Forum Discussion
danpr (Occasional Contributor), 2 years ago
Retrieve shared item by CLI doesn't seem to work
The documentation here: https://developer.1password.com/docs/cli/reference/management-commands/item/#item-get suggests one possible way to get an item is by shareLink, which I imagine is the URL that ...
danpr (Occasional Contributor), 2 years ago
Hi @Michael_1P,
Thanks for clarifying this! I didn't get an alert of your response (it seems that by default no email notifications are sent for replies to a topic I created), otherwise I would have jumped on your offer to have a call immediately ;) Right now I have a call scheduled with your colleague Alex tomorrow; I hope we can clear up some things then.
For my use case it would be fine to use a service account, since this is just needed for somewhat infrequent events (spinning up new VMs). In my testing I also worked with a service account. However, the issue is still that the CLI doesn't seem to support getting items by share links, even though the documentation looks like it should.
I'm also fine if we can retrieve the item by share link using the API directly. I've looked a bit into how the share page works, which just gets the item from your API; however, the item details in the response are encoded. Given that the page itself has everything it needs to decode this information, I should obviously be able to figure out how to do it given enough time and effort, but it would of course be very helpful if I could get some pointers in the right direction for this ;)
Just a bit of background: what this would allow us to do is provision new VMs (or containers or whatever) without needing to store 1Password credentials on that VM's filesystem. Current guides seem to rely on doing just that, but from my perspective that would not be much better than storing the secrets I'm trying to protect on the FS themselves, as those 1Password credentials would allow access to those secrets (and possibly more) anyway. So from my perspective that set-up defeats the purpose.
If we could use share links, then what we can do is this: when spinning up a new machine (or container or whatever), our provisioning process creates a one-time share link for that machine's 1Password credentials and writes that to the new FS image. Then, when the machine spins up, some parent/governor process can read the share link and use it to retrieve the actual credentials, which it will keep in memory for when needed.
The worst thing that could happen in this scenario is that an attacker obtains (and uses) the share link in the short window of time between creating it and the new machine starting up, which would be a really tricky attack to craft. But even if that happens, we will notice very quickly by the machine being unable to use the link, in which case we can act accordingly.
Thanks,
Daniel