dev: 1Password cli only works online

Well, I’ve been having fun with developer tools for the past week, so documenting some of them before I descend (yet again!) into the depths of patent writing hell.

1Password CLI

Well, 1Password is making some great improvements as they evolve from an influential end user store you passwords into an enterprise developer focused system for managing all your credentials.

Since they are moving fast, the documentation is really hard to figure out as they are adding APIs, CLIs and other facilities at a breakneck speed. But here are some of the things to know:

  1. They have no less than five different ways of access 1Password information. This all works through which is confusing. There first thing is that they now have plugins. so if you do a op plugin list you get a list of things that work at the shell level to automatically insert credentials in. This is great for things like aws s3 ls if you are not already using AWS single sign on credentials. In general, these are great for less sophisticated cloud service like say Digital Ocean where you are always typing your password in with you do a doctl although I find all of the services like netlify, aws, gcloud that do this kind of authentication its a bit easier.
  2. op read op://vault/item/key this is the way to directly read from the 1Password vault. Note that this still requires 1Password to be online, it does not read cached credentials, which is a bit of a bummer. But, you can suck things like tokens out.
  3. op run -- command which is a lot like an .env thing, if you have a .env or export shell variables, it will replace the secret references dynamically.
  4. op inject .env -t .env.in this is a way to dynamically create a .env file (which you should not check in!) and get variables that way
  5. op item get item --field field which doesn’t require any transformations and is nice for entering shell variables.

The main confusing thing to me is that 1Password application that can run offline, but these require online authentication.

Also to debug this is pretty confusing as it is not clear where these log files live and it is something called Group Containers with a GUID in the name.:


Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data/logs/rCURRENT.log

Here you can figure out that the thing only works online. That means it is very slow for narrow band links. You have been warned.

Leave a Reply

Only people in my network can comment.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

I’m Rich & Co.

Welcome to Tongfamily, our cozy corner of the internet dedicated to all things technology and interesting. Here, we invite you to join us on a journey of tips, tricks, and traps. Let’s get geeky!

Let’s connect

Recent posts

Loading Mastodon feed…