CLI
826 Topics

Is it possible for 1Password CLI running on WSL to connect with 1Password hosted on Windows?
Right now I can access 1Password on my WSL Debian installation using the CLI. But I have to enter my master password even when Windows is authenticated. I was just curious if it's possible to connect the two (a-la the SSH agent forwarding magic outlined here - https://1password.community/discussion/128023/ssh-agent-on-windows-subsystem-for-linux)
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
8.9K Views, 10 likes, 41 Comments

CLI Offline Mode
Hi team & community 👋 I know this was posted years back but I am wondering if the team has any appetite to allow for loading secrets from the CLI without internet access? Considering we can use the 1Password Desktop app offline I don't see why the CLI can't have the same functionality. Happy to discuss this in more detail to help this become a reality.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
897 Views, 5 likes, 11 Comments

CLI not talking to 1Password desktop
Hi folks, I'm running into some issues when I run op commands, even after I uninstall and re-install both the CLI and 1Password desktop binaries, as well as checking/unchecking the "Integrate with 1Password CLI" option in the desktop app. Any help troubleshooting would be greatly appreciated:
```
$ op item get test_item --vault test_vault --fields label=password
[ERROR] 2024/11/04 15:43:52 error initializing client: connecting to desktop app: received unexpected response from 1Password app. Please make sure 1Password CLI and the 1Password app are up-to-date.
```
1Password Version: 8.10.50
Extension Version: 2.30.1
OS Version: Ubuntu 24.04.1 LTS
Browser: Not Provided
383 Views, 5 likes, 13 Comments

CLI hangs when requesting items
The CLI had been working without issues for a while but about a day ago it began to indefinitely hang when fetching an item. When I run:
```
op item get XXX --otp --debug
```
I get:
```
9:35AM | DEBUG | Session delegation enabled
9:35AM | DEBUG | NM request: NmRequestAccounts
9:35AM | DEBUG | NM response: Success
9:35AM | DEBUG | NM request: NmRequestAccounts
9:35AM | DEBUG | NM response: Success
9:35AM | DEBUG | account not signed in, filter=XXXX latest_signin_user=XXXXXXXXXX
9:35AM | DEBUG | not signed in reason: session file not found
9:35AM | DEBUG | NM request: NmRequestAccounts
9:35AM | DEBUG | NM response: Success
9:35AM | DEBUG | NM request: NmRequestAuthorization
9:35AM | DEBUG | NM response: Success
9:35AM | DEBUG | NM request: NmRequestAccounts
9:35AM | DEBUG | NM response: Success
9:35AM | DEBUG | NM request: NmRequestDelegatedSession
```
and it just hangs there. Any idea of what could be wrong here?
1Password Version: 8.10.3 (81003012)
Extension Version: 2.15.0
OS Version: macOS 13.2.1 (22D68)
Browser: zsh
2.2K Views, 4 likes, 40 Comments

Feature Request: First-Class Support for Dev Containers and 'op' CLI
Feature Request: First-Class Support for Dev Containers and 'op' CLI

Summary
We request 1Password to add native support for Development Containers (Dev Containers) and improve integration of the 'op' CLI within these environments.

Background
Dev Containers are an increasingly popular approach to standardizing development environments across teams. They allow developers to use a consistent, reproducible setup by running all development tooling inside Docker containers. This approach has gained significant traction, especially with the adoption of Visual Studio Code's Dev Containers extension.

Current Limitations
- The 1Password CLI ('op') does not function seamlessly within Dev Containers.
- Authorization for 'op' inside a Dev Container is treated as a separate computer, complicating the user experience.
- Existing solutions like 1Password Connect and Service Accounts don't address this use case adequately.

Requested Features
- Native Dev Container Support: Develop an official integration that allows the 'op' CLI to work seamlessly within Dev Containers.
- Authorization Continuity: Implement a mechanism that allows the 'op' CLI in a Dev Container to utilize the authorization from the host machine, similar to how Git and SSH work in Dev Containers.
- Official Documentation: Provide comprehensive guides and best practices for using 1Password within Dev Container environments.

