Possible to pass CLI on vm through to host?

CHasenpflug1
Community Member

Wondering if it's possible, been attempted, or known to not be possible at all, to somehow connect the CLI running in a vm or container to the host system. Specific use cases I'm thinking of are Linux nodes running on Windows via WSL1/2, and Docker dev containers running on any flavor of hosts. My thinking is that I'd like to not have to fully authorize these ephemeral systems, but instead install the CLI and have it benefit from the installation on my host OS, potentially including biometric security.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • Hey @CHasenpflug1,

    I have personally tested op running on Linux-based containers. We have repos on APK, Apt, and Yum that can be used to install op on them as well. If you are interested, please take a look at our installation guide, if you haven't done so already.

    https://developer.1password.com/docs/cli/get-started#install

  • CHasenpflug1
    Community Member

    Installing op into the container is not a problem. However, it seems as though I have to authenticate the container to my account. op vault ls asks me to manually add my account. Rather, I would like to be able to pass the CLI running in the container to the instance running on the host. Have I missed something in the installation steps that makes this possible?

  • Hey again @CHasenpflug1,

    Apologies, I missed a critical part of your question.

    There is no such way to do so at the moment, but we are working on service account access tokens for use in non-automated environments that may fit your use case.

    Alternatively, you could look into setting up a Connect server and accessing it via op using tokens.

    As a last resort, there is a way to authenticate to op that can be "scripted" in a non-interactive way, but I do not suggest it as it is a security risk.

    The op account add and op signin commands can accept the password piped via stdin. For example: eval $(echo "$PASSWORD" | op account add --email "$EMAIL" --address "$SIGNIN_ADDRESS" --secret-key "$SECRET_KEY")

    While this method can work, it can expose the password to any processes that are monitoring other processes being initialized.
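    The exposure Justin is describing is easy to see for yourself. The script below is an added example, not code from the thread or from 1Password: it spawns a child shell that reports its own command line from the process table, once with a constructed placeholder secret passed as an argument and once with the same value written to the child's stdin. Anything on argv is visible to every other local process that can run ps; stdin is not.

```shell
#!/bin/sh
# Added example (not from the thread): compare what other local processes can see
# when a secret travels on a child's command line versus on its stdin.
# Uses only ps(1); the secret value below is a constructed placeholder.

# Run a child shell that prints its own argv as recorded in the process table.
# Inside the -c script, $$ is the PID of that child shell, not of this script.
child_argv() {
  sh -c 'ps -o args= -p $$' sh "$@"
}

# "exposed" if SECRET shows up in the process table when passed as an argument.
probe_argv() {
  secret="$1"
  if child_argv "$secret" | grep -q -- "$secret"; then echo exposed; else echo hidden; fi
}

# "exposed" if SECRET shows up in the process table when passed only on stdin.
probe_stdin() {
  secret="$1"
  if printf '%s\n' "$secret" | child_argv | grep -q -- "$secret"; then echo exposed; else echo hidden; fi
}

probe_argv  "constructed-secret-9f2a"   # exposed
probe_stdin "constructed-secret-9f2a"   # hidden
```

The stdin route keeps the value out of ps and /proc/PID/cmdline, but it still lives in the shell variable, the shell's history if typed interactively, and the environment of anything that inherits it, which is why a token scoped to the container (the service-account and Connect approaches mentioned above) is the better fit for ephemeral systems.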

  • CHasenpflug1
    Community Member

    Thanks, Justin. I figured Connect may be the route I have to go. My hope was to be able to mount a socket on the child instance, similar to how Docker in Docker would work, such that the vm/container has a client interacting with the host over that socket. Passing ssh agent to a dev container is another example where we're able to interact between container/host processes. Similar process communications for op would open possibilities.

  • Thank you for your feedback, @CHasenpflug1!
    I'll make sure that it all gets filed with an internal issue, for further investigation.
    We'll update this thread whenever we have updates on these fronts (including service accounts, which may be an amelioration for your use case).
    Looking forward to hearing any other feedback that you may have!

    Best,
    Horia

  • Hi @CHasenpflug1,

    I'm Sadia, a Product Manager at 1Password, and have some news that may be interesting to you. I am looking for some developers and administrators that would be interested in chatting with me about a new feature our team has been working on: Service Accounts. Earlier this year, we introduced the CLI 2.0, where users can use “run” and “inject” commands to substitute secret references for secrets stored in 1Password vaults. With our new Service Account capabilities, organizations can use a separate non-user account to control and manage access to secrets without deploying additional services like Connect.

    We are currently building out service accounts and want to understand your pain-points and experiences with secrets management, and gather some feedback, so we could deliver the best product for our customers.

    If you are interested, please feel free to reach out to me at sadia.azmal@agilebits.com or sign up for a 30-minute slot on Calendly. I look forward to hearing from you :)

  • loryans
    Community Member

    I'm keen to chat @Sadia.Azmal_1P , but unfortunately all your slots are between 3am - 6:30am.
    My timezone is GMT+10 as I'm in Australia - do you have anything that could work for that?

  • Hi @loryans,

    Thank you for reaching out! What times are you available to chat? I can try to accommodate that.
    Also, feel free to reach out to me on my email sadia.azmal@1password.com.

This discussion has been closed.