Former Member
4 years ago

[58] Signin scoped to specific vaults

Hi,

I had a question about the Signin command. Is it possible for the Signin command to output a token that only allows access to specific vaults, rather than all vaults an account has access to?

I saw that there might be a service accounts feature coming soon (https://1password.community/discussion/126441/13-can-the-1password-cli-replace-dotenv-on-raspberry-pi#:%7E:text=considering%20to%20add-,service%20accounts,-.%20Service%20accounts%20would). Could this be a solution, and do we know if this feature would be made available to 1Password Families?


1Password Version: CLI 2.0 beta
Extension Version: Not Provided
OS Version: Not Provided

4 Replies

  • Sadia_A1P
    1Password Team

    Hi @dynamitenate,

    I'm Sadia, a Product Manager at 1Password, and have some news that may be interesting to you. I am looking for some developers and administrators that would be interested in chatting with me about a new feature our team has been working on: Service Accounts. Earlier this year, we introduced the CLI 2.0, where users can use “run” and “inject” commands to substitute secret references for secrets stored in 1Password vaults. With our new Service Account capabilities, organizations can use a separate non-user account to control and manage access to secrets without deploying additional services like Connect.

    We are currently building out service accounts and want to understand your pain-points and experiences with secrets management, and gather some feedback, so we could deliver the best product for our customers.

    If you are interested, please feel free to reach out to me at sadia.azmal@agilebits.com or sign up for a 30-minute slot on Calendly. I look forward to hearing from you :)

  • Former Member

    Hey @dynamitenate,

    Thanks for providing us with the use case. We will definitely be considering specific vault access permissions when looking into the service accounts implementation!

  • Former Member

    Hey @"Horia.Culea_1P", thanks for the insight!

    For clarity on my use case, I'm looking to convince my company to adopt 1Password for Business. We have various separate clients/projects, all with their own secrets to store. I believe this CLI tool would be especially useful for us, and a potential service accounts feature would help us avoid using a personal user's signin for an automated process.

    However, something I could see my company asking is "whether the service accounts can be permissioned to only see the vaults they need to see". Ideally, we'd have a service account for each project, that can only see the secrets needed for that project. This would just reduce the risk that a service account grabs the secret for a different project on accident.

    To word this as a formal user story, I would say...

    As a developer, I would like to control which vaults a service account has access to, so that it's less likely that we make the service account grab the wrong secret on accident.

    The vault travel mode would help achieve this, but I think it would only be able to work for one service account.

    Thanks again!

  • Former Member

    Hey @dynamitenate, and thank you for trying 1Password CLI 2.0 beta.
    Service accounts would definitely be a viable solution for your issue. As for the future availability of this feature, I am not currently aware if anything has already been decided, since we are still in the early stages of the project. If I am mistaken, maybe my colleagues could jump in to correct me.

    The only possible solution, as I see it, at the moment, is using the CLI via 1Password Connect, and restricting the permission for the server/access token to the desired vaults. Unfortunately, this is a feature only available for business and teams accounts.
    Can you let us know a bit more about your use case? Would a feature such as https://developer.1password.com/docs/cli/reference/management-commands/vault#vault-edit be useful, in your case?
    Thank you for the question, and keep the good feedback coming! We are here to listen and to help.

    Best,
    Horia