Using the 1Password CLI in a script
I’m currently writing a script that notarises a macOS CLI app which needs to access a password. Rather than put it in an environment variable, I thought I’d use the 1Password CLI. This is the first time I’ve used it, so these are my notes.
The 1Password CLI tool is call op. I installed it via Homebrew with:
brew install 1password-cli
Sign in
You need to sign in.
op signin
As I have multiple accounts as various clients have shared access to specific vaults, it asks me which account I want to sign in. To save this step, you can set the OP_ACCOUNT environment variable:
export OP_ACCOUNT=my.1password.com
Alternatively, use the --account parameter.
You get a dialog box where for me, I use TouchID to sign in.
op signin is idempotent so is a no-op if the Terminal is already signed in.
Access data
There are multiple ways to retrieve the data from a 1Password item.
op item get
Use op item get "<item>" --field "<fieldname>" to get a specific field. e.g
op item get "Apple App Notarisation" --field "username"
The <item> can be the name of the item or its id. e.g. something like dajka2z5l57m4p43s6bapd3eo4
Note, that for a password, you also need to pass in --reveal.
As I’m writing a script, I assign to a variable:
APPLE_ID=$(op item get "Apple App Notarisation" --field username) APP_SPECIFIC_PASSWORD=$(op item get "Apple App Notarisation" --field password --reveal) TEAM_ID=$(op item get "Apple App Notarisation" --field team_id)
Alternatively, you can get back multiple fields in one go by providing a list of comma separated fields:
FIELDS=$(op item get "Apple App Notarisation" --fields username,password,team_id --reveal) IFS=',' read -r APPLE_ID APP_SPECIFIC_PASSWORD TEAM_ID <<< "$FIELDS"
op read
You can also use the read parameter which takes a URL-style path:
op read op://<vault>/<item>/<field>
Use op vault list to view the list of vault names and you don't need --reveal for passwords.
For my case, I can use:
APPLE_ID=$(read "op://Private/Apple App Notarisation/username") APP_SPECIFIC_PASSWORD=$(op read "op://Private/Apple App Notarisation/password") TEAM_ID=$(op read "op://Private/Apple App Notarisation/team_id")
Format as JSON
You can also get the entire item in JSON using:
op item get "Apple App Notarisation" --format json
Then use jq to extract what you need. e.g to print the username and password you could do:
op item get "Apple App Notarisation" --format json | jq -r ' .fields[] | select(.label=="username" or .label=="password") | "\(.label): \(.value)" '
That's it
That's it. Very simple to put into a script and keep my password secure.