Backspaze
3 years ago
Dedicated Contributor
How to use service accounts and regular accounts in the same environment?
I noticed that you silently released Service Accounts a little over a week ago in https://app-updates.agilebits.com/product_history/CLI2#v2180001 of 1Password CLI and naturally began testing it immedia...
Backspaze
3 years ago
Dedicated Contributor
Hey @Horia.Culea_1P
Thanks for the clarification.
I'm not quite sure about exactly how to perform the steps you mentioned, so I'm thinking out loud here.
First, I'm guessing I can add $Env:OP_SERVICE_ACCOUNT_TOKEN = "<your-service-account-token>" at the start of my script(s) and then reset it at the end of the script(s) with $Env:OP_SERVICE_ACCOUNT_TOKEN = "". But that would mean that every script I use this with will have my Service Account token included, and if any script goes astray that means anyone with access to the script will have access to my Service Account and everything it has access to.
Second, if I instead go with your example with an envvar with a different name, I'm guessing the setup is done by running the command like this: $Env:OP_SERVICE_ACCOUNT_TOKEN_GLOBAL = "<your-service-account-token>" and then, at the beginning of my script(s), I'll have a command like $Env:OP_SERVICE_ACCOUNT_TOKEN = $Env:OP_SERVICE_ACCOUNT_TOKEN_GLOBAL and at the end of the script(s) I'll have $Env:OP_SERVICE_ACCOUNT_TOKEN = "". I tried this and it didn't work, so I'm probably using the wrong method...on to the...
...Third attempt after reading some more about environment variables in PowerShell. I ran PowerShell as admin and used the command [Environment]::SetEnvironmentVariable("OP_SERVICE_ACCOUNT_TOKEN_GLOBAL", "<your-service-account-token>", "User") to make the envvar available at user level. At the start of the script I then added $Env:OP_SERVICE_ACCOUNT_TOKEN = $Env:OP_SERVICE_ACCOUNT_TOKEN_GLOBAL and I also added op user get --me to see that it actually switches to the service account for the script session. When I open a new PowerShell window after this and run the script, it seems to work as intended. The Service Account remains logged in and authenticated for that session, but if I close the PowerShell window and open a new one, it returns to using my personal account. If I add $Env:OP_SERVICE_ACCOUNT_TOKEN = "" and op user get --me to the end of the script I can make it return to using my personal account within the same session.
Was my third attempt above what you had in mind, or is there a better way to do this? Also, do you have any more comments regarding my thoughts in the first paragraph about having the Service Account token in plain text in the script?
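One way to keep the token out of the script file and limit it to a single block of commands, following the third attempt in the post above. This is an added example, not code from the original post or from 1Password; the function name Invoke-WithServiceAccount is hypothetical, and it assumes the token was already stored at user level as OP_SERVICE_ACCOUNT_TOKEN_GLOBAL.

```powershell
# Added example. Assumption: the token was stored once at user scope with
#   [Environment]::SetEnvironmentVariable("OP_SERVICE_ACCOUNT_TOKEN_GLOBAL",
#       "<your-service-account-token>", "User")

function Invoke-WithServiceAccount {    # hypothetical helper name
    param(
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock,
        [string] $SourceVariable = 'OP_SERVICE_ACCOUNT_TOKEN_GLOBAL'
    )

    # Read the user-scope store directly instead of $Env:, so this also works
    # in a session that was opened before the variable was created.
    $token = [Environment]::GetEnvironmentVariable($SourceVariable, 'User')
    if ([string]::IsNullOrEmpty($token)) {
        throw "User-level variable '$SourceVariable' is not set."
    }

    # Remember what this session had before so it can be restored exactly.
    $previous = $Env:OP_SERVICE_ACCOUNT_TOKEN
    try {
        # $Env: assignments are process scope only: they affect this session
        # and its child processes (such as op), not other windows.
        $Env:OP_SERVICE_ACCOUNT_TOKEN = $token
        & $ScriptBlock
    }
    finally {
        # Runs even if the script block throws, so the token does not linger.
        if ($null -eq $previous) {
            Remove-Item Env:\OP_SERVICE_ACCOUNT_TOKEN -ErrorAction SilentlyContinue
        }
        else {
            $Env:OP_SERVICE_ACCOUNT_TOKEN = $previous
        }
        $token = $null
    }
}

# Inside the block, op picks up OP_SERVICE_ACCOUNT_TOKEN from the environment.
Invoke-WithServiceAccount { op user get --me }

# Outside the block, the variable is back to whatever the session had before.
op user get --me
```

A user-level environment variable keeps the token out of the script, but it is still stored unencrypted in the user's profile (HKCU\Environment) and is readable by any process running as that user.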