Pragmatism in the real world

Using the 1Password CLI in a script

I’m currently writing a script that notarises a macOS CLI app which needs to access a password. Rather than put it in an environment variable, I thought I’d use the 1Password CLI. This is the first time I’ve used it, so these are my notes.

The 1Password CLI tool is call op. I installed it via Homebrew with:

brew install 1password-cli

Sign in

You need to sign in.

op signin

As I have multiple accounts as various clients have shared access to specific vaults, it asks me which account I want to sign in. To save this step, you can set the OP_ACCOUNT environment variable:

export OP_ACCOUNT=my.1password.com

Alternatively, use the --account parameter.

You get a dialog box where for me, I use TouchID to sign in.

op signin is idempotent so is a no-op if the Terminal is already signed in.

Access data

There are multiple ways to retrieve the data from a 1Password item.

op item get

Use op item get "<item>" --field "<fieldname>" to get a specific field. e.g

op item get "Apple App Notarisation" --field "username"

The <item> can be the name of the item or its id. e.g. something like dajka2z5l57m4p43s6bapd3eo4

Note, that for a password, you also need to pass in --reveal.

As I’m writing a script, I assign to a variable:

APPLE_ID=$(op item get "Apple App Notarisation" --field username)
APP_SPECIFIC_PASSWORD=$(op item get "Apple App Notarisation" --field password --reveal)
TEAM_ID=$(op item get "Apple App Notarisation" --field team_id)

Alternatively, you can get back multiple fields in one go by providing a list of comma separated fields:

FIELDS=$(op item get "Apple App Notarisation" --fields username,password,team_id --reveal)
IFS=',' read -r APPLE_ID APP_SPECIFIC_PASSWORD TEAM_ID <<< "$FIELDS"

op read

You can also use the read parameter which takes a URL-style path:

op read op://<vault>/<item>/<field> 

Use op vault list to view the list of vault names and you don't need --reveal for passwords.

For my case, I can use:

APPLE_ID=$(read "op://Private/Apple App Notarisation/username")
APP_SPECIFIC_PASSWORD=$(op read "op://Private/Apple App Notarisation/password")
TEAM_ID=$(op read "op://Private/Apple App Notarisation/team_id")

Format as JSON

You can also get the entire item in JSON using:

op item get "Apple App Notarisation" --format json

Then use jq to extract what you need. e.g to print the username and password you could do:

op item get "Apple App Notarisation" --format json | jq -r '
  .fields[] | select(.label=="username" or .label=="password") | "\(.label): \(.value)"
'

That's it

That's it. Very simple to put into a script and keep my password secure.

Thoughts? Leave a reply

Your email address will not be published. Required fields are marked *