ddlawson
New Contributor
16 days ago

1Password Environments Beta is awesome

Just wanted to drop some feedback after playing around with the new Environments Beta in 1Password. Honestly, I’m loving it so far. The local .env file mounting is just brilliant. Secrets are easy to access without having to run extra commands, but still secure – exactly what I want. Makes switching between machines seamless, too.

A couple of things I’d really like to see next:

1. CLI Integration - being able to create/edit/list environments and variables from the terminal would make this so much more useful. Right now, having to click around in the desktop app is a bit of a pain for dev workflows.
2. More integrations: AWS Secrets Manager is a great start, but I would love to see GCP and other major providers such as GitHub, etc. A plugin system for integrations would also be awesome to help cover more niche players like Modal.com.

Overall, this is a huge step in the right direction for 1Password. Can’t wait to see where this goes next!

2 Replies

  • chris__hayes
    Occasional Contributor

    I just tried it out too and also find it pretty cool. Jumped on the forum to see if people are preferring it over the commands.

    The positives:

    • Easy to use and `.env` files "just work".
    • Reduces attack surface to only `.env` files you're actively using.
    • None of the quirks of running commands through `op run`.


    The negatives:

    • While it does reduce the attack surface, imo your secrets are a lot more exposed compared to `op run`.


    And that last point is the reason why I probably won't use Environments.

    • `op run` limits your secret access to the command you ran it on (like only your dev server).
    • Environments do not limit secret access; once you allow an `.env` to be readable, anything running on your system can now read those secrets.


    I imagine that's "good enough" for most people, but having lost a key, I'm a bit too paranoid to allow API keys outside the specific process I grant it to.

    But with that said, I enjoyed trying it out; `op run` is a pain on monorepos. One thing that could be improved:

    • If your env files have "Secret References", 1Pass Environments doesn't seem to handle those. It just imports the reference as the value of the env variable; I would've expected it to replace the reference with the value. Or even better, if it could just "link" the env value to a field via "Secret Reference", that would reduce the redundancy of having API keys in both Environments and as separate API credential entries.
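
A check for the unresolved Secret References described in the comment above, as an added example that is not part of the thread and not 1Password's own tooling. It assumes references use the `op://vault/item/field` form; the function names and the sample file contents are constructed for illustration.

```python
import re

# Assumption: a Secret Reference is a whole value of the form op://vault/item/[section/]field.
SECRET_REF = re.compile(r"^op://[^/]+/[^/]+/.+$")
# NAME=value, with an optional leading "export".
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_env(text):
    """Yield (line_no, name, value) for each assignment in .env-style text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT.match(raw)
        if not m:
            continue  # blank lines, comments, anything that is not NAME=value
        name, value = m.group(1), m.group(2).strip()
        if value[:1] in ("'", '"'):
            # Quoted value: keep what sits between the quotes, drop any trailing comment.
            end = value.find(value[0], 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            # Unquoted value: strip an inline comment.
            value = value.split(" #", 1)[0].rstrip()
        yield line_no, name, value


def find_unresolved_refs(text):
    """Return (line_no, name) for variables whose value is still a reference.

    Only names are returned, so the report never echoes resolved secret values.
    """
    return [(n, name) for n, name, value in parse_env(text) if SECRET_REF.match(value)]


# Constructed sample input, not real credentials.
SAMPLE = """\
# constructed sample
DATABASE_URL=postgres://localhost:5432/dev
STRIPE_KEY=op://dev/stripe/credential
export SENTRY_DSN="op://Dev Vault/sentry/dsn"  # quoted reference
API_BASE=https://api.example.test/op://not-a-ref
EMPTY=
"""

if __name__ == "__main__":
    for line_no, name in find_unresolved_refs(SAMPLE):
        print(f"line {line_no}: {name} still holds a secret reference, not a value")
```

Run against a file before importing it, any variable it reports would reach the application as the literal reference string rather than the credential.
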
  • Hi ddlawson,

    Thanks for sharing your gracious thoughts and your feature requests as well!

    We will see to it that these get to the right hands internally. Please feel free to reach out at any time.

    Regards,
    Phil & team