manselmi
3 years ago · New Contributor
op inject: how to escape resolved secrets?
Hi there! 👋
I have a question regarding the template syntax (https://developer.1password.com/docs/cli/secrets-template-syntax/) in templated config files. Does the template syntax allow for escaping the resolved secrets or applying filters to them?
For example (I wouldn't actually handle auth this way), suppose I have a templated JSON file config.json.tpl:

    {
      "Credentials": {
        "Username": "{{ op://vault/item/section/username }}",
        "Password": "{{ op://vault/item/section/password }}",
        "TOTP": {{ op://vault/item/section/totp?attribute=otp }}
      }
    }

and I render the template with op inject --in-file config.json.tpl. How can I JSON-escape the result of resolving {{ op://vault/item/section/password }} in case it contains " or \?

I would prefer to use op inject instead of op run as some apps don't allow for secrets to be configured via environment variables. Also, there are some https://blog.diogomonica.com/2017/03/27/why-you-shouldnt-use-env-variables-for-secret-data/ associated with doing so. Also, I would prefer not to replace op inject with multiple invocations of op read because I'd prefer to avoid multiple op invocations to get all needed secrets. Finally, I could use op item get <item> --vault <vault> --format json and transform the output with jq to get what I need without worrying about escaping anything… but then I'd need to write a jq filter for each invocation of op item get (a single 1Password item might not contain all needed secrets).

IMO it'd be more user-friendly to be able to write a template similar to this:

    {
      "Credentials": {
        "Username": {{ op://vault/item/section/username | json_encode }},
        "Password": {{ op://vault/item/section/password | json_encode }},
        "TOTP": {{ op://vault/item/section/totp?attribute=otp | int }}
      }
    }

(https://tera.netlify.app/docs/#json-encode and https://tera.netlify.app/docs/#int are example filters from the Tera template engine for Rust.)
This way I wouldn't need to worry about " or \ in the password and could ensure the TOTP was an integer without leading zeroes if I needed that for some reason (this is a contrived example).
What are your thoughts on this?
Thanks!
1Password Version: 8.10.1
Extension Version: 2.8.1
OS Version: macOS 13.2.1
Browser: Chrome
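
The escaping problem raised in the post, as an added example that is not part of the original post and not 1Password's code: a small renderer that substitutes secrets raw and, when a filter is present, applies the json_encode and int filters the post proposes. The SECRETS dictionary is constructed sample data standing in for vault lookups, the filter syntax is the post's hypothetical one, and no op command is invoked.

```python
import json
import re

# Constructed sample secrets standing in for 1Password lookups (assumption:
# no real vault is contacted; the values are made up for this example).
SECRETS = {
    "op://vault/item/section/username": "alice",
    "op://vault/item/section/password": 'p"ss\\word',
    "op://vault/item/section/totp?attribute=otp": "012345",
}

# Filters named after the ones proposed in the post (hypothetical syntax).
FILTERS = {
    "json_encode": json.dumps,      # adds quotes and escapes " and \
    "int": lambda s: str(int(s)),   # drops leading zeroes
}

# Matches {{ <reference> }} or {{ <reference> | <filter> }}
TAG = re.compile(r"\{\{\s*(op://[^\s|}]+)\s*(?:\|\s*(\w+)\s*)?\}\}")


def render(template, secrets=SECRETS):
    """Replace each tag with its secret, passing it through the filter if any."""
    def substitute(match):
        reference, filter_name = match.groups()
        value = secrets[reference]          # KeyError on an unknown reference
        if filter_name is None:
            return value                    # raw substitution, no escaping
        return FILTERS[filter_name](value)  # KeyError on an unknown filter
    return TAG.sub(substitute, template)


RAW_TEMPLATE = '''{"Credentials": {
  "Username": "{{ op://vault/item/section/username }}",
  "Password": "{{ op://vault/item/section/password }}",
  "TOTP": {{ op://vault/item/section/totp?attribute=otp }}}}'''

FILTERED_TEMPLATE = '''{"Credentials": {
  "Username": {{ op://vault/item/section/username | json_encode }},
  "Password": {{ op://vault/item/section/password | json_encode }},
  "TOTP": {{ op://vault/item/section/totp?attribute=otp | int }}}}'''


def is_valid_json(text):
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False
```

With the sample password, the raw template renders to text that a JSON parser rejects, while the filtered template parses and returns the password unchanged.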