Can't use "op inject" in a script run with "op run" using 1Password Connect?

XIII
Community Member
edited April 2022 in CLI

Situation:

  • Script script1 contains op run --env-file=... -- script2
  • Script script2 contains op inject -i ... -o ...

Observed behaviour:

➜ script1
No accounts configured for use with 1Password CLI.

You can either:
 - Sign in with biometric unlock; see https://developer.1password.com/docs/cli/get-started/#sign-in for details.
 - Add an account manually with `op account add`; see `op account add --help` for details.

Do you want to add an account manually now? [Y/n]

Expected/Desired behaviour:
op inject uses 1Password Connect server defined by $OP_CONNECT_HOST.

If I echo $OP_CONNECT_HOST in the scripts, they both report the correct value, but still I get the above error when (if and only if) op inject is executed...

What am I doing wrong?

Or is running op inject within op run not supported?


1Password Version: 1Password CLI 2.0.0
Extension Version: n/a
OS Version: Asuswrt-Merlin 386.5_2

Comments

  • Hey @XIII,

    Thank you for reaching out to us.
    The issue here is that, when passing the environment to the spawned subprocess, op run filters all the CLI-related credentials (OP_SESSION, OP_CONNECT_... etc.). However, we recently realised that this offers no real security benefit, so the next release of the CLI should get rid of this behaviour. Stay tuned for that!

    Best,
    Horia
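
A preflight check for the situation described above, added here as an example (it is not from the thread or from 1Password): it confirms that the Connect variables are actually exported to child processes before `op inject` runs, so the script fails with a clear message instead of dropping into the interactive account prompt. `op_env_preflight` and `run_filtered` are hypothetical helper names, `OP_CONNECT_TOKEN` is assumed to be the token variable used alongside `OP_CONNECT_HOST`, and the values are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from 1Password.

# Succeeds only if every named variable is exported and non-empty, i.e. would
# be inherited by a child process such as `op inject`. A variable that is set
# in the shell but not exported still shows up in `echo`, yet a child never
# sees it. Only names are reported, never values.
op_env_preflight() {
    missing=""
    for name in "$@"; do
        # `env` lists exactly what a child process would receive.
        if ! env | grep -q "^${name}=."; then
            missing="$missing $name"
        fi
    done
    if [ -n "$missing" ]; then
        echo "not visible to child processes:$missing" >&2
        return 1
    fi
    return 0
}

# Run a command with the Connect variables removed from its environment,
# mimicking the filtering the reply above attributes to op run in CLI 2.0.0.
run_filtered() {
    ( unset OP_CONNECT_HOST OP_CONNECT_TOKEN; "$@" )
}

# Constructed values, for demonstration only.
export OP_CONNECT_HOST="http://connect.example.invalid:8080"
export OP_CONNECT_TOKEN="constructed-placeholder-token"

# Inherited environment: the check passes.
op_env_preflight OP_CONNECT_HOST OP_CONNECT_TOKEN && echo "inherited: ok"

# Filtered environment: the check fails before op would be invoked.
run_filtered op_env_preflight OP_CONNECT_HOST OP_CONNECT_TOKEN ||
    echo "filtered: Connect settings missing, stop before calling op inject"
```

In a script like script2, calling `op_env_preflight OP_CONNECT_HOST OP_CONNECT_TOKEN || exit 1` ahead of `op inject` keeps an unattended run from blocking on the `[Y/n]` prompt.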

  • XIII
    Community Member

    That's good news!

    To set my expectations: when can I roughly expect a new CLI release? (Days/weeks/months?)

  • We would like to do it sooner rather than later. We're currently in the process of setting up multiple parallel release channels (there are features that we'd still like user validation on, which will likely be released initially in a beta). Once that is done, the very first release should contain this fix. It will not be months, definitely; I think we're talking about days or a few weeks at most. Other than that, I cannot offer an estimate.

  • XIII
    Community Member

    However, it seems to work anyway in 2.0.1?

    Can you confirm this?

  • Horia.Culea_1P
    edited April 2022

    Hey @XIII, indeed, it made it in the release. This change corresponds to a changelog entry under Security:

    """
    Filtering of op specific environment variables has been removed from op run, as no security advantages are obtained by this filtering. Credits to Secfault Security. {2184}
    """

    Let us know if you have any further questions!

    Best,
    Horia

  • XIII
    Community Member

    Thanks for confirming!

  • No worries! Let us know if you need our help with anything else here.

    Best,
    Horia

This discussion has been closed.