secrets management (251 Topics)

Masked Email API - integrate my own masked email generation service
I love the idea of masked emails and I briefly trialled FastMail in order to get that behaviour built in to 1Password, but I ended up choosing not to continue with FM (for reasons). So, because I own a throwaway domain (let's call it flubber.fish), instead I hacked together a quick web page that I can hit which will generate a gibberish email (i.e. mailto:d09uiy2@flubber.fish) which I can copy and paste into 1Password and any account I have, and I get the same effect (with some aliasing/mail rules in the background to redirect it to me, obviously).

However, this feels a bit frustrating - getting out of the 1Password flow in order to get this new address each time - and I wish there was a better way. So I'm wondering if you could somehow provide an API spec and hooks which power users like me could use to integrate our own services into. It might also make it possible for third parties to offer integrations with Google etc. utilising their . and + aliasing techniques (although arguably less "masked" than random words/characters as it still contains your root address, but I digress...).

Obviously you'd need to solve some security concerns around that and integration authors might need to jump through some hoops. But if the hoops aren't too big and too many then I'd love to have 1Password using my code to auto-generate masked emails on my own domain for me.

Generate limited time share link through API
Sorry ahead of time if this was asked or shown somewhere. I have searched the site and the internet for a way to create a temporary link that shares a password with guests (non-1Password users) but I could not find anything on the site. Is there a way to do that?

CLI Slow Performance
I have the 1Password desktop app installed and up to date on my MacBook Pro; the `op` CLI is also installed, up to date, and working properly. All expected CLI queries work but they are surprisingly slow. After a bunch of trial and error, it seems that it is making a round trip online as part of every single CLI query. I added the --debug flag and I can see cache hits, but the round trip online is still occurring. Disabling the network interface causes all queries to fail.

Is it possible to get the 1Password CLI working fully offline to avoid all of this unnecessary round-trip business? Surely with the desktop app installed and CLI integration turned on, there has to be a way to make efficient (and offline) use of my 1Password vaults. Otherwise automation tasks that require secrets are simply too cumbersome to handle with 1Password, and I will require a secondary solution. And in that case, I may as well give up on 1Password.

[new tool] varlock: schema-driven env vars
TL;DR: We've launched something new, it's called varlock. It's like DMNO but simpler and easier to get started. It's built on top of the .env files you're already using. It makes them safer to use and share. We'd love your feedback.

>> 🧙‍♂️ https://varlock.dev

---

We've been heads down working on the next evolution of secrets and configuration tooling, building on what we've learned so far creating DMNO. If you've used DMNO, varlock will feel familiar. But instead of writing schemas in TypeScript, we've created a lightweight DSL that sits on top of your .env files. We think this allows for much simpler onboarding (and offboarding!). And because it's all based on decorators in comments, it should play nice with your existing tools.

For any tools that would like to make use of this new syntax, we've also created an open specification, we call it @env-spec, and there's an active RFC if you would like to get involved.

>> RFC: https://github.com/dmno-dev/varlock/discussions/17

---

So why varlock?

Varlock is a suite of tools built to improve the experience of working with environment variables, both in terms of security and developer experience. It provides:

- Validation - catch errors in development instead of production
- Type-safety - improved DX via detailed IntelliSense
- Security - secret redaction in stdout and global console methods
- Environments - compose defaults, environment-specific .env files, and local git-ignored overrides
- Secrets - use any third party provider that has a CLI to load values

What next?

We're just getting started and we have big plans to expand the feature set of varlock. Coming soon you'll see:

- Local override encryption via a desktop app using biometrics
- Shared team vaults with trustless cloud storage
- GitHub App to track config changes with audit trails
- Deeper integration with providers like 1Password

If you've read this far, thank you. Please check out varlock and let us know what you think by replying to this post, or joining us on Discord. Tools like this are only as good as the community that shapes them.

>> 🧙‍♂️ https://varlock.dev

Thanks ✌️

Automated Connect server token rotation
I've been evaluating whether I can use 1Password Connect for configuration/secrets management for my company's services. 1Password Connect looks very appealing for several reasons:

- No rate limits. No usage limits. As a 1Password customer, we have unlimited access to this offering.
- Uniform UI. We already use 1Password for managing passwords and various secrets used during local development. It would be very nice to use the same interface to manage the lifecycle of configurations and secrets that are used by production services.
- A pretty straightforward REST API and SDKs in the languages that we use allow getting the latest config/secret values at runtime.

I am not very interested in using the 1Password Connect Operator (or using k8s Secrets in general) since this provides secrets to the service at deploy time. I appreciate the ability to automatically redeploy the service when the underlying 1Password item changes, but this works well only for stateless services. I prefer getting configurations/secrets at runtime over an API.

I started experimenting with this offering and working out how to integrate it into our systems. The docs recommend creating a Connect server token for every service, which makes a lot of sense. And the docs strongly suggest setting an expiration on this token, which also makes sense. After all, it's a static credential not tied to the identity of the service that uses it, so frequent rotation should reduce the risk of a leaked token causing damage. But the issue is that I don't see a way to automate this rotation given the permission model that is in use today. Is it possible for either a Service Account or a Connect client to manage Connect tokens (create/delete tokens)?

I was thinking of integrating 1Password Connect as follows:

1. Our deployment pipeline is high trust. It would use either Service Account or Connect client credentials that expire infrequently. It's OK for a human to ensure this credential doesn't expire and rotate it when necessary.
2. When a service deployment is kicked off, the deployment pipeline creates a new Connect token.
3. The pipeline ensures that the newly created Connect token is accessible to the service as an environment variable.
4. Once the service is deployed and is considered healthy, the old Connect token (used by the previous deployment of the service) is deleted.

In this setup, the deployment pipeline can create the new Connect token with a relatively short expiry and we can assume that every service gets redeployed more often than this expiration period.

I think this setup is pretty reasonable but I don't see a way of giving the deployment pipeline access to create/delete Connect tokens. I tried using a Service Account to create a Connect token via the CLI and got 403. I see that it's possible to give a group access to manage Secrets Automation, but I don't think it's possible to make a Service Account a member of some group. Correct me if I am wrong. I also tried using a Connect client to create a new Connect token and this didn't work: "op connect token create" doesn't work with Connect.

https://developer.1password.com/docs/connect/manage-connect of your docs mentions: "You can use 1Password.com or the https://developer.1password.com/docs/connect/api-reference/ to: ... https://developer.1password.com/docs/connect/manage-connect#create-a-token and https://developer.1password.com/docs/connect/manage-connect#revoke-a-token Connect server tokens." but I think it's a typo.

As things stand today, Connect server token rotation can only be done by a human user, which doesn't scale beyond a handful of services. If I were to go down that path, I would have to set expiration to a longer period, which affects security. This makes 1Password Connect a lot less appealing. Please let me know if I am missing something and if there is a way to automate token rotation.

Secrets Automation in Azure DevOps
There is already a GitHub action called 'Load secrets from 1Password'. Will 1Password also support Azure DevOps pipelines in future?

Retrieve SSH private key with Terraform Provider
Hi! I am currently trying to use an "onepassword_item" to retrieve an SSH private key in a Terraform script. I am using the CLI in the provider config. Getting the complete item with the CLI works and I can see the private key. However it does not seem to be contained in the data item.

Provider config:

```hcl
provider "onepassword" {
  account = var.op_account_id
}
```

Getting the data with

```hcl
data "onepassword_item" "ssh_key" {
  vault = "<vault_id>"
  uuid  = "<item_id>"
}
```

and then using it in a resource with

```hcl
...
# reference the data source declared above by its own name
"sshPrivateKey" = data.onepassword_item.ssh_key.private_key
...
```

I also checked the tf state and it also does not contain the private key:

```
tf state show module.test.data.onepassword_item.ssh_key
data "onepassword_item" "ssh_key" {
    category   = "ssh_key"
    id         = " "
    note_value = (sensitive value)
    public_key = " "
    title      = "My SSH Key"
    uuid       = " "
    vault      = " "
}
```

Am I doing something wrong?

Secrets injector not working - variable value is the op path
Hi, I am currently testing the secrets injector with a Connect server by following https://developer.1password.com/docs/k8s/k8s-injector/?workflow-type=connect. Both have been deployed in the k8s cluster. I tried deploying this demo app:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
spec:
  selector:
    matchLabels:
      app: demo-app
  template:
    metadata:
      annotations:
        operator.1password.io/inject: demo-app
      labels:
        app: demo-app
    spec:
      containers:
        - name: demo-app
          image: busybox
          ports:
            - containerPort: 5000
          command: ["sleep"]
          args: ["3600"]
          env:
            - name: OP_CONNECT_HOST
              value: 'http://onepassword-connect.onepassword.svc.cluster.local:8080'
            - name: OP_CONNECT_TOKEN
              valueFrom:
                secretKeyRef:
                  key: token
                  name: connect-token
            - name: TEST_ONEPASSWORD
              value: op://my-vault/test_creds/password
```

Connect logs:

```
{"log_message":"(I) GET /v1/vaults","timestamp":"2024-02-22T11:51:56.978455348Z","level":3,"scope":{"request_id":"039a4d07-90ea-4161-a4a8-c9b814588e3d"}}
{"log_message":"(I) GET /v1/vaults completed (200: OK) in 12ms","timestamp":"2024-02-22T11:51:56.990803288Z","level":3,"scope":{"request_id":"039a4d07-90ea-4161-a4a8-c9b814588e3d"}}
{"log_message":"(I) GET /v1/vaults/trkbdmaja5jf7gblvdmzhtfgsa/items?filter=title+eq+%22test_creds%22","timestamp":"2024-02-22T11:51:56.992460837Z","level":3,"scope":{"request_id":"154b9a54-351d-4839-a84e-3f406c73f505"}}
{"log_message":"(I) GET /v1/vaults/trkbdmaja5jf7gblvdmzhtfgsa/items?filter=title+eq+%22test_creds%22 completed (200: OK) in 10ms","timestamp":"2024-02-22T11:51:57.00252325Z","level":3,"scope":{"request_id":"154b9a54-351d-4839-a84e-3f406c73f505"}}
{"log_message":"(I) GET /v1/vaults/trkbdmaja5jf7gblvdmzhtfgsa/items/5dlsknuwntvpokkkevuu475cpi","timestamp":"2024-02-22T11:51:57.003679559Z","level":3,"scope":{"request_id":"c11d761f-0781-4a44-8a5f-f40261fd693f"}}
{"log_message":"(I) GET /v1/vaults/trkbdmaja5jf7gblvdmzhtfgsa/items/5dlsknuwntvpokkkevuu475cpi completed (200: OK) in 8ms","timestamp":"2024-02-22T11:51:57.012355276Z","level":3,"scope":{"request_id":"c11d761f-0781-4a44-8a5f-f40261fd693f"}}
```

Injector logs:

```
I0222 11:51:55.401251 1 webhook.go:180] Checking if secret injection is needed for /v1, Kind=Pod at namespace default
I0222 11:51:55.401426 1 webhook.go:98] Pod at namespace default. Secret injection status: Secret Injection Enabled:true
I0222 11:51:55.401477 1 webhook.go:313] OP_SERVICE_ACCOUNT_TOKEN not provided
I0222 11:51:55.401485 1 webhook.go:345] OP CLI will be used with Connect
I0222 11:51:55.401545 1 webhook.go:287] AdmissionResponse: patch=[{"op":"add","path":"/spec/containers/0/volumeMounts","value":[{"name":"kube-api-access-tkfrs","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"},{"name":"op-bin","readOnly":true,"mountPath":"/op/bin/"}]},{"op":"replace","path":"/spec/containers/0/command","value":["/op/bin/op","run","--","sleep"]},{"op":"add","path":"/spec/containers/0/env/-","value":{"name":"OP_INTEGRATION_NAME","value":"1Password Kubernetes Webhook"}},{"op":"add","path":"/spec/containers/0/env/-","value":{"name":"OP_INTEGRATION_ID","value":"K8W"}},{"op":"add","path":"/spec/containers/0/env/-","value":{"name":"OP_INTEGRATION_BUILDNUMBER","value":"1000101"}},{"op":"add","path":"/spec/volumes/-","value":{"name":"op-bin","emptyDir":{"medium":"Memory"}}},{"op":"add","path":"/spec/initContainers","value":[{"name":"copy-op-bin","image":"1password/op:2","command":["sh","-c","cp /usr/local/bin/op /op/bin/"],"resources":{},"volumeMounts":[{"name":"op-bin","mountPath":"/op/bin/"}],"imagePullPolicy":"IfNotPresent"}]},{"op":"add","path":"/metadata/annotations","value":{"operator.1password.io/status":"injected"}}]
I0222 11:51:55.401571 1 webhook.go:481] Ready to write response ...
```

When I check the pod env:

```
$ kubectl exec -it demo-app-78d6b574d7-bxcd4 -- /bin/sh
Defaulted container "demo-app" out of: demo-app, copy-op-bin (init)
/ #
/ # env | grep TEST
TEST_ONEPASSWORD=op://my-vault/test_creds/password
```

What could be the issue here?
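An added example, not code from either post or from 1Password: a small runtime client that resolves op://<vault>/<item>/<field> references against a Connect server the way the injected `op run` does, using the three endpoints the Connect logs above show (GET /v1/vaults with a name filter, the items title filter, and the item fetch). It reads its bearer token through a callable and re-reads it once on a 401, so a token rotated by a pipeline, as proposed in the Connect token rotation post above, is picked up without a restart. Hostnames, vault and item names, the token file path and the field labels are assumptions for illustration; the HTTP transport is a parameter so the client can be driven offline by a fake server.

```python
import json
import os
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# op://<vault>/<item>/<field>. Section-qualified references
# (op://vault/item/section/field) are deliberately out of scope here.
OP_REF = re.compile(r"^op://([^/]+)/([^/]+)/([^/]+)$")

# (url, headers) -> (status, body). Injected so the client can run offline
# against a fake server; urllib_transport is the real one.
Transport = Callable[[str, Dict[str, str]], Tuple[int, bytes]]


def urllib_transport(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:  # 4xx/5xx are raised by urlopen
        return exc.code, exc.read()


class ConnectClient:
    """Minimal read-only client for the 1Password Connect REST API."""

    def __init__(self, host: str, token_source: Callable[[], str],
                 transport: Transport = urllib_transport) -> None:
        self.host = host.rstrip("/")
        self.token_source = token_source  # re-read on 401, see _get()
        self.transport = transport
        self._token = token_source()

    def _get(self, path: str, params: Optional[Dict[str, str]] = None):
        url = f"{self.host}/v1{path}"
        if params:
            url += "?" + urllib.parse.urlencode(params)
        for attempt in (1, 2):
            headers = {"Authorization": f"Bearer {self._token}",
                       "Accept": "application/json"}
            status, body = self.transport(url, headers)
            if status == 401 and attempt == 1:
                # The token may have been rotated underneath us: re-read it
                # once and retry. A second 401 is a real authorisation failure.
                self._token = self.token_source()
                continue
            if status != 200:
                raise RuntimeError(f"Connect GET {path} failed: HTTP {status}")
            return json.loads(body)

    def read(self, ref: str) -> str:
        """Resolve one op:// reference to the field's value."""
        match = OP_REF.match(ref)
        if not match:
            raise ValueError(f"not an op:// reference: {ref}")
        vault_name, item_title, field = match.groups()
        # Connect filters are exact matches: name eq "..." / title eq "...".
        vaults = self._get("/vaults", {"filter": f'name eq "{vault_name}"'})
        if len(vaults) != 1:
            raise LookupError(f"expected one vault named {vault_name!r}, got {len(vaults)}")
        vault_id = vaults[0]["id"]
        items = self._get(f"/vaults/{vault_id}/items",
                          {"filter": f'title eq "{item_title}"'})
        if len(items) != 1:
            raise LookupError(f"expected one item titled {item_title!r}, got {len(items)}")
        item = self._get(f"/vaults/{vault_id}/items/{items[0]['id']}")
        for fld in item.get("fields", []):
            if field in (fld.get("label"), fld.get("id")):
                return fld.get("value", "")
        raise LookupError(f"field {field!r} not found on item {item_title!r}")


def resolve_env(environ: Dict[str, str], client: ConnectClient) -> Dict[str, str]:
    """Return a copy of environ with every op:// value replaced by its secret."""
    resolved = dict(environ)
    for name, value in environ.items():
        if value.startswith("op://"):
            resolved[name] = client.read(value)
    return resolved


if __name__ == "__main__":
    # Assumed layout: the pipeline rotates the token by rewriting this file.
    token_file = os.environ.get("OP_CONNECT_TOKEN_FILE", "/var/run/secrets/op/token")
    client = ConnectClient(
        os.environ.get("OP_CONNECT_HOST", "http://localhost:8080"),
        lambda: open(token_file, encoding="utf-8").read().strip(),
    )
    for key, val in resolve_env(dict(os.environ), client).items():
        if os.environ[key].startswith("op://"):
            print(f"{key}=<resolved, {len(val)} chars>")  # never print the value
```

Two points worth noting. The token is read through a callable rather than captured once, so rewriting the mounted file or Secret is enough to rotate it, and only one retry is made so a revoked token fails loudly instead of looping. Separately, `op run` provisions resolved values only into the environment of the process it launches (here `sleep`); a shell started afterwards with `kubectl exec` is not a child of that process, so it inherits the container's original environment and prints the raw op:// path. Checking from the launched process or one of its children is the meaningful test.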
Connect Operator Reconciler error

Hello,

We upgraded the helm chart for Connect server on our staging K8s cluster from version 1.7.1 to 1.14.0. Post upgrade, secrets are (as expected) still successfully created; however, we see many pairs of info/error entries like the ones below in the Connect Operator logs.

```
2024-02-06T21:02:35Z INFO Secret with name op-test and version 1 already exists
2024-02-06T21:02:35Z ERROR Reconciler error {"controller": "onepassworditem", "controllerGroup": "onepassword.com", "controllerKind": "OnePasswordItem", "OnePasswordItem": {"name":"op-test","namespace":"customer-ravenstaging1"}, "namespace": "customer-ravenstaging1", "name": "op-test", "reconcileID": "9221dafe-aed3-4374-98f3-676fa8ddbd7c", "error": "cannot update status: onepassworditems.onepassword.com \"op-test\" not found"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
	/workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:329
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:274
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
	/workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:235
```

Some research showed that the error might stem from the onepassworditems.onepassword.com CRD definition update that happened somewhere around version 1.8. We did update the CRD definition to include version 2 as shown in the attached file; however, the Reconcile error still occurs. Can you please help in resolving this? We cannot proceed to upgrading our production cluster until this issue is resolved...

Thanks in advance
I.

Combine several secrets into another secret, or inherit secrets?
I currently use Doppler and the feature that I use constantly is password inheritance. I'll give you an example.

If, in production, I have the following secrets:

```
MONGO_DATABASE = 'mongo'
MONGO_USERNAME = 'user_one'
MONGO_PASSWORD = 'production'
MONGO_URI = mongodb://${MONGO_USERNAME}:${MONGO_PASSWORD}@prod_server.com:27017/?authMechanism=DEFAULT
```

in the development environment I can do this:

```
MONGO_DATABASE=${production.MONGO_DATABASE}
```

etc...

So, is there a way in 1Password to use variables in password fields to reference other password fields, like Doppler?
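An added example, not code from the post above, from Doppler or from 1Password: a resolver for the ${VAR} / ${env.VAR} reference syntax the post describes, showing what a secrets store has to do to support inheritance safely: expand references transitively, refuse reference cycles and undefined names instead of rendering a half-expanded value, and cache each resolved key so a value referenced many times is computed once. SAMPLE_CONFIGS is constructed for illustration and mirrors the post's values; the development password and hostname are assumptions.

```python
import re
from typing import Dict, List, Tuple

# ${NAME} refers to a key in the same environment; ${env.NAME} to another one.
REF = re.compile(r"\$\{(?:([A-Za-z_][A-Za-z0-9_]*)\.)?([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed sample mirroring the post; "dev-only" and localhost are assumed.
SAMPLE_CONFIGS: Dict[str, Dict[str, str]] = {
    "production": {
        "MONGO_DATABASE": "mongo",
        "MONGO_USERNAME": "user_one",
        "MONGO_PASSWORD": "production",
        "MONGO_URI": "mongodb://${MONGO_USERNAME}:${MONGO_PASSWORD}"
                     "@prod_server.com:27017/?authMechanism=DEFAULT",
    },
    "development": {
        "MONGO_DATABASE": "${production.MONGO_DATABASE}",
        "MONGO_USERNAME": "${production.MONGO_USERNAME}",
        "MONGO_PASSWORD": "dev-only",
        # Same shape as production, but the password is the local one.
        "MONGO_URI": "mongodb://${MONGO_USERNAME}:${MONGO_PASSWORD}@localhost:27017/",
    },
}


def resolve(configs: Dict[str, Dict[str, str]], env: str) -> Dict[str, str]:
    """Return configs[env] with every reference expanded.

    Raises KeyError for a reference to an undefined environment or key and
    ValueError for a reference cycle, naming the path that loops.
    """
    cache: Dict[Tuple[str, str], str] = {}

    def expand(e: str, key: str, stack: List[Tuple[str, str]]) -> str:
        node = (e, key)
        if node in cache:
            return cache[node]
        if node in stack:  # we are already expanding this key: a cycle
            loop = stack[stack.index(node):] + [node]
            raise ValueError("reference cycle: " + " -> ".join(f"{a}.{b}" for a, b in loop))
        if e not in configs or key not in configs[e]:
            raise KeyError(f"{e}.{key} is not defined")

        def substitute(m: "re.Match[str]") -> str:
            ref_env = m.group(1) or e  # no prefix means the same environment
            return expand(ref_env, m.group(2), stack + [node])

        cache[node] = REF.sub(substitute, configs[e][key])
        return cache[node]

    return {key: expand(env, key, []) for key in configs[env]}


if __name__ == "__main__":
    for env_name in SAMPLE_CONFIGS:
        for key, value in resolve(SAMPLE_CONFIGS, env_name).items():
            print(f"{env_name}.{key}=<{len(value)} chars>")  # lengths only, never values
```

The cycle check walks the expansion stack rather than just the immediate reference, so indirect loops such as A -> B -> A are reported with the full path; an undefined ${staging.X} raises instead of being passed through as literal text, which is the failure mode that silently ships a placeholder to production.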