Anitta
New Contributor
7 months ago
Solved

How do I export only Vault and password metadata

We have a use case where we want to export the following fields:

  • vault uid, vault name
  • password uid, password name
  • Users assigned to vaults

We do NOT want to export the password in plaintext though.

We tried to use a service account to write a script that does this, but we are not able to get permissions that give us metadata read and no access to all the passwords.

How do we achieve this?

  • So I don't know if anyone will ever need to do this because after looking through various options, we found a way to get a one-time dump of the information we needed using a token of a service account that has rights on all the vaults of interest and the following commands:

    # Replace the placeholder with the real token; the quotes keep the shell from parsing < and > as redirections
    export OP_SERVICE_ACCOUNT_TOKEN="<Service account token>"
    op item list --format json | jq -r '["password_id","password_name","vault_id","vault_name"], (.[] | [.id, .title, .vault.id, .vault.name]) | @csv' > items.csv

    And then we uploaded the returned information into a data table which we can use in rules and queries in Chronicle.

    We then deleted the token and service account because it was too permissive.

4 Replies

  • Anitta
    New Contributor

    Thank you Dave.

    So what we would like to achieve with this use case is to monitor items we consider to be sensitive passwords to detect anomalous behaviour using logs being exported from 1Password to Chronicle.

    In the logs, only vault and item UUIDs are available and we would like to match those to human-readable names so our security analysts can know which teams to contact to verify seen suspicious activities against these sensitive items.

    The analysts don't have access to all the 1Password vaults.

  • Hello Anitta! 👋

    Thank you for the question! It's not possible to selectively export that information using the 1Password app's export tool. The export tool is mostly meant to create an export of your login credentials, and other data, in case you decide to leave 1Password in the future and migrate to another password manager. 

    Depending on your needs, it sounds like the reporting tools in 1Password Business might fit your needs more: Create reports in 1Password Business

    If the reporting tools don't work for your needs then can you tell me a little more about your use case?

    -Dave
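
Added example, not part of the thread or of 1Password's tooling: a Python sketch of the workflow described above, turning `op item list --format json` output into a metadata-only lookup table through an explicit field allowlist, then resolving UUID-only log events to names. The item JSON and events are constructed samples, and the event field names `vault_uuid` and `item_uuid` are assumptions.

```python
import csv
import io
import json

# Constructed sample of `op item list --format json` output; all IDs and names are made up.
SAMPLE_ITEMS = json.loads("""[
  {"id": "itemaaaa1111", "title": "Prod DB admin", "category": "LOGIN",
   "additional_information": "svc-deploy", "urls": [{"href": "https://db.example.test"}],
   "vault": {"id": "vaultxxxx0001", "name": "Platform Team"}},
  {"id": "itembbbb2222", "title": "Payroll portal", "category": "LOGIN",
   "vault": {"id": "vaultyyyy0002", "name": "Finance"}}
]""")

# Constructed log events; the field names vault_uuid / item_uuid are assumptions.
SAMPLE_EVENTS = [
    {"vault_uuid": "vaultxxxx0001", "item_uuid": "itemaaaa1111", "action": "reveal"},
    {"vault_uuid": "vaultzzzz0003", "item_uuid": "itemcccc3333", "action": "reveal"},
]

COLUMNS = ["password_id", "password_name", "vault_id", "vault_name"]

def to_rows(items):
    """Copy only the four allowlisted metadata fields; everything else is dropped."""
    rows = []
    for it in items:
        vault = it.get("vault") or {}
        rows.append({"password_id": it["id"], "password_name": it.get("title", ""),
                     "vault_id": vault.get("id", ""), "vault_name": vault.get("name", "")})
    return rows

def to_csv(rows):
    """Render rows in the same column order as the jq command in the thread."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def enrich(event, rows):
    """Attach readable names to a UUID-only event; unknown pairs are flagged, not guessed."""
    index = {(r["vault_id"], r["password_id"]): r for r in rows}
    hit = index.get((event["vault_uuid"], event["item_uuid"])) or {}
    return {**event, "vault_name": hit.get("vault_name"),
            "password_name": hit.get("password_name"), "in_table": bool(hit)}

if __name__ == "__main__":
    table = to_rows(SAMPLE_ITEMS)
    print(to_csv(table), end="")
    print([enrich(ev, table) for ev in SAMPLE_EVENTS])
```

Events that come back with `in_table` false point at items created or moved after the one-time dump, which is the signal that the lookup table is stale.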