Can I use CLI 2.0 on external machines (like Raspberry Pi)?

I think we're (almost) all caught up, haha! Please do let us know if you require our attention on any particular topic out of those that you have opened.

Best,
Horia

Not specific to this topic…

(See other posts)

Glad this got sorted out! Is there anything else we can help with here, XIII?

Luckily I only tried 2 tokens for 1 vault so far, so no charges yet.

Was hoping I could eventually use a unique token for every device (using a single vault), but that's no longer possible with this correction... 😢 (having more than 3 devices)

Hey XIII

My initial statement about Connect credits was incorrect, and I just wanted to make a correction.

I'm confused about the pricing: does 1 token for 1 vault count as 1 of the 3 free credits? (I subscribe to 1Password for Families)

This is based on the total number of vaults that all active tokens have access to.

This means that multiple tokens that access the same vault add up, which in my previous statement was not the case.
So here's my correction of the examples I provided:

• 3 access tokens that access 1 vault -> 1 credit 3 credits
• 3 access tokens, 1 for vault A, 2 for vault B -> 2 credits 3 credits
• 3 access tokens for 3 different vaults -> 3 credits
• 1 access token that can access 3 vaults -> 3 credits
• 2 access tokens, 1 can access vaults A and B, 1 only vault B -> 2 credits 3 credits
• 2 access tokens, 1 can access vaults A and B, 1 vaults B and C -> 3 credits 4 credits

Thank you! I'm going to experiment a bit more... Fun stuff!

Hey XIII ,

Just following up with the answers to your original questions about Connect:

Should the 1password-credentials.json file be permanently saved on my Pi, because it is used in the YAML template?

1password-credentials.json with the standard docker-compose file, should always be there, because it is mounted as a volume. Alternatively, you could copy the file in the containers, instead of mounting it as a volume, and then you'd only need it when starting up Connect.

Is this safe?

I think this doc about https://developer.1password.com/docs/connect/connect-security/ can answer this one.

I'm confused about the pricing: does 1 token for 1 vault count as 1 of the 3 free credits? (I subscribe to 1Password for Families)

The credits represent the number of vaults that are accessed with Secrets Automation.
Here are a couple of examples:

• 3 access tokens that access 1 vault -> 1 credit
• 3 access tokens, 1 for vault A, 2 for vault B -> 2 credits
• 3 access tokens for 3 different vaults -> 3 credits
• 1 access token that can access 3 vaults -> 3 credits
• 2 access tokens, 1 can access vaults A and B, 1 only vault B -> 2 credits
• 2 access tokens, 1 can access vaults A and B, 1 vaults B and C -> 3 credits

What's the best practice for storing the Automation Access Token on the Pi?

I personally always store them as environment variables, only within the session where I make Connect requests (i.e. I never put it in my profile, to have it exported globally). However, I don't think we have ever given exact guidelines towards good practices here, and I've always only used Connect for testing purposes, so ymmv.

Maybe I misunderstand, but wouldn't that defeat the entire purpose?

You are right, and this is the reason why we don't endorse this method of signing in.

Can you please answer my previous questions?

Absolutely, I actually pinged some colleagues that are more familiar with Connect to help answer those earlier so please hang tight!

Once the account has already been has manually added to the device via op account add, then: eval $(echo | op signin --account ) would work.

Maybe I misunderstand, but wouldn't that defeat the entire purpose?

Instead of the password of one specific service I would now have to store the key to my kingdom (1Password master password) on the Pi?

Additionally I like the fact that I can limit access to a very small subset of credentials when using Connect. And it is fun to learn more about this too...

Can you please answer my previous questions?

It works when manually signing in and then executing a Node.js script, on the command line (which is nice!), but (as expected) not when running the script as a service.

Before you dive in to Connect, note that it is possible to "script" a manual signin command non-interactively as well.

Once the account has already been has manually added to the device via op account add, then: eval $(echo <password> | op signin --account <shorthand>) would work.