Skip to main content
XIII
March 15, 2022
Question

Can I use CLI 2.0 on external machines (like Raspberry Pi)?

  • March 15, 2022
  • 17 replies
  • 643 views

Is it already possible to use op on external machines (instead of your development Mac/PC)?

If not, do you have a roadmap for that?

I'd love to use the 1Password CLI instead of dotenv for (Node.js based) services running on my Raspberry Pi!


1Password Version: 1Password CLI 2.0.0
Extension Version: n/a
OS Version: Raspberry Pi OS

17 replies

March 15, 2022

Does it support the arm build?

XIII
XIIIAuthor
March 15, 2022

PS: forgot to mention that I run these machine headless and I use SSH (and the 1Password SSH agent) to access them.

March 15, 2022

Hey @XIII ,

op will run on Raspberry Pi! You can install them over ssh with the curl and mv commands. If you need an example, we have a 1 liner script at the bottom of the linux .zip section in the https://developer.1password.com/docs/cli/get-started#install!

Hey @MatthewPackwoodJR,

Yes the arm build should work but please do not hesitate to let us know here if you run into any issues.

XIII
XIIIAuthor
March 15, 2022

op will run on Raspberry Pi! You can install them over ssh with the curl and mv commands

Planning to experiment with that.

But what about signing in?

It's a headless Pi with no Biometric unlock. Do I need Secret Automation or is that overkill for what I want?

(run Node.js scripts from systems services)

March 15, 2022

You can still sign in using a terminal "the old way" by entering your sign-in address and credentials, check out https://developer.1password.com/docs/cli/use-multiple-accounts#with-manual-sign-in on how to use op account add and op signin --account ACCOUNT.

Hope this fits your use case, but if not, let us know. Connect (Secrets Automation) may just be the way to go in that case.

XIII
XIIIAuthor
March 15, 2022

It works when manually signing in and then executing a Node.js script, on the command line (which is nice!), but (as expected) not when running the script as a service.

So I'm afraid I have to dive in to Connect...

XIII
XIIIAuthor
March 15, 2022

I read the documentation earlier today and was super confused, but I seem to have it running as a "proof of concept".

Never used Docker on my Pi before, so I have some things to investigate (like how to automatically start the 1Password containers at boot).

Some 1Password Connect specific questions (if I may post them here):
* Should the 1password-credentials.json file be permanently saved on my Pi, because it is used in the YAML template?
* Is this safe?
* I'm confused about the pricing: does 1 token for 1 vault count as 1 of the 3 free credits? (I subscribe to 1Password for Families)
* What's the best practice for storing the Automation Access Token on the Pi?

March 16, 2022

It works when manually signing in and then executing a Node.js script, on the command line (which is nice!), but (as expected) not when running the script as a service.

Before you dive in to Connect, note that it is possible to "script" a manual signin command non-interactively as well.

Once the account has already been has manually added to the device via op account add, then: eval $(echo <password> | op signin --account <shorthand>) would work.

XIII
XIIIAuthor
March 16, 2022

Once the account has already been has manually added to the device via op account add, then: eval $(echo | op signin --account ) would work.

Maybe I misunderstand, but wouldn't that defeat the entire purpose?

Instead of the password of one specific service I would now have to store the key to my kingdom (1Password master password) on the Pi?

Additionally I like the fact that I can limit access to a very small subset of credentials when using Connect. And it is fun to learn more about this too...

Can you please answer my previous questions?

March 16, 2022

Maybe I misunderstand, but wouldn't that defeat the entire purpose?

You are right, and this is the reason why we don't endorse this method of signing in.

Can you please answer my previous questions?

Absolutely, I actually pinged some colleagues that are more familiar with Connect to help answer those earlier so please hang tight!