Change password using "op item edit" without having it on the command line?

EdGue
EdGue
Community Member

I need to programmatically update the password for multiple entries in my vault.

This here works nicely:

op item edit some-item "password=noneofyourbusiness"

but it has 2 problems:

  • obviously, the password shows up on the command line, so it is visible to other processes
  • less obvious: this can break when passwords contain sensitive "shell characters", like "&"

The only way I see:

  • do op item get --format=json
  • within the script, manipulate that data and update the password field as needed
  • turn the whole string into base64 (within the script)
  • do something like echo {} | base64 --decode | op item edit some-item where {} would contain that base64 encoded json

I have done similar things in the past, but I hope: there is an easier way to achieve the same?

Comments

  • EdGue
    EdGue
    Community Member

    Just now realising: op item edit doesn't read from stdin (yet).
    What a shame.

    I guess that means: the 2 problems I mentioned above are very real with the 1Password CLI,
    and I do hope that edit reading from stdin is added soon, as there is NO way to workaround
    this deficiency.

  • Hi @EdGue, we do have an internal issue tracking this problem, which we are currently pursuing. Expect op item edit to be able to support stdin soon.

  • EdGue
    EdGue
    Community Member

    Excellent, and really appreciated. I coded my solution to use the op item edit xxx password= ... and as expected: when the password contains a " character, it just doesn't work to pass that value without running into issues. So a way to read from stdin (at least for the password) ... I would consider that a bugfix, not just a neat feature ;-)

  • Thanks for your feedback!

  • cliKing
    cliKing
    Community Member

    @EdGlue You must use the escape mecanisms of your shell to escape the special characters.

    With bash or zsh (Linux/Mac) use single quotes and escape those single quote with a backslash.

    Example with password abc'def :

    $ op item edit some-item 'abc'\''def'
    
  • Thanks for the feedback!

  • tjthread
    tjthread
    Community Member

    Expect op item edit to be able to support stdin soon.

    @andi.t_1P Has there been any progress on this?

  • Hi @tjthread:

    Nothing to share just yet, but I've added your interest to the internal issue we have for this.

    Jack

    ref: dev/b5/op#1849

  • terinjokes
    terinjokes
    Community Member

    @Jack.P_1P Any update on this? op item create supports creating secrets from stdin, but there's still no ability to edit existing ones (other than to delete and recreate).

  • Hey everyone, thank you for bumping this, and sorry for the late response!

    No updates to share at this point. This is definitely on our radar, but not on our short road-map, so I can't offer any estimates about timelines at this point. Some development work that will allow us to later add this easier is currently already taking place, so we'll make sure to share any updates when we have any.

    Thank you for your patience!

    Best,
    Horia

This discussion has been closed.