Automate CLI on headless client

jpauls
Community Member

Hi all, I'm researching ways to use the 1Password CLI to add users to groups/vaults based on events in another system.

I think I can easily get the CLI running on a Linux VM, and write a simple REST API to run CLI commands. However, I'm struggling to find the recommended way to handle authentication with the CLI. Session tokens expire due to inactivity, and I can't have someone log into the server every time we need to get a new token.

I could have the CLI run something often enough to prevent a timeout, but is there a better way to automate the CLI as part of an integration? Do I just need to store my integration user's credentials in an env variable on the server?

Thanks!


Comments

  • zcutlip
    Community Member

    Service accounts are probably what you're looking for. They're currently in beta, but the idea is you create a service account with access to specific vaults, then set an environment variable for that account's token. Any op operations on items that account has access to can proceed without further authentication.

    In addition, I've asked for a headless/non-interactive mode that is guaranteed to hard-fail if no valid authentication (e.g., session token or service account) is present. For example, if your unattended script is using a service account, but there's a typo in the token or that account has been revoked. In that case ideally it would fail rather than hang forever, prompting for authentication (either via console or GUI), so the error can be logged and fixed.

    Here's that discussion
    https://1password.community/discussion/comment/666122
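
An added example, not part of zcutlip's post and not 1Password's code: a Node.js wrapper for unattended `op` calls that refuses to start without a service account token, closes stdin, and enforces a timeout, so a bad or revoked token produces a loggable error instead of a hang. It assumes the token is supplied in `OP_SERVICE_ACCOUNT_TOKEN`; `runOp`, `childEnv`, `safeValue`, `whoami` and `getItem` are hypothetical names.

```javascript
const { execFile } = require('child_process');

// Values from the external system must never be parsed by op as flags.
const SAFE_VALUE = /^[A-Za-z0-9][A-Za-z0-9 ._@-]{0,127}$/;
function safeValue(value) {
  if (typeof value !== 'string' || !SAFE_VALUE.test(value)) {
    throw new Error('rejected unsafe CLI argument');
  }
  return value;
}

// Refuse to start without a token, and hand the child only what it needs
// (assumption: op needs nothing beyond PATH and HOME from the parent).
function childEnv(source = process.env) {
  const token = (source.OP_SERVICE_ACCOUNT_TOKEN || '').trim();
  if (!token) throw new Error('OP_SERVICE_ACCOUNT_TOKEN is not set');
  const env = { OP_SERVICE_ACCOUNT_TOKEN: token };
  for (const key of ['PATH', 'HOME']) if (source[key]) env[key] = source[key];
  return env;
}

// Run op without a shell; reject with a coded error on failure or timeout.
function runOp(args, { bin = 'op', timeoutMs = 15000, env = process.env } = {}) {
  return new Promise((resolve, reject) => {
    const options = { env: childEnv(env), timeout: timeoutMs, killSignal: 'SIGKILL' };
    const child = execFile(bin, args, options, (err, stdout, stderr) => {
      if (!err) return resolve(stdout);
      const failure = new Error(err.killed
        ? `op timed out after ${timeoutMs} ms`
        : `op failed: ${String(stderr).trim() || err.message}`);
      failure.code = err.killed ? 'OP_TIMEOUT' : 'OP_FAILED';
      reject(failure);
    });
    // A console prompt reading stdin gets EOF; the timeout covers anything else.
    if (child.stdin) child.stdin.end();
  });
}

// Preflight check: is the token accepted at all?
const whoami = (opts) => runOp(['whoami', '--format', 'json'], opts).then(JSON.parse);

// Read one item from a vault the service account has access to.
const getItem = (item, vault, opts) => runOp(
  ['item', 'get', safeValue(item), '--vault', safeValue(vault), '--format', 'json'],
  opts,
).then(JSON.parse);
```

Calling `whoami()` once at service start-up and treating a rejection as fatal surfaces a mistyped or revoked token before any request depends on it.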

  • Hi @jpauls:

    It sounds like your specific use case might be better served by 1Password SCIM Bridge.

    Automate provisioning in 1Password Business using SCIM

    Is that accurate? If not, let me know, and taking a closer look at your specific use case would probably be best.

    Jack

  • jpauls
    Community Member

    @Jack.P_1P Thanks, Jack. I'm looking for something more along the lines of what @zcutlip mentioned.

    I have an external system (Salesforce) that is not an identity provider, but will be used to manage who can access which customer vaults in 1Password. I'll be writing backend code in Salesforce that will reach out to a server with the 1Password CLI installed. There would be an API on this server (probably built with Node/Express) that uses the 1Password CLI to modify things.

    This wouldn't be needed if there was an API to directly interact with our 1Password instance.

  • Hi @jpauls:

    Thanks for following up! It sounds like us taking a closer look at your specific needs would be best. Can you please email us at support+forum@1password.com from the email address on your 1Password account and I'll get you in touch with our Solutions team.

    Jack

This discussion has been closed.