CLI keeps prompting for authentication
Hi,
I'm trying to come up with the best way to use the CLI to load secrets into some dev/deploy scripts, and I can't figure out how to avoid 1Password prompting for authentication incessantly. I was expecting an authentication to stick at least a little bit, but two calls to "op read" back to back will have two authentication prompts back to back.
The main problem with the "op run" method is that you can't load credentials ad-hoc, but have to load all of them at the same time. That's a problem when different users have access to different things in a script. Everyone has access to certain development functions, but only some people have access to deployment functions. That makes it impossible to preload all credentials, because this will fail for everyone who doesn't have the Deployment vault shared to their account. So it's necessary to load credentials as needed, during the interactive script.
But "op read" is extremely user-hostile, and prompts for every single request. If I load 20 secrets at runtime, that's literally 20 authentication prompts, and 20 x 3-5 seconds of waiting. It's completely impossible to use "op read" for anything but a single credential. I'm struggling to understand why the "op read" command even exists.
Is there a way for CLI access to persist for a process? Then you could just authenticate on the first "op read", and every subsequent "op read", even for child processes, would just continue working.
And then is there a way to not have a 3-5 second delay on every single call of "op read"?
The only hack I can come up with is if non-deployment users still have a fake vault called "Deployment" filled with fake credentials that allow the script to be loaded even if they don't have a high-level vault shared with them. But then what when you have 5 or 10 areas of restricted access? Does every user need 9 fake vaults for every 1 real vault filled with fake credentials, just so that "op run" can work at all?
This is getting ugly, and I'm frankly a millimeter away from going back to VeraCrypt volumes, which allow me to open and decrypt volumes at runtime, and have them automatically close again after some time. But those volumes are accessible to the whole system, which isn't good either.
Ideally, the CLI would:
- Authenticate on first access and stay connected.
- Read credentials in milliseconds, not seconds.
- Have permissions per-vault that allow the access to persist just for that vault.
- Be usable at runtime, and not require wrapping every bash script in "op run", which is some noisy syntax for what used to be clean. Every script now needs a "launcher" script just to not have to type that all the time.
I realize that there's this Connect thing that runs authentication containers. But that's a non-starter for us, because we have elaborate local Docker clusters for development that are managed by our scripts, and currently, all running containers are ours. It would be disruptive to have to tippy-toe around 1Password containers.
Is there really no way to simply have CLI access while a script is running without the tax of repeated prompts and minute-long delays?
Per
1Password Version: 8.10.1
Extension Version: Not Provided
OS Version: Windows 11
Browser: Not Provided
