Using 1Password CLI for local development

I have been using the excellent 1Password app for several years now, and a couple of months ago, I discovered that it has a rather useful CLI. Naturally, I started to experiment, and I’m really glad I discovered it. I can definitely say it has improved my local development setup greatly.

My use case is that I wanted the ability to generate my .env file. Why? Because I use git worktrees and I’m tired of the tedious copying and pasting of the .env file.

What is 1Password CLI?

1Password CLI is a command-line interface for the popular password manager 1Password. The CLI can be used to generate passwords and look up secrets, and it also unlocks automation of password management tasks.

Here, we’ll explore how to inject secrets into the process environment and how to generate a .env file from a template.

Setting up 1Password CLI

  1. Install 1Password CLI: You can download the CLI from the official website or use a package manager like Homebrew:
Terminal window
brew install 1password-cli
  2. Turn on the 1Password desktop app integration: You can find the ‘Connect with 1Password CLI’ option in the developer settings tab or follow the steps
  3. Verify that you’re signed in: Run op vault list in your terminal

If you have multiple accounts, you may need to run op signin with the --account flag to select the right account.

Reading secrets

We can read secrets from the vault using the read command with a secret reference, for example:

Terminal window
# op read op://<vault>/<item>/<field>
op read op://dev/user/password

Finding secret references using the 1Password app

  1. Open 1Password desktop app
  2. Find and open item with the secret you want to read
  3. Click on the down arrow on the right of each field and click copy secret reference

Injecting secrets into environment

To get the secrets into the process, we need to use the run command.

  1. Create a new file with all the secret references mapped to environment variables
.env
EMAIL="op://dev/user/email"
PASSWORD="op://dev/user/password"
  2. Run op run, passing in the file we just created and the process you want to start, in this case Node.js
Terminal window
op run --env-file="./.env" -- node

The secrets behind the configured environment variables should now have been passed into the process and be ready to use:

Node.js
console.log(process.env.EMAIL) // mysecret@email.com

Generating .env file

To generate a file we need to use the inject command along with a template file.

  1. Create a new template file with secret references
.env.tpl
EMAIL="op://dev/user/email"
PASSWORD="op://dev/user/password"
  2. Run op inject, passing in the template and the name of the output file
Terminal window
# Use the .env.tpl and generate a .env file with the secrets
op inject -i .env.tpl -o .env

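This will generate a .env file in which the secret references are replaced by the actual secret values. Because that file now holds plaintext secrets, keep it out of version control.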
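
A guard for the two workflows above, as an added example that is not part of the original post: lint_env_template flags any key in an env file or template whose value is not an op:// secret reference, and the wrapper generate_env only runs op inject when the template is clean and the output file is git-ignored. Both function names and the sample template are hypothetical, constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): lint an env template so that only
# op:// secret references, never plaintext values, live in the file kept on disk.

# Print every KEY whose value is not of the form op://<vault>/<item>/<field>
# (an extra section segment is accepted too). Exit status 1 if any was found.
lint_env_template() (
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
    key=${line%%=*}
    value=${line#*=}
    value=${value#\"}; value=${value%\"}       # drop the surrounding quotes
    case $value in
      op://?*/?*/?*) ;;                        # looks like a secret reference
      *) printf '%s\n' "$key"; bad=1 ;;
    esac
  done < "$1"
  [ "$bad" -eq 0 ]
)

# Hypothetical wrapper: resolve the template only if it is clean and the output
# file is ignored by git; umask 077 keeps the plaintext result owner-only.
generate_env() (
  tpl=${1:-.env.tpl}; out=${2:-.env}
  lint_env_template "$tpl" >&2 || { echo "plaintext value in $tpl" >&2; exit 1; }
  git check-ignore -q "$out" || { echo "$out is not git-ignored" >&2; exit 1; }
  umask 077
  op inject -i "$tpl" -o "$out"
)

# Constructed sample template: two references and one pasted plaintext value.
demo_tpl=$(mktemp)
cat > "$demo_tpl" <<'EOF'
# constructed sample
EMAIL="op://dev/user/email"
PASSWORD="op://dev/user/password"
API_TOKEN="hunter2-not-a-reference"
EOF
if lint_env_template "$demo_tpl"; then
  echo "template is clean"
else
  echo "^ keys above hold plaintext; move them into the vault" >&2
fi
rm -f "$demo_tpl"
```

The lint only checks the shape of each value, so it suits a pre-commit hook on .env.tpl or on the reference-only .env passed to op run.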

Conclusion

Both injecting and generating secrets can be used with any file. In my example I used Node.js, but I could do the same in .NET, Go, Rust, etc.

As you can see, it’s really powerful and flexible. I’m currently only using this for local development, but I’m looking at using this with CI/CD and password rotation automation.

If you’re like me, and you’re fed up with forgetting and resetting your passwords, then I can’t recommend 1Password enough.

Hopefully this helped and someone found it useful!

Happy coding 🤘