Adds op
- One Password CLI into your node_modules/.bin
with additional helper commands and interactive CLI to copy paste passwords into clipboard
NOTE: This is not the official 1-Password CLI tool repo, this is a wrapper
See https://support.1password.com/command-line/ for more information about op
Supported platforms:
- darwin
- linux
- windows
The library provides additional commands on top of op
CLI tool which you can find very useful:
$> npx -p node-op vault-checkout --help
Usage: vault-checkout [options]
Download one or more files from 1-Password vault to current directory
Options:
-v --vault <vault-name> vault to use
--force overwrite existing files (default: false)
-f --files <title> list of files to checkout
--verbosity <0|1|2> verbosity of stdout
-h, --help output usage information
Example:
npx -p node-op op signin ...
npx -p node-op vault-checkout -f secretFile.yaml -f serviceAccount.json -v my-vault
The above command will download secretFile.yaml
and serviceAccount.json
files from my-vault
to the current directory.
The CLI will exit with error if:
- we are not already authorized to 1-Password using
op signin
- files already exist
- there are no documents in the vault with title
secretFile.yaml
orserviceAccount.json
Files are checked out independently and in event of issues specific to a single file only where the rest of files can be downloaded successfully - the tool will print out which of those files failed.
$> npx -p node-op vault-checkin --help
Usage: vault-checkin [options]
Upload one or more files to 1-Password vault from current directory and trash old files with same name
Options:
-v --vault <vault-name> vault to use
--verbosity <0|1|2> verbosity of stdout
-f --files <title> list of files to checkin
-h, --help output usage information
For example, we could upload .prod.env
and service-account.json
files specific to our environment to a secure vault named service1
:
npx -p node-op vault-checkin -f .prod.env -f service-account.json -v service1
The CLI will exit with error if:
- we are not already authorized to 1-Password using
op signin
.prod.env
file doesn't exist- there are already multiple documents with title
.prod.env
in 1-Password
Otherwise, the command will attempt to upload all files specified, put previous versions of these files to the 1-Password trash (delete them) and then delete local files for security reasons.
For example, we could upload .prod.env
and service-account.json
files specific to our environment to a secure vault named service1
:
npx -p node-op vault-checkin -f .prod.env -f service-account.json -v service1
$> npx -p node-op vault-diff --help
Usage: vault-diff [options]
Compare one or more local checked-out files with their original 1-Password versions
Options:
-v --vault <vault-name> vault to use
-f --files <title> list of files to compare
--verbosity <0|1|2> verbosity of stdout
-h, --help output usage information
The command uses git diff
to compare local changes to the versions in the 1-Password vault allowing you to verify/review changes before checkin.
To pin particular version of op:
npm install node-op
or globally:
npm install -g node-op
after which 1-Password CLI tool should be available globally:
$> which op
/home/%USER%/.nvm/versions/node/v10.17.0/bin/op
During npm install
a script is executed which downloads and unpacks pinned version of op
into your node_modules/node-op/lib/binaries
folder.
The op
executable becomes available to be used through npm run
or yarn run
.
A GitHub Actions job checks for updates on official web sites and creates a PR to the GitHub repo to update the pinned version number, so new versions should be available to users in a reasonable time.
There is an official image on Docker Hub
https://hub.docker.com/r/1password/op
The difference from globally installed op
is that OP sessions generated by the image containers cannot be shared. Once container that generated the image is stopped/destroyed the session is not valid anymore, so multiple op
operations might require multiple sign-ins. Or you need to write a bash script to copy and run it inside the container. Which is good from security perspective - if container images are always destroyed and purged.
In addition to that there is no jq
CLI tool embedded which makes the docker image useful as a base image only.
NOTE: This is not official way of op
CLI tool installation, no guarantees.
We are making a basic precaution of verifying the server certificate domain (weak certificate pinning). Certificates are not pinned due to the fact that they change very frequently.
After the CLI is installed it is your responsobility what happens with it.
Read op
documentation. Make sure to logout after using the CLI and make sure the login credentials are not exposed outside your scripts. This can be achieved by wrapping your scripts into a bash shell script that retains environment variables inside, rather than exporting it outside.
Make sure to only use trusted code within your bash shell script that does not depend on outside node_modules
which could take advantage of having access to environment variables with credentials.