DEV Community

Sean Boult
Sean Boult

Posted on

Using 1Password CLI for secrets locally

Secrets are the backbone of how developers work in today's data-driven and service world. Password manager apps like 1Password, Lastpass, and Bitwarden have been keeping our passwords safe for years.

Developers have not stuck with the same approach when it comes to secrets though. In the best-case scenario secrets are encrypted and worst case they are plaintext stored within config files.

With that in mind, this article will aim to help you source secrets from your 1Password vault locally leading to better security and a single source of truth.

First thing is to make sure you have the 1Password CLI installed and configured. Now we can start configuring our .env file to load things from the vault.

Here I've created an API Credential that lives in the "Secrets" vault which I've named "Demo Secret".
Image description

We can access this secret using the following schema
op://vault-name/item-name/[section-name/]field-name

Create a file in your home directory somewhere, I'll be using $HOME/personal/.env but feel free to change this.

Example:

SECRET_DEMO="op://secrets/demo secret/credential"
Enter fullscreen mode Exit fullscreen mode

Now we'll want to create a nice shell helper function that can go into your profile.

# added to my $HOME/.zshrc file
# where we will store the env file
ENV_PATH=$HOME/personal/.env

# call this function anything you'd
function sec {
  # see if we are logged in, will return exit code > 0 if not
  op whoami

  # if we are logged skip if not ask for master password
  if [[ $? != 0 ]]; then 
    eval $(op signin)
  fi

  # this will inject the env vars we defined in our .env file
  op run --env-file=$ENV_PATH -- $@
}
Enter fullscreen mode Exit fullscreen mode

Make sure to reload your shell so we have access to the new sec helper function we made.

Now clone the demo repo, change into the new directory, and start the app with the sec util.

# clone the demo project
git clone https://github.com/Hacksore/demo-1pass-secrets.git

# change directory
cd demo-1pass-secrets

# start with the prefixed util
sec npm start
Enter fullscreen mode Exit fullscreen mode

Image description

And there you have it! You can now start apps that require secrets in environment variables just by prepending the sec util.

It should work well for any language as long as you can start your app from the CLI.

hacker man gif

Additional Resources
Demo Repo
1Password Docs
1Password Blog
Inspiration

Top comments (0)