Feature Request: Search SSH keys by public key
We manage multiple servers utilizing web-based administration panels. My use case: Logging into the server administration panel and seeing users having an SSH key configured, I would like to find the corresponding 1Password SSH-Key entry by searching for the public key. I tested this in the macOS 1Password application (1Password for Mac 8.10.75 (81075001)) where this does not work. Cannot say for different OS / app combinations.
24 Views 0 likes 0 Comments

CLI key rotation for team members
Hi there, I was looking for a solution on how to decrease the work load on rotating AWS CLI keys and distributing the individual keys to the team members. I know that AWS identity center could solve this but this has some dependencies on our side to get there.

Now here is what I was searching for but did not find a solution: I want to distribute a new CLI key to a developer. Sure, I can create 25 vaults, one for each developer, and place the new key into such a vault, but this is not scalable. Ultimately I have one vault and for each developer the CLI key. I would replace the existing key and secret with the new one when it is about time to rotate. The advantage I see here is that the developer would not even change her/his workflow, since the item id would remain the same and would be able to keep on using the same item id in the IDE.

But maybe I missed something on how to solve this, but I was not finding any solution when searching for it. Looking forward to understanding how others are solving it!
53 Views 0 likes 1 Comment

1Password secrets injector tries to conceal every random string in logs
Environment Details
Secret Injector Version: 1.0.2
1Password CLI Version: 2.23.0
Kubernetes Version: 1.32.2

Problem?
So I am using the 1Password secrets injector to inject secrets at runtime when the pod gets created. Now in the service container logs, I see a lot of <concealed by 1password> on random strings which are not actually secrets. For example:

    "receivedAt":"20<concealed by 1Password>-03-24T07:53:33.644Z"
    sentAt":"20<concealed by 1Password>-03-24T07:53:33.140Z"
    "timestamp":"20<concealed by 1Password>-03-24T07:53:26.830Z"

These strings are just dates and they don't need to be concealed by 1Password but they are getting concealed. I am not sure what kind of pattern matching the injector is doing to conceal the strings but it is doing it all wrong. So after some time of these log statements, I see the following error and the pod restarts or goes into an error state.

    20<concealed by 1Password>fatal error: concurrent map read and map write

Now I am stuck on this and not sure what to do. Any help would be greatly appreciated.
48 Views 0 likes 3 Comments

connect server - connection refused
I attempted to deploy Connect server but it didn't work. Below is the context.

input:

    op item get --format json --vault my_vault_name my_item_title

response:

    [ERROR] 2025/03/14 05:03:37 could not retrieve item ‘my_vault_name/my_item_title: Get "http://localhost:8080/v1/vaults?filter=title+eq+%22my_vault_name%22": dial tcp [::1]:8080: connect: connection refused

What I have done:
- I installed locally following the instructions on the getting started page
- I installed via helm chart
- I already got the 1password-credentials.json file locally
- I already set the environment variables OP_CONNECT_TOKEN, OP_CONNECT_HOST
- I also set the environment variables OP_SESSION, OP_HTTP_PORT, OP_LOG_LEVEL
- I also tried with the API heartbeat but also get connection refused

Info on environment:
- MacOS: 15.3.2, chip M2 ARM64
- 1Password version: 1Password for Mac 8.10.64
- 1Password CLI version: 2.30.3
- Kubernetes: using colima, runtime containerd + k3s
- pods are up and running (both connect-api and connect-sync)

In my profile on http://1password.com, it said “Your Connect server hasn’t authenticated with 1Password yet.”

helm status gives this response:

    NAME: connect
    LAST DEPLOYED: Fri Mar 14 01:13:28 2025
    NAMESPACE: default
    STATUS: deployed
    REVISION: 1
    NOTES:
    ** Please be patient while the chart is being deployed **
    1Password Connect is being deployed to Kubernetes.
    More information about 1Password Connect can be found at https://support.1password.com/secrets-automation/

It looks like I missed the last “authentication step” but I couldn’t figure it out.
Thank you
47 Views 0 likes 0 Comments

How does the k8s operator restart deployments?
I don't see it in the documentation anywhere, but I'd like to know how the operator restarts deployments. My main concern is that if a secret is updated, a deployment will hard-restart and possibly interrupt an operation mid-request. Is there a way to configure how it restarts deployments, with a custom shutdown command that can be handled by the service properly, finish its current request and then restart nicely?
93 Views 0 likes 0 Comments

Clarification about private keys for passkeys
Hey there, I was doing some reading about passkeys and 1Password and started wondering: does 1Password ever actually store passkey private keys on the device's TPM or Secure Enclave? Or does it only use the cloud-based vault and sync the private keys to the current device as needed, using some local storage as a cache such as Indexed DB (encrypted)? This is within the example context of using the 1Password Chrome extension on a MacBook without the desktop app installed.

Reason I'm confused is that some cloud-sync passkey providers such as Apple seem to do both the 1) device-bound Secure Enclave storage AND 2) 'cloud vault' equivalent to sync across devices. I'm only confused because in some 1Password docs/threads I've seen people say that the private key is stored on device while in others I've seen the opposite said.

Also, is there a difference in the way the private key is handled if you are just using the extension vs extension + desktop app?

Thanks so much for your time
65 Views 0 likes 0 Comments

Successful authentication locally, 403 when executed on server.
When using the one password Python library, I get the error "authentication error: http error: unexpected http status: 403 Forbidden" when running my code on a server or Google Colab, but it works fine when I run it on my laptop, even though the same credentials are used. Any idea about what might be going wrong? Here is the (slightly modified) code snippet:

    from onepassword.client import Client
    import asyncio
    import os

    async def get_mfa_code():
        # Token and secret-reference prefix are read from the environment
        ONEPASSWORD_TOKEN = os.environ['ONEPASSWORD_TOKEN']
        vault_cred = os.environ['vault_cred']
        client = await Client.authenticate(auth=ONEPASSWORD_TOKEN, integration_name="My Integration Name", integration_version="v1.0.0")
        # Retrieve credentials from 1Password
        username = await client.secrets.resolve(f"{vault_cred}/username")
        password = await client.secrets.resolve(f"{vault_cred}/password")
        mfa_code = await client.secrets.resolve(f"{vault_cred}/mfa_code?attribute=otp")
        return username, password, mfa_code

    asyncio.run(get_mfa_code())

    # In a notebook such as Google Colab an event loop is already running,
    # so nest_asyncio is applied before calling asyncio.run() again
    import nest_asyncio
    nest_asyncio.apply()
    asyncio.run(get_mfa_code())

Solved
36 Views 0 likes 1 Comment

Cannot connect connect-server to 1password from k8s
Hello. I have a problem with running 1Password operator in k8s cluster. Onepassword-connector does not connect to the server at all.

First I had problems with onepassword-credentials.json being fetched by the connector-api and connector-sync containers if they were declared as:

    env:
      - name: OP_SESSION
        valueFrom:
          secretKeyRef:
            name: op-credentials
            key: 1password-credentials.json

So I passed them via volumes / volumeMounts and defined the variable like this:

    volumes:
      - name: credentials
        secret:
          secretName: op-credentials
    (...)
    env:
      - name: OP_SESSION
        value: /home/opuser/.config/1password-credentials.json
    volumeMounts:
      - mountPath: /home/opuser/.config
        name: credentials
        readOnly: true

Here I put my code to make it clear how I create the deployment: Gitlab

Unfortunately I still can't connect to the server, and on the page: https://my.1password.com/developer-tools/infrastructure-secrets/connect/{connect_id} There is no information about the connection of my connect server, it only says "Not yet deployed"

Neither the connect-api container nor the connect-sync inside the onepassword-connect pod log any errors. Only errors I have are for operator and OnePasswordItem, which is:

    2025-02-17T20:31:08Z ERROR Reconciler error {"controller": "onepassworditem", "controllerGroup": "onepassword.com", "controllerKind": "OnePasswordItem", "OnePasswordItem": {"name":"example","namespace":"onepassword"}, "namespace": "onepassword", "name": "example", "reconcileID": "a1ba0a9c-7388-454e-9ce6-074cb6621e5c", "error": "Failed to retrieve item: Get \"http://onepassword-connect:8080/v1/vaults?filter=title+eq+%22Development%22\": net/http: invalid header field value for \"Authorization\""}
    sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
        /workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:329
    sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
        /workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:266
    sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
        /workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:227

Could I ask for help in finding the problem?
MarPi8266Views0likes0Comments
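
Go's net/http returns the error quoted in the post above (invalid header field value for "Authorization") when the header value contains a control character, and it does so before any connection is made. The Go sketch below is an added example, not code from the post or from 1Password: it reproduces the error with a constructed token whose trailing newline came from base64-encoding, and reports the offending byte without printing the token. That a stray newline is the cause in the post is an assumption, and the helper names are hypothetical.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// Host and path as they appear in the operator log; never dialled here.
const connectURL = "http://onepassword-connect:8080/v1/vaults"

// headerValueProblems lists the bytes net/http rejects in a header value:
// control characters other than horizontal tab, and DEL.
// It reports offset and byte value only and never echoes the token.
func headerValueProblems(v string) []string {
	var out []string
	for i := 0; i < len(v); i++ {
		b := v[i]
		if (b < 0x20 && b != '\t') || b == 0x7f {
			out = append(out, fmt.Sprintf("offset %d: byte 0x%02x", i, b))
		}
	}
	return out
}

// tryRequest sends a request carrying the token as a bearer credential.
// net/http validates header values before it dials, so an invalid value
// fails without any listener being present.
func tryRequest(token string) error {
	req, err := http.NewRequest(http.MethodGet, connectURL, nil)
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// secretData mimics the data field of a Kubernetes Secret: base64 of the
// exact bytes supplied, trailing newline included.
func secretData(raw string) string {
	return base64.StdEncoding.EncodeToString([]byte(raw))
}

// decodeSecret returns the bytes a container sees for that data field.
func decodeSecret(data string) (string, error) {
	b, err := base64.StdEncoding.DecodeString(data)
	return string(b), err
}

func main() {
	// Constructed token, not a real credential. The trailing newline is what
	// piping `echo "$TOKEN"` into base64 produces, as opposed to `echo -n`.
	token, err := decodeSecret(secretData("constructed-token-value\n"))
	if err != nil {
		panic(err)
	}
	fmt.Println("problems:", headerValueProblems(token))
	fmt.Println("request error:", tryRequest(token))

	clean := strings.TrimSpace(token)
	fmt.Println("problems after trimming:", len(headerValueProblems(clean)))
}
```

Running the same byte check against the value the operator actually receives narrows the problem to the Secret's contents or to how it is wired into the pod.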