Use Case
Developers using Dev Containers should be able to:
- Access their 1Password vault securely from within the container
- Use the 'op' CLI for tasks like secret injection into environment variables
- Maintain a seamless workflow without repeatedly authorizing or switching contexts

Benefits
- Improved Developer Experience: Streamline the use of 1Password in modern development workflows.
- Enhanced Security: Encourage the use of secrets management in containerized development environments.
- Consistency: Align 1Password's capabilities with other tools that already support Dev Containers.

Technical Considerations
- The solution should work with various Dev Container implementations, focusing on the Visual Studio Code extension as a primary target.
- Consider leveraging existing authorization mechanisms used by other tools in Dev Containers (e.g., SSH agent forwarding).
- Ensure that the security model maintains 1Password's high standards while enabling this new use case.

Conclusion
Adding first-class support for Dev Containers would significantly enhance 1Password's value proposition for development teams and individual developers embracing modern workflows. We believe this feature aligns well with 1Password's commitment to security and user experience in the development ecosystem. We appreciate your consideration of this feature request and look forward to the possibility of seeing it implemented in future releases.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
238 Views, 4 likes, 5 Comments

AWS plugin MFA fails intermittently
When using the AWS plugin with MFA and profiles, about one in every 5 times it fails with this error:
```
aws sts get-caller-identity --profile=profile
[ERROR] 2024/05/06 12:44:59 could not run plugin AWS CLI: failed to provision credentials, encountered error(s): operation error STS: AssumeRole, failed to sign request: failed to retrieve credentials: operation error STS: GetSessionToken, https response error StatusCode: 403, RequestID: xx-xx-xx-xx-xx, api error AccessDenied: Cannot call GetSessionToken with session credentials
```
Most of the time I can then run op plugin run --debug --cache=false -- aws ls s3 to correct the situation. New 1Password customer so all the newest Apps, it happens on Arch Linux and MacOS.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
213 Views, 4 likes, 2 Comments

Headless Linux CLI unable to login.
To whom this might concern, Hi! I have a headless Linux box on which I've installed 1password CLI:
```
technie@maya:~$ uname -a
Linux maya 6.2.0-26-generic #26~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Jul 13 16:27:29 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
technie@maya:~$ op --version
2.20.0
```
I've tried to login, but I've gotten a "[ERROR] 2023/09/03 03:24:22 MFA Type Not Supported" error instead. The log is as follows:
--- start of log ---
```
technie@maya:~$ op vault list
No accounts configured for use with 1Password CLI.

You can either:

- Connect 1Password CLI with the 1Password app to use the accounts you've added to the app and sign in using the 1Password app. Learn more: https://developer.1password.com/docs/cli/get-started/#sign-in for details.
- Add an account manually with 'op account add' and sign in by entering your password on the command line. See 'op account add --help' for details.
- Use 1Password CLI with a Connect instance by setting the 'OP_CONNECT_HOST' and 'OP_CONNECT_TOKEN' environment variables to your Connect host and token, respectively. Learn more: https://developer.1password.com/docs/connect
- Authenticate using a 1Password service account by setting the 'OP_SERVICE_ACCOUNT_TOKEN' environment variable to your service account token. Learn more: https://developer.1password.com/docs/service-accounts/

Do you want to add an account manually now? [Y/n]
Enter your sign-in address (example.1password.com): https://my.1password.com/
Enter the email address for your account on my.1password.com/: mailto:onepassword@m.technie.com
Enter the Secret Key for mailto:onepassword@m.technie.com on my.1password.com: A3-XXX-4LKEE
Enter the password for mailto:onepassword@m.technie.com at my.1password.com:
[ERROR] 2023/09/03 03:24:22 MFA Type Not Supported
```
--- end of log ---
I have set up security keys as my 2FA for 1password. Would that be a problem?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
544 Views, 3 likes, 3 Comments

