How can I avoid having to authenticate constantly to retrieve secrets?

mickael
Community Member

Hi,

I decided to switch from my tool https://github.com/mickaelperrin/onepassword-local-search to the native implementation of SSH key management and secrets retrieval for my daily use.

This works great overall; however, it looks like I can't find a way to avoid being asked for auth each time I launch a new terminal.

I have some ENV variables that contain secrets, and I init them in my ZSH configuration by making a call to the op CLI.

It looks like the 1Password configuration is for SSH keys only.

https://share.cleanshot.com/ng43mG62XnGhllykz4rF

Is there a way to prevent that?



Comments

  • Dave_1P

    Hello @mickael! 👋

    Thank you for the question! Being asked to authenticate in each new terminal session is part of the CLI integration's authorization model:

    Each time you use a 1Password CLI command in a new terminal window or tab, you'll need to authorize your account again:

    • On macOS and Linux, authorization is confined to a terminal session but extends to sub-shell processes in that window.
    • On Windows, commands executed in a sub-shell require separate authorization.

    You can read more here: 1Password app integration security Developer

    Can you tell me a little more about the use case here? Are you regularly opening new terminal windows when using the CLI? Do you already have biometric unlock enabled to make it easier to unlock 1Password rather than typing in your account password each time?

    -Dave

  • mickael
    Community Member

    Hey @Dave_1P

    Thanks for taking the time to answer.

    Yes, I have biometric support enabled.

    My use case is simple: I replaced some secrets in env variables in my dotfiles with calls to the op CLI. For example, the SendGrid Auth API key can be stored in an ENV variable: https://docs.sendgrid.com/ui/account-and-settings/api-keys

    But I guess, regarding 1Password auth restrictions, I have to change the way to access that info. Hopefully, this is a script I manage personally, so I will embed the call to op directly in it.

    But my question was more general, on the adequate way to replace ENV vars that store secrets with references to 1Password entries.
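
One way to do what the last post describes: move the `op` call out of the shell startup file and into the command that needs the secret, so the authorization prompt appears on first use instead of in every new terminal. This is an added example, not code from the thread or from 1Password; `with_secret`, `send_report`, `send-report.sh` and the `op://Private/SendGrid/credential` reference are assumed names.

```shell
# Added example (works in sh, bash and zsh). Nothing here runs at shell
# startup; the functions are only defined, so opening a terminal never
# triggers a 1Password authorization prompt.

# with_secret VAR REF CMD [ARGS...]
# Resolves secret reference REF with `op read` and runs CMD with VAR set to
# the value. The body is a subshell "( ... )", so the value is never exported
# into the interactive shell and is gone when CMD exits.
with_secret() (
  [ "$#" -ge 3 ] || {
    echo "usage: with_secret VAR op://vault/item/field cmd [args...]" >&2
    exit 64
  }
  var=$1 ref=$2
  shift 2

  # Reject anything that is not a plain environment variable name.
  case $var in
    ''|[0-9]*|*[!A-Za-z0-9_]*)
      echo "with_secret: invalid variable name" >&2; exit 64 ;;
  esac
  # Only accept secret references, so a literal secret is never passed here.
  case $ref in
    op://*) ;;
    *) echo "with_secret: expected an op:// secret reference" >&2; exit 64 ;;
  esac

  # The authorization prompt (if any) happens here, at first use.
  val=$(op read "$ref") || { echo "with_secret: op read failed" >&2; exit 1; }
  [ -n "$val" ] || { echo "with_secret: empty secret" >&2; exit 1; }

  # `export` is a shell builtin, so the value never appears in a process
  # argument list, unlike `env VAR=value cmd`.
  export "$var=$val"
  "$@"
)

# Hypothetical wrapper for a personal script that expects SENDGRID_API_KEY.
# Vault, item and field names are placeholders for your own entry.
send_report() {
  with_secret SENDGRID_API_KEY "op://Private/SendGrid/credential" \
    ./send-report.sh "$@"
}
```

Because authorization is scoped to the terminal session, repeated calls in the same window reuse the existing authorization until it expires.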