perhlom
3 years ago, New Contributor
CLI keeps prompting for authentication
Hi,
I'm trying to come up with the best way to use the CLI to load secrets into some dev/deploy scripts, and I can't figure out how to avoid 1Password prompting for authentication incessantly. I w...
perhlom
3 years ago, New Contributor
After some investigation, this is what we understand.
In short, 1Password and Git Bash don't go well together. Everything works as expected in Windows Terminal and PowerShell, but not in Git Bash. As we understand it, this is because Windows Terminal is authenticated as a process using Windows Hello, so "op signin --raw" doesn't return anything, because a token isn't used to authenticate at all; Windows Hello is authenticating the processes against each other.
But since Git Bash launches a new process for every command, this child process isn't authenticated with Windows Hello, causing it to re-prompt for Windows Hello authentication, which takes 3-5 seconds for every call.
One (unacceptable) solution is to disable Windows Hello for the whole 1Password installation. But then your whole use of 1Password is without Windows Hello.
The other option is to disable the CLI integration with the local 1Password installation, causing you to authenticate against the 1Password servers instead, but this invokes some new tricky issues:
Git Bash's terminal isn't able to get text output from any of the OP commands, so invoking e.g. "op account add" or "op signin" is completely non-interactive. If you can guess the output, you can type the right things, but adding accounts is difficult.
So the workflow would have to be that you do "op account add" in a Windows PowerShell, which is properly interactive. This involves entering your account email address, the --address (my.1password.com or similar), the secret key and the password. This adds the account to the CLI itself, making it also available in Git Bash afterwards.
So now it's possible to go to Git Bash and do "OP_TOKEN=$(op signin --raw)", and guess whether op signin is asking you for a password. If it does, it appears to freeze, but if you enter the password, you get a token back. All subsequent bash calls should then be in the form of "op read --debug "op://Development/Dev Secrets/Demo Values/TESTKEY" --session ${OP_TOKEN}".
And now these calls are reasonably fast. I do need to figure out why any OP commands are non-interactive in Git Bash. It looks like 1Password is simply using another output pipe. Any help would be much appreciated.
The downside is no Windows Hello. You have to enter your password every time. So it's a good idea to load the credentials only in a launchpad script, export your credentials, and then run all your scripts without being asked again.
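The launchpad approach from the post above, written out as an added example (not part of the original post, and not 1Password's own code). It assumes CLI app integration is disabled and the account was already added from PowerShell; the `SECRET_MAP` variable, the function names and the script names are hypothetical.

```sh
#!/bin/sh
# Launchpad sketch (added example, not from the post). Assumes CLI app
# integration is off and the account was added via "op account add" in PowerShell.

# Constructed map, one ENV_NAME=secret-reference per line; the reference is the post's.
SECRET_MAP='TESTKEY=op://Development/Dev Secrets/Demo Values/TESTKEY'

# Sign in once. OP_TOKEN is deliberately NOT exported, so child scripts
# receive the resolved secrets but never the session token itself.
op_session_start() {
  if [ -z "${OP_TOKEN:-}" ]; then
    # op's own prompt may not render in Git Bash, so print one ourselves.
    echo "1Password password (input is read even if nothing is shown):" >&2
    OP_TOKEN=$(op signin --raw) || return 1
  fi
  [ -n "$OP_TOKEN" ]
}

# Resolve each reference with the cached token and export the value.
load_secrets() {
  while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    name=${entry%%=*}
    ref=${entry#*=}
    # </dev/null keeps op from consuming the rest of the map on stdin.
    value=$(op read "$ref" --session "$OP_TOKEN" </dev/null) || {
      echo "launchpad: could not read $ref" >&2
      return 1
    }
    export "$name=$value"
  done <<EOF
$SECRET_MAP
EOF
}

# Authenticate, load, then run the given command with secrets in its environment.
run_with_secrets() {
  op_session_start || return 1
  load_secrets || return 1
  "$@"
}

# Usage: ./launchpad.sh ./deploy.sh   (hypothetical script names)
if [ "$#" -gt 0 ]; then
  run_with_secrets "$@"
fi
```

Because the token stays a plain shell variable, only the launchpad process can make further `op` calls; anything it launches sees just the secrets it was given.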