Forum Discussion

integralist's avatar
integralist
New Contributor
4 months ago
Solved

Why does the 1P CLI not access the local 1P store?

đź‘‹ I have a shell script with lots of "secret references"... export EXAMPLE1_API_KEY=$(op read "op://<VAULT_NAME>/<ENTRY_NAME>/<SECTION_NAME>/<FIELD_NAME>") export EXAMPLE2_API_KEY=$(op read "op:/...
CLI
  • integralist's avatar
    integralist
    13 days ago

    Thanks theo​ I didn't realise that `op inject` did a bulk fetch. That actually means I can completely drop my other work-around in favour of doing this...

    In a `~/.localrc` I have:

    export EXAMPLE_API_KEY={{ op://VaultName/SecretName/SectionName/TokenName }}
export ANOTHER_API_KEY={{ op://VaultName/SecretName/SectionName/TokenName }}

    I can then source via `op inject` from my `~/.zshrc`:

    # Configuration you don't want as part of your main .zshrc
# For me, this is a template file that includes 1Password secret references.
# Meaning, I need to source the file via `op inject` so I can interpolate my secrets.
#
if [ -f "$HOME/.localrc" ]; then
	if command -v op >/dev/null; then
		op signin --account my.1password.com
		source <(op inject -i $HOME/.localrc)
	fi
fi

    This loads much faster now, even when I open a new shell instance I just get a single OS popup asking me to authorize the shell to access 1Password (and I don't need my password as it has that already and so it just needs me to press a button, which I'm fine with -- see screenshot).

     

phildmno's avatar
phildmno
Occasional Contributor
4 months ago

As far as we've found building integrations with CLI/SDK/App at DMNO, the CLI will only use the local app for auth (like biometrics) and all the data fetching still happens remotely. We've had to work around this as well and would love if the CLI/SDKs could fetch from a local cache as well. 


  • integralist's avatar
    integralist
    New Contributor
    14 days ago

    👋 phildmno​ I've put my workaround below. I would be interested to know what y'all used as a workaround to this.

    • phildmno's avatar
      phildmno
      Occasional Contributor
      14 days ago

      theozero​ will know more about the specifics there

  • integralist's avatar
    integralist
    New Contributor
    15 days ago

    For anyone interested, this is the approach I'm taking now...

    ⚠️ Be sure this is what you want to do. Understand the code and do not blindly copy/paste.

    https://github.com/Integralist/dotfiles/blob/main/.config/zsh/lazy_op.zsh

    So instead of:

    export EXAMPLE_API_KEY=$(op read "op://<VAULT_NAME>/<ENTRY_NAME>/<SECTION_NAME>/<FIELD_NAME>")

    I use:

    lazy_op EXAMPLE_API_KEY "op://<VAULT_NAME>/<ENTRY_NAME>/<SECTION_NAME>/<FIELD_NAME>"

    The secrets are loaded the first time the shell is loaded if they don't exist in a local file that looks like this:

    FOO_EXAMPLE_API_KEY=some_secret
BAR_EXAMPLE_API_KEY=some_other_secret

    The file is stored in my temp directory as I don't care if the file gets cleaned up. This is just to improve the performance generally (as I work 8 hours a day in the terminal and am constantly spinning up new shell instances).

    The script (lazy_op.zsh) automatically deletes the temp cache file every hour anyway as a precaution (as I don't want that file to exist forever, and I'm OK with once an hour having to go back to the remote 1P server to get the secrets).

    • Scott_1P's avatar
      Scott_1P
      Icon for 1Password Team rank1Password Team
      14 days ago

      integralist​ Clever! Glad you found something that worked well for you. Thanks for sharing! :)