Forum Discussion

integralist's avatar
integralist
New Contributor
4 months ago
Solved

Why does the 1P CLI not access the local 1P store?

👋 I have a shell script with lots of "secret references"... export EXAMPLE1_API_KEY=$(op read "op://<VAULT_NAME>/<ENTRY_NAME>/<SECTION_NAME>/<FIELD_NAME>") export EXAMPLE2_API_KEY=$(op read "op:/...
CLI
  • integralist's avatar
    integralist
    13 days ago

    Thanks theo​ I didn't realise that `op inject` did a bulk fetch. That actually means I can completely drop my other work-around in favour of doing this...

    In a `~/.localrc` I have:

    export EXAMPLE_API_KEY={{ op://VaultName/SecretName/SectionName/TokenName }}
export ANOTHER_API_KEY={{ op://VaultName/SecretName/SectionName/TokenName }}

    I can then source via `op inject` from my `~/.zshrc`:

    # Configuration you don't want as part of your main .zshrc
# For me, this is a template file that includes 1Password secret references.
# Meaning, I need to source the file via `op inject` so I can interpolate my secrets.
#
if [ -f "$HOME/.localrc" ]; then
	if command -v op >/dev/null; then
		op signin --account my.1password.com
		source <(op inject -i $HOME/.localrc)
	fi
fi

    This loads much faster now, even when I open a new shell instance I just get a single OS popup asking me to authorize the shell to access 1Password (and I don't need my password as it has that already and so it just needs me to press a button, which I'm fine with -- see screenshot).

     

integralist's avatar
integralist
New Contributor
15 days ago

For anyone interested, this is the approach I'm taking now...

⚠️ Be sure this is what you want to do. Understand the code and do not blindly copy/paste.

https://github.com/Integralist/dotfiles/blob/main/.config/zsh/lazy_op.zsh

So instead of:

export EXAMPLE_API_KEY=$(op read "op://<VAULT_NAME>/<ENTRY_NAME>/<SECTION_NAME>/<FIELD_NAME>")

I use:

lazy_op EXAMPLE_API_KEY "op://<VAULT_NAME>/<ENTRY_NAME>/<SECTION_NAME>/<FIELD_NAME>"

The secrets are loaded the first time the shell is loaded if they don't exist in a local file that looks like this:

FOO_EXAMPLE_API_KEY=some_secret
BAR_EXAMPLE_API_KEY=some_other_secret

The file is stored in my temp directory as I don't care if the file gets cleaned up. This is just to improve the performance generally (as I work 8 hours a day in the terminal and am constantly spinning up new shell instances).

The script (lazy_op.zsh) automatically deletes the temp cache file every hour anyway as a precaution (as I don't want that file to exist forever, and I'm OK with once an hour having to go back to the remote 1P server to get the secrets).

Scott_1P's avatar
Scott_1P
Icon for 1Password Team rank1Password Team
14 days ago

integralist​ Clever! Glad you found something that worked well for you. Thanks for sharing! :)