Reuse a session token from environment, not from command line

kdomanski
Community Member

The op signin command has an immensely useful functionality:

You can use the `--session` option with the `signin` command to reuse an
active token or to test whether a session has expired. This may be
useful when writing scripts that use the command-line tool. If the
session is active, the tool will use it and return the same token. If
the session is expired, you’ll have to sign in again. 

However, as Michael pointed out in https://1password.community/discussion/123986/command-line-tool-v1-12-2-op-create-item-template-file-json it is insecure to provide secrets on the command-line. For example, in shared and cloud environments there's a risk of other users seeing the session token through ps or the token making its way to audit logs.

With that in mind, it would be fantastic if the token reuse functionality was usable with the session token in an environmental variable. I see two possible approaches:
1. Change the default behavior of op signin (without --session parameter) to reuse the existing session token by default. Add a new parameter e.g. --new-session to force a new sign-in.
2. Leave the current default behavior as it is, add a --reuse parameter to tell the CLI to try reusing the token from env.

Best regards,
Kamil Domański



Comments

  • zcutlip
    Community Member

    If I understand your question correctly, op already does this. E.g., in a bash, zsh, or similar environment, do:

    $ eval $(op signin)
    

    Then your session token is exported as an environment variable and is reused automatically (until it expires).

    I suspect there are similar invocations for Windows and other shells.

    Cheers,
    Zach

  • @zcutlip is right.

    All op signin does is print this:

    export OP_SESSION_<account shorthand>=<session token>
    

    When evaluated, it stores that environment variable for you for next invocations of 1Password CLI commands.

    You can find the shorthand of your account using op signin --list.

    PS: You're also right about there being a Windows equivalent, it's Invoke-Expression $(op signin)

This discussion has been closed.
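
The exposure raised in the original post (a token passed with `--session` being visible to other users through `ps`) can be audited on Linux. The script below is an added example, not part of the thread or of 1Password's tooling; the function name `scan_session_args` and its `PROC_ROOT` parameter are assumptions made for illustration, and it relies on Linux exposing each process's arguments in `/proc/<pid>/cmdline`.

```shell
#!/bin/sh
# Added example: report processes that carry a --session value in argv.
# On Linux, /proc/<pid>/cmdline is readable by every local user (unless
# /proc is mounted with hidepid), while /proc/<pid>/environ is readable
# only by the process owner and root. A token in OP_SESSION_<shorthand>
# therefore stays out of ps output; a token given to --session does not.

# scan_session_args [PROC_ROOT]
# Prints "<pid> <command> --session=<redacted>" for each match.
# PROC_ROOT defaults to /proc; the parameter is a hypothetical hook so
# the function can be pointed at a constructed fixture directory.
scan_session_args() {
    proc_root="${1:-/proc}"
    for f in "$proc_root"/[0-9]*/cmdline; do
        # Skip unreadable entries and processes that have already exited.
        [ -r "$f" ] || continue
        pid="${f%/cmdline}"
        pid="${pid##*/}"
        # argv entries are NUL-separated; convert them to one per line.
        # Both "--session VALUE" and "--session=VALUE" are matched, and
        # the value itself is never printed.
        tr '\000' '\n' < "$f" | awk -v pid="$pid" '
            NR == 1           { cmd = $0 }
            want              { if ($0 != "") hit = 1; want = 0 }
            $0 == "--session" { want = 1 }
            /^--session=./    { hit = 1 }
            END { if (hit) printf "%s %s --session=<redacted>\n", pid, cmd }
        '
    done
}

# Run against the live process table when executed directly:
#   scan_session_args
```

Run it periodically or from a CI job on shared hosts; any output means a script should be changed to rely on the exported `OP_SESSION_<account shorthand>` variable instead.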