Service Account Access

Options
Pleonasm
Pleonasm
Community Member
edited April 2023 in CLI

What is the purpose of the "Service Account Access" toggle setting, visible when viewing "Vault Details" on 1Password.com? Why is it enabled by default, and what functionality is lost if it is disabled?

Thank you for your assistance.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided

Comments

  • GreyM1P
    GreyM1P
    Options

    Hi there @Pleonasm

    Short version: You almost certainly don't need to do anything, and toggling that switch will have no effect.

    Service Accounts can be thought of as non-human users on your 1Password account which can be used to perform tasks on your behalf through the command line. They're designed mostly for business users, although any type of 1Password account can use them.

    You can find out more about the beta of Service Accounts here: 1Password Service Accounts beta Developer.

    If the idea of a Service Account is new to you, you very likely don't have any Service Accounts set up on your 1Password account, so toggling that switch off wouldn't make any difference and you wouldn't lose any functionality.

    The toggle is there to allow, or prevent, any Service Accounts on your 1Password account from being able to perform actions in that vault. You'll never see it on your Personal or Private vault, since only you have access to them.

    To be able to access that toggle, you need to be a user with the ability to manage vaults – an Admin or Owner on a Business or Teams account, or a Family Organizer in 1Password Families – so unprivileged users won't see it or be able to change it.

    I'll be happy to answer any questions if you have them. :)

    – Grey

  • GreyM1P
    GreyM1P
    Options

    @Pleonasm

    If you don't have a Service Account set up already, and all of your family members or team members are human (so to speak), then that switch won't make a difference.

    The 1Password command-line interface (CLI) still needs all the usual sign-in details – email address, Secret Key, and account password – so is just as secure as signing in to 1Password.com or using the 1Password apps. The only distinction here is that Service Accounts can only work through the command-line interface, since they're essentially a kind of bot that you control to use on your own 1Password account.

    Service Accounts also don't have the usual sign-in details of email address, Secret Key, and account password, but rely on a randomised token instead.

    Long story short – that switch will only make any difference to functionality or privacy if, and only if, you're already using one or more Service Accounts. In all other cases, it will have no effect.

  • pdxuser
    pdxuser
    Community Member
    Options

    @GreyM1P While I fully understand the use-case for service accounts and I'm in support of using them in these scenarios, I do think 1PW should rethink the default setting of this switch. While I understand that CLI setup is requires, enabling an API be default to be on is bad practice. Setting the switch by default to "off" would be the prefeed option I think. It prevents inadvertently setting up CLI credentials without knowing what one is doing, and having a switch defaulted to "off" gives an added level of comfort. Experts who are setting up CLI will know that the switch needs to be toggled to "on". Thanks for giving this suggestion some consideration.

  • GreyM1P
    GreyM1P
    Options

    @pdxuser

    enabling an API be default to be on is bad practice

    Service Accounts don't make use of an API – they interact with items and vaults using the same methods as a human user would using the app, just through the command line, rather than graphically. The switch shown to allow Service Accounts access to a vault is functionally similar to the "Safe For Travel" switch.

    Turning off "Safe For Travel" essentially tells 1Password not to show that vault to anyone on any of the 1Password apps.
    Turning off "Service Account Access" tells 1Password not to show that vault to Service Accounts anywhere.

    The switch is more about your privacy from Service Accounts, rather than anything to do with security. You would have to deliberately sign in to 1Password.com, go to the Integrations Directory, then click "Create a Service Account" and follow the steps from there to create a Service Account.

    Even then, that Service Account isn't going to do anything until commanded to do so. To make it do something, you would have to then set up an automation for it from the 1Password command-line interface.

    It prevents inadvertently setting up CLI credentials

    There are no separate credentials required for the CLI. If you, as a regular user, want to use the CLI, you would use your normal sign-in details of email address, Secret Key, and account password.

    Experts who are setting up CLI will know that the switch needs to be toggled to "on".

    Users who are using the CLI don't have to set up Service Accounts to do so – they can use the CLI using their own sign-in details. As such, the Service Account Access toggle will do nothing.

    In summary then, for the Service Account Access switch to have any effect, there must be at least one active Service Account set up on your 1Password account, and that Service Account needs to have an automation assigned to it. Unless both of those things are true, then that switch's position won't matter at all.

  • GreyM1P
    GreyM1P
    Options

    @Pleonasm

    Is it not prudent for users to verify that [the 1Password CLI] is disabled?

    Not particularly, no. The 1Password CLI needs to be installed separately – it isn't bundled with the 1Password app. More info on that here: Get started with 1Password CLI Developer # Install.

    As such, if you haven't deliberately installed the 1Password CLI alongside the main 1Password app, then turning on that "Connect with 1Password CLI" switch isn't going to do anything, considering there's nothing it can "talk to".

    Using a hypothetical situation as an example: If you didn't install the 1Password browser extensions, then it would be the same situation with the "Connect with 1Password in the browser" switch on the Browser tab of 1Password's Settings – nothing changes, because the other end of that link isn't there.

    Both "ends" of each of these links (to 1Password in the browser, the 1Password CLI, or Service Accounts) need to be present and active for any of these switches to have any effect.

    I hope that clarifies things, but I'll be able to answer any questions.

This discussion has been closed.