https://share.cleanshot.com/ng43mG62XnGhllykz4rF

Is there a way to prevent that?



Comments

  • Hello @mickael! 👋

    Thank you for the question! Being asked to authenticate in each new terminal session is part of the CLI integration's authorization model:

    Each time you use a 1Password CLI command in a new terminal window or tab, you'll need to authorize your account again:

    • On macOS and Linux, authorization is confined to a terminal session but extends to sub-shell processes in that window.
    • On Windows, commands executed in a sub-shell require separate authorization.

    You can read more here: 1Password app integration security (1Password Developer)

    Can you tell me a little more about the use case here? Are you regularly opening new terminal windows when using the CLI? Do you already have biometric unlock enabled to make it easier to unlock 1Password rather than typing in your account password each time?

    -Dave

  • mickael
    Community Member

    Hey @Dave_1P

    Thanks for taking the time to answer.

    Yes, I have biometric support enabled.

    My use case is simple: I replaced some secrets in env variables in my dotfiles with calls to op cli. For example, the SendGrid Auth API key can be stored in an ENV variable: https://docs.sendgrid.com/ui/account-and-settings/api-keys

    But I guess, regarding 1Password auth restrictions, I have to change the way to access that info. Hopefully, this is a script I manage personally, so I will embed the call to op directly in it.

    But my question was more general, on the adequate way to replace ENV vars that store secrets with references to 1Password entries.

  • Hey @mickael, I wonder if 1Password Shell plugins would be a good fit? This allows you to reference credentials in 1Password when using command line tools - while we don't have a shell plugin for SendGrid yet, it's possible to build your own: Build your own shell plugins (beta) (1Password Developer)

    Outside of shell plugins, you can also load secrets into your environment using op run - this article discusses it a little further: Load secrets into the environment (1Password Developer)

    Let me know what you think! 😀

  • mickael
    Community Member

    Thanks @Dayton_ag. Indeed, using op run in an alias should be the easiest way to manage that issue. Thanks for pointing me in that direction.

  • Happy to help! 😄

This discussion has been closed.
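
The approach the thread settles on, keeping only secret references in a file and resolving them with op run when a command needs them, sketched as an added example (not part of the original discussion and not 1Password's own code). The file path, the helper names `check_env_refs` and `with_secrets`, the alias, and the `op://Private/SendGrid/credential` reference are constructed placeholders.

```shell
# Added example for ~/.zshrc (also valid in bash); all names are assumptions.
# The env file holds secret *references* only, e.g. (constructed placeholder):
#   SENDGRID_API_KEY=op://Private/SendGrid/credential
OP_ENV_FILE="${OP_ENV_FILE:-$HOME/.config/op/secrets.env}"

# Return 0 only if every assignment in the file is an op:// reference, so a
# plaintext secret pasted into the file is caught before anything runs.
# Values are never printed, only the file, line number and variable name.
check_env_refs() {
    local file line n bad
    file=$1
    n=0
    bad=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;        # blank line or comment
            *=*) ;;                     # NAME=value, checked below
            *) echo "$file:$n: not NAME=value" >&2; bad=1; continue ;;
        esac
        case ${line#*=} in
            op://*/*/*) ;;              # op://vault/item/field
            *) echo "$file:$n: ${line%%=*} is not an op:// reference" >&2
               bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

# Run one command with the references resolved into that command's
# environment only. Nothing in shell startup calls op, so authorization is
# requested when a wrapped command runs, not when a terminal opens.
with_secrets() {
    check_env_refs "$OP_ENV_FILE" || return 1
    op run --env-file="$OP_ENV_FILE" -- "$@"
}

# Hypothetical usage: wrap only the tools that need the key.
# alias send-report='with_secrets ~/bin/send-report.sh'
```

The secret value never lands in the interactive shell's environment, so it is not inherited by every process started from that terminal.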