op run command reads non-existent item data

keiyamazaki
Community Member

I usually use 1Password with the op command, but I encountered a strange behavior where the op run command reads data for a non-existent item.

The steps to reproduce are as follows:
1. Create an item. At this time, set the item name in Japanese (I'm a Japanese user).
2. Move that item to another vault.
3. Use the op run command to access the item with the “pre-move” item ID.

When executing step 3, despite accessing the item with the pre-move Item ID, I am still able to retrieve the item’s information.

Below is the log from when I executed the op command.

% op item list --vault Old-Vault
ID                            TITLE                 VAULT                EDITED
ozym56n74fgvpo2z6uuyalfqvq    テストアイテム        Old-Vault            30 seconds ago

% op --cache=false read "op://Old-Vault/ozym56n74fgvpo2z6uuyalfqvq/password"
test-password-sfJddGyZZvDm!CJNJ7

% cat my2.env
TEST_ITEM_PASS_BY_ID="op://Old-Vault/ozym56n74fgvpo2z6uuyalfqvq/password"

% op --cache=false run --no-masking --env-file my2.env -- printenv TEST_ITEM_PASS_BY_ID
test-password-sfJddGyZZvDm!CJNJ7

# Move Item
% op item move ozym56n74fgvpo2z6uuyalfqvq --current-vault Old-Vault --destination-vault New-Vault
ID:          4ssn5vvleky4hcvyryjumvmo7u
Title:       テストアイテム
Vault:       New-Vault (y2haqnrzxfymqvglaimhfu5wwq)
Created:     now
Updated:     now by HZJFMULD5VFFVNZQ7TTGHOCMEQ
Favorite:    false
Version:     1
Category:    LOGIN
Fields:
  username:    test-user
  password:    [use 'op item get 4ssn5vvleky4hcvyryjumvmo7u --reveal' to reveal]

% op item list --vault Old-Vault

# Item ID has been changed
% op item list --vault New-Vault
ID                            TITLE                 VAULT                EDITED
4ssn5vvleky4hcvyryjumvmo7u    テストアイテム        New-Vault            27 seconds ago

# op read command can't read item data by old item id
% op --cache=false read "op://Old-Vault/ozym56n74fgvpo2z6uuyalfqvq/password"
[ERROR] 2024/10/16 15:36:37 could not read secret 'op://Old-Vault/ozym56n74fgvpo2z6uuyalfqvq/password': could not get item Old-Vault/ozym56n74fgvpo2z6uuyalfqvq: "ozym56n74fgvpo2z6uuyalfqvq" isn't an item in the "Old-Vault" vault.

# But op run command reads item data by old item id
% op --cache=false run --no-masking --env-file my2.env -- printenv TEST_ITEM_PASS_BY_ID
test-password-sfJddGyZZvDm!CJNJ7

Comments

  • keiyamazaki
    Community Member

    Today, I discovered that cli 2.30.1 is available in the apt repository (it seems the binary hasn't been uploaded to the site used for manual installation yet).

    I tried using cli 2.30.1 to see if the same issue would occur, and the problem was resolved.
    Since my last post, I recreated the item, so the ID is different.

    % op --version
    2.30.0
    % op --cache=false run --no-masking --env-file my2.env -- printenv TEST_ITEM_PASS_BY_ID
    test-password-ePLmmekLyDaRopaX6_
    
    
    % /usr/bin/op --version
    2.30.1
    % /usr/bin/op --cache=false run --no-masking --env-file my2.env -- printenv TEST_ITEM_PASS_BY_ID
    [ERROR] 2024/11/05 06:44:11 could not find item w2jtynpfqzpgluhlglb57pq4wu in vault Old-Vault, because it has been deleted or archived. Please restore the item if you want to use it with secret provisioning
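
The check below is an added example, not part of the original posts and not 1Password's own tooling. It validates every op:// reference in an env file with `op read`, which the log above shows rejecting the pre-move item ID, before the file is handed to `op run`. The function names are hypothetical, and the 2.30.1 version floor is taken from the comment above.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not part of the op CLI.

# Print "NAME reference" for each op:// secret reference in an env file.
list_op_refs() {
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    name=${line%%=*}
    value=${line#*=}
    value=${value#\"}; value=${value%\"}   # drop surrounding double quotes
    value=${value#\'}; value=${value%\'}   # drop surrounding single quotes
    case $value in op://*) printf '%s %s\n' "$name" "$value" ;; esac
  done < "$1"
}

# True when dotted version $1 >= $2 (assumes a sort that supports -V).
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Resolve every reference with `op read`; print stale ones, return 1 if any.
preflight_env() {
  stale=0
  ver=$(op --version)
  version_ge "$ver" 2.30.1 ||
    echo "warning: op $ver predates 2.30.1; op run may honour pre-move IDs" >&2
  refs=$(list_op_refs "$1")
  while read -r name ref; do
    [ -n "$ref" ] || continue
    # stdin comes from /dev/null so op cannot consume the loop's input;
    # the resolved secret is discarded, only the exit status is used.
    if ! op --cache=false read "$ref" </dev/null >/dev/null 2>&1; then
      echo "STALE $name $ref"
      stale=1
    fi
  done <<EOF
$refs
EOF
  return "$stale"
}

# Stand-alone use: sh preflight.sh my2.env && op run --env-file my2.env -- <command>
[ "$#" -eq 0 ] || preflight_env "$1"
```

A non-zero exit means at least one reference no longer resolves through `op read`, so the env file should be updated to the post-move item ID before `op run` is used.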