[ZSH] Plugin aliases break completion for the command run by the plugin
I have ZSH set up to introspect aliases and run plugin functions based on what the alias is calling. This means that an alias set up for gh: alias gh='op plugin run -- gh' will actually trigger the _op_plugin_run completion function, not that for gh itself. I have worked around this with this in my .zshrc (I don't really want to edit the completion file as I'll definitely forget to keep it updated):
```
# Wrapper around the generated _op_plugin_run completion function.
function __my_op_plugin_run() {
    _op_plugin_run
    for ((i = 2; i < CURRENT; i++)); do
        # Once a literal "--" is found, drop it and everything before it,
        # then complete the remaining words as a normal command line.
        if [[ ${words[i]} == -- ]]; then
            shift $i words
            ((CURRENT -= i))
            _normal
            return
        fi
    done
}

# Emit the generated completion script with calls to _op_plugin_run
# redirected to the wrapper above.
function __load_op_completion() {
    completion_function="$(op completion zsh)"
    sed -E 's/^( +)_op_plugin_run/\1__my_op_plugin_run/' <<<"${completion_function}"
}

eval "$(__load_op_completion)"
compdef _op op
```
In lay terms, this:
1. Checks if the previous word is --
2. Takes -- and everything prior to it out of the scope of the completion
3. Completes as normal from the first argument after --.

This is the pattern used by https://github.com/99designs/aws-vault/blob/master/contrib/completions/zsh/aws-vault.zsh
This is also possible in https://github.com/99designs/aws-vault/blob/master/contrib/completions/bash/aws-vault.bash and https://github.com/99designs/aws-vault/blob/master/contrib/completions/fish/aws-vault.fish
It would be really helpful if the CLI team could update the completion function generated by op completion $SHELL to trigger this reset, so we don't lose shell functionality by using op plugins!
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
777 Views, 3 likes, 5 Comments

1Password CLI Biometric Authentication in Dev Container
I like to develop using https://code.visualstudio.com/docs/devcontainers/containers on my MacBook, and I love to be able to load secrets dynamically with the 1Password CLI. Using the 1Password CLI works great when I run commands directly on my Mac. However, when I set up a DevContainer to develop inside of, the 1Password CLI is not connecting. 1Password SSH biometric authentication still works, but I assume that is because the DevContainer is able to connect to the ssh socket. Can I mount the 1Password CLI socket into the DevContainer so that when I run "op" commands it is able to connect to my host machine's 1Password Desktop App? Where is the 1Password CLI socket so that I might mount it? I should also note that the DevContainer
```
Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm
```
1Password Version: 1Password for Mac 8.10.36 (81036049)
Extension Version: CLI Version 2.29.0
OS Version: macOS 14.5
Browser: Not Provided
410 Views, 3 likes, 1 Comment

"op read" is pretty slow, ~700ms per invocation
Hi all, I've noticed that op read is pretty slow, taking on the order of 700ms per invocation. Here's a benchmark using the https://github.com/sharkdp/hyperfine tool:
```
% hyperfine --warmup 3 "op read op://private/op-test/password"
Benchmark 1: op read op://private/op-test/password
  Time (mean ± σ): 717.2 ms ± 46.6 ms [User: 118.7 ms, System: 39.6 ms]
  Range (min … max): 640.8 ms … 782.3 ms 10 runs
```
Reading a non-password field is about the same:
```
% hyperfine --warmup 3 "op read op://private/op-test/username"
Benchmark 1: op read op://private/op-test/username
  Time (mean ± σ): 733.2 ms ± 52.1 ms [User: 124.0 ms, System: 41.4 ms]
  Range (min … max): 680.8 ms … 815.0 ms 10 runs
```
And using --cache does not seem to change anything:
```
% hyperfine --warmup 3 "op --cache read op://private/op-test/password"
Benchmark 1: op --cache read op://private/op-test/password
  Time (mean ± σ): 718.8 ms ± 50.3 ms [User: 119.6 ms, System: 39.6 ms]
  Range (min … max): 653.7 ms … 806.7 ms 10 runs
```
This is on a 16-inch MacBook Pro with an M3 Max on Sonoma 14.4.1. I've installed op via Homebrew. I'm not sure what the expectation is, but this seems much slower than I expected.
1Password Version: 8.10.30
Extension Version: Not Provided
OS Version: macOS 14.4.1
Browser: Not Provided
609 Views, 3 likes, 13 Comments