DEV Community

Emmanuel Odongo
Emmanuel Odongo

Posted on • Edited on • Originally published at odongo.pl

Reading Secrets With the 1Password CLI

I use 1Password as my password manager but didn't really see much need for the CLI that they provide until fairly recently. I'll go over a couple of use cases where the CLI has integrated really well into my workflow.

Keeping Dot Files Password-Free

I've been using aerc1 for a few weeks. When you add an email account to aerc, it saves the password in a configuration file (~/.config/aerc/accounts.conf for me), an example of which can be seen below:

[Fastmail]
source   = imaps://user%40fastmail.com:agvsbg8gd29ybgqh@imap.fastmail.com
outgoing = smtps://user%40fastmail.com:agvsbg8gd29ybgqh@imap.fastmail.com
Enter fullscreen mode Exit fullscreen mode

Having the password stored in plain text2 is less than ideal, even if it is on a device you own. Helpfully, aerc provides a way to specify an arbitrary command that can be executed to retrieve the password. To use the 1Password CLI, the accounts configuration file can be modified as follows:

[Fastmail]
source            = imaps://user%40fastmail.com@imap.fastmail.com
source-cred-cmd   = op read op://MyVault/Fastmail/aerc-password
outgoing          = smtps://user%40fastmail.com@imap.fastmail.com
outgoing-cred-cmd = op read op://MyVault/Fastmail/aerc-password
Enter fullscreen mode Exit fullscreen mode

The command we want executed is op read, and we pass it the URL3 of the secret to access. The next time aerc is launched, a TouchID prompt, or a prompt to Allow Access, will be presented as shown below:

Launching aerc with the 1Password CLI integration

Autofilling One-Time Passwords

As a publisher of npm packages, it's a good idea to enable 2FA on your npm account. This makes a leaked token with write-access less of a risk since no writes (such as publishing a new version of a package) can be performed without a valid OTP.

When publishing an npm package using npm publish, a prompt is shown in the terminal asking the user to type in the OTP. However, there is also an --otp flag we can make use of to provide the OTP upfront:

npm publish --otp $(op item get NPM --otp)
Enter fullscreen mode Exit fullscreen mode

This time we use the op item get command4, passing it the name of the item and the --otp flag. Upon execution, a TouchID prompt or an Allow Access prompt is presented, removing the need to manually type or paste the OTP. As an added convenience, the above command can be bound to a shell alias.

Publishing an npm package with the 1Password CLI integration

Footnotes

  1. aerc is a terminal-based email client. ↩︎

  2. This helpful URL scheme shows that the password is agvsbg8gd29ybgqh. ↩︎

  3. The URL takes the form:

    op://<vault>/<item>[/<section>]/<field>
    ↩︎
  4. Note that if we tried using the op read command:

    op read 'op://MyVault/NPM/Security/one-time password'

    instead of the current OTP being returned, we would get the reference URL used to generate the OTP:

    otpauth://totp/croccifixio?secret=AGVSBG8GD29YBGQHIGDVB2QGBMLNAHQ1&issuer=npm
    ↩︎

Top comments (0)