1Password command-line tool 0.2: Tim’s new toys

Some of you may know Tim, our Beardless Keeper of Keys and Grounds here at AgileBits. Tim and his team keep everything running smoothly. The servers are serving happily and the networks are flowing gracefully. Tim is also the administrator of our company team on 1Password.com.

Tim can script and automate with the best of them, and from the moment he got a preview of op, the DevOps team began bombarding us with feedback. One of the first things he asked for was the ability to create vaults, so we added that right away. But we knew we could still do more for Tim – after all he was on the nice list this year – so we got him some new toys to play with. If you’re too excited to read more, you can just start playing with op 0.2 now. To find out more, read on.

Vault into the new year

Our first gift to Tim was more control over vault access. He can now use op to add users to vaults, remove users from vaults, and even delete vaults.

So when Dave told Tim about a new project (codenamed Honey Badger), it was easy to set things up.

Dave needed two developers, Chris and Betty, as well as one of our designers, Matt, involved in the project. With the command-line tool, Tim can switch to his terminal and do this right away. After he signs in, he can create the vault needed for the project:

op create vault "Honey Badger"

But this is old news! He’s been creating vaults for months now. What’s new is that he can now give everyone involved access to that vault:

op add "Chris Meek" "Honey Badger"
op add "Betty Da" "Honey Badger"
op add "Matt Davey" "Honey Badger"

Tim can even create a script to take a list of email addresses and add everyone to the vault at once:

#!/bin/bash
# Usage: add-everyone.sh "Honey Badger" < emailaddresses.txt
while read p; do
    op add $p $1
done

After Matt is done designing project Honey Badger, it’s just as simple to remove him from the vault:

op remove "Matt Davey" "Honey Badger"

When everyone is done with the project, Tim can use op delete vault "Honey Badger" and move on to his next gift.

New year, new groups

The next gift we gave Tim was control over group membership. He can now use op to create and delete groups and choose who belongs to them.

When Dave told Tim that Wendy was moving from the support team to the design team, Tim just casually sipped his cocoa. He knew this would be trivial. We already have groups set up for both teams, so he just ran two commands:

op remove "Wendy Appleseed" "Support"
op add "Wendy Appleseed" "Design"

Tim can also create and remove groups with op create group and op delete group if ever he needs to.

Resolve to level up your skills

The holidays may be over, but we have a feeling Tim will be playing with his new toys for many days to come. If you want to level up your own skills, head over to download this latest release and read the full documentation on our support site.

Level up with op 0.2!

Then pop in to the 1Password Support forum to let us know what you think. You’re all on our nice list, and we love hearing from you. Your feedback after the initial public beta was instrumental in shaping this release.

We’re incredibly excited to continue work on this tool, as it gives you access and control over your 1Password data in a way that’s never been possible before.

15 replies
    • Connor Hicks
      Connor Hicks says:

      Jake,

      Thanks for letting us know what you’d like to see in the tool! I’d like to explain why we didn’t add opvault support to the CLI: there are plenty of open source tools to do this already. The opvault spec is widely available and there have been several tools published on GitHub that allow you to work with them. This tool, on the other hand, is focused on giving 1Password membership users full administration and automation power over their accounts. This is very important, especially in a teams scenario where corporations like to automate as much as they can. It’s also due to the fact that the 1Password.com spec is much more complex, as it is much more powerful, so we didn’t think it would be feasible for third parties to implement a CLI based on the API easily.

      I hope you can understand, please let me know if there’s anything else I can answer for you!

    • Tor Arne
      Tor Arne says:

      Connor Hicks, can you name a single tool (open source or not), that integrates not just with the opvault file on disk (requiring giving the master password to that tool), but one that talks to 1password/mini, just like the browser extensions do? I would love my terminal/ssh passwords to be stored in 1password and easily hooked into e.g. iTerm. Thanks!

    • Connor Hicks
      Connor Hicks says:

      Jake,

      I’m not aware of any tools that access both opvault files and connect with 1Password Mini, but here are some useful open source projects:
      https://github.com/georgebrock/1pass
      https://github.com/sethvoltz/one_pass
      https://github.com/ravenac95/sudolikeaboss (for Mini and iTerm)

      Please be aware that we are not involved in the development of any of these tools, and you should always verify their security before entering your master password into any of them. That being said, it’s really amazing that the community has done so much work on our behalf :)

    • Tor Arne
      Tor Arne says:

      Connor,

      Thanks. The two first tools you list directly read the opvault/sqlite3 database:

      https://github.com/georgebrock/1pass
      https://github.com/sethvoltz/one_pass

      Which means I have to give the tool my master password, and trust that it doesn’t do anything bad with it. This is not an option.

      The last tool you mentioned connects to