Recommended way to use credentials in the code - NodeJS

imftec
Community Member

Hi!

I have a NodeJS application and I'm trying to figure out the best way to use 1Password Secret Automation. I already have a Connect server in place and also already did some tests successfully.

I understand we can have secret references in a .env file and then start the node process using op run --env-file .my_env_file -- node index.js, for example. This is working just fine for me.

But I have some secrets that cannot be stored in environment variables because they're defined for each user in our platform, and we need to read an item's value at runtime.

I was considering the nodejs lib, but it looks like it is not possible to read a secret value using this lib. I was able to list and get items from vaults, but I was unable to read an item's value.

What is the recommended way to read item values at runtime?

Thanks in advance.



Comments

  • imftec
    Community Member

    Hi!

    I'm still struggling to find a way to read secrets at runtime, and I'm about to give up using 1Password for secrets on our platform.

    I saw one example at this link that I can't get to work:

    Referencing secret values that way in the code is what I'm trying to accomplish.

    I thought of using API calls to get secret values as specified here in the docs, but for that we'd need to specify UUIDs, and that is not practical for development once vaults will have different UUIDs between development, staging, and production.

    If it were possible to get vault items via REST API using op:// references I'd go that way, but it looks like it is not an option.

    Unfortunately we'll need to look for alternatives other than 1Password. :(

  • Hi @imftec:

    Thanks for reaching out, and I'd like to apologize for not getting back to you sooner. Just so I can make sure we're both on the same page, you're looking to dynamically load secrets into a system once it's running, is that correct?

    You mentioned that the biggest hurdle with using API calls is that you'd have different vaults between development, staging, and production. Would it be possible to use an environment variable to determine which "channel" the system is running in, and use the appropriate vault? That would allow you to use vault UUIDs, allowing for the use of the API call format.

    Let me know.

    Jack

  • imftec
    Community Member

    Hi @Jack.P_1P, thank you for your response.

    Yes, we need to dynamically load secrets at run time. There are some secrets that can be loaded as environment variables, but many other secrets must be loaded dynamically, at run time.

    I understand, as per the documentation, that in order to read an item from any vault using REST APIs I should call GET /v1/vaults/{vaultUUID}/items/{itemUUID}. The hurdle here is that the UUID (both for the vault and for the item) will be different for development and production (once the credentials will reside, obviously, in different vaults).

    Is there a reason for the nodejs sdk not to include a method to read a secret, but only get item metadata? I mean, why doesn't getItemByTitle return the item's fields? Are there any security restrictions for that?

  • Hey @imftec,

    Our Connect JS SDK does support getting the item's details when you look for it by title. This is achieved with the function you mentioned: getItemByTitle.
    In order for this to work, the item's title is expected to be unique, otherwise the client will throw an error (saying that there are too many items with the same title).

    Here's a snippet of a sample js file that will print a list of an item's fields (in JS fields are stored in objects named FullItemAllOfFields). You should be able to see all the details of all the fields the item contains. The snippet is using the latest version of the SDK, which is 1.3.0.

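    // Run as an ES module (for example a .mjs file) so top-level await works.
    import { OnePasswordConnect } from "@1password/connect";
    
    // Create new connector with HTTP pooling
    const op = OnePasswordConnect({
        serverURL: process.env.OP_CONNECT_HOST,
        token: process.env.OP_CONNECT_TOKEN,
        keepAlive: true,
    });
    
    // Look up the vault by title, then the item by title within that vault
    const vault = await op.getVaultByTitle("Your Vault Title");
    
    const item = await op.getItemByTitle(vault.id, "Your Example Item");
    
    // Prints every field of the item, secret values included
    console.log(item.fields);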
    

    To get an item's field's value (based on its label), you can use a line like the following:

    item.fields.find(o => o.label === "your-field-label").value
    

    Does this help in realising your use case? Is there something else you're running into when trying to get your desired secrets with our Connect JS SDK?

    Let us know.
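
Added example, not part of the original replies and not 1Password's code: it combines the two suggestions in this thread, picking the vault title from the deployment environment and reading a field by item title and label, so no UUIDs are hard-coded. The environment names, vault titles, item titles and the in-memory `fakeClient` are constructed for illustration; a real `OnePasswordConnect` client would be passed in its place.

```javascript
// Assumption: these environment names and vault titles are hypothetical.
const VAULT_TITLES = { development: "app-dev", staging: "app-staging", production: "app-prod" };

function vaultTitleFor(env) {
  if (!Object.prototype.hasOwnProperty.call(VAULT_TITLES, env)) {
    throw new Error(`no vault configured for environment "${env}"`);
  }
  return VAULT_TITLES[env];
}

// Return the value of exactly one field with this label; fail closed otherwise.
function pickField(item, label) {
  const matches = (item.fields || []).filter((f) => f.label === label);
  if (matches.length !== 1) {
    // Report labels and counts only, never field values.
    throw new Error(`item "${item.title}": expected 1 field "${label}", found ${matches.length}`);
  }
  return matches[0].value;
}

// `client` needs getVaultByTitle(title) and getItemByTitle(vaultId, title),
// the two SDK calls used in the reply above. The vault is resolved once.
function makeSecretReader(client, env) {
  let vaultId; // cached promise for the vault id; reset if the lookup fails
  return async function read(itemTitle, fieldLabel) {
    if (!vaultId) {
      vaultId = client.getVaultByTitle(vaultTitleFor(env))
        .then((v) => v.id)
        .catch((e) => { vaultId = undefined; throw e; });
    }
    const item = await client.getItemByTitle(await vaultId, itemTitle);
    return pickField(item, fieldLabel);
  };
}

// Constructed in-memory stand-in for the Connect client, for offline runs.
function fakeClient() {
  const items = {
    "user-42-api": { title: "user-42-api", fields: [{ label: "token", value: "constructed-token-42" }] },
  };
  const calls = { vault: 0 };
  return {
    calls,
    getVaultByTitle: async (title) => { calls.vault += 1; return { id: `id-of-${title}` }; },
    getItemByTitle: async (vaultId, title) => {
      if (vaultId !== "id-of-app-staging" || !items[title]) throw new Error(`item "${title}" not found`);
      return items[title];
    },
  };
}
```

Keep the returned value out of logs and error messages, and create one reader per process so the vault lookup is not repeated on every request.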

  • imftec
    Community Member

    Hello @eddy_1P,

    How is it possible I overlooked that in the docs?

    Yes, that is exactly what I was looking for!

    Thank you very much!

  • Hi @imftec:

    On behalf of Eddy, you're very welcome! Please get in touch if there's anything else we can help you with!

    Jack

This discussion has been closed.