OnePassword CLI over Connect

Hey there sshipway - I think I can help with some of your questions!

It seems to be read-only - no way to save a secret from the commandline?

Yes - Connect only exposes read operations to access secrets. If would like to perform write operations in CICD environments, we do have a service account feature coming. The feature will allow provisioning of service account tokens that can be set to perform most CLI commands, including creating and editing items. Stay tuned!

No way to extract file attachments from secrets

The most recent versions of the CLI and Connect server allow fetching file attachments from items, whether they are Document items or file fields.

The syntax to reference a Document or file field would be: op://<vault>/<item>/[<section>/]<fileName>

If such syntax does not work, please let us know and we can begin a bug investigation on our end.

No way to search for secrets

No, unfortunately even naive commands like op item list seem to be blocked in Connect - I am interested in your use case for searching items in automated environments to get a better idea for any improvements we can make.

It seems to be unable to retrieve secrets with ':' or '@' in their name, even if these are URL-encoded?

Are you using op read with a secret reference? This is a validation in the secrets reference syntax. Using URL encoding on such chars, or allowing to escape them by preceding such chars with a backslash may be a good way to address items containing those chars in their names, and we will look into it.

For now, you can use the op item get command instead, eg. op item get "my:item @ AZDO" --fields="mySection.myField" --format=json --vault="My Vault".
The command will return a JSON object of the field, and the value key must be extracted with a tool such as jq. It is a bit of a roundabout way to get a field’s value - but hopefully it suits your use case for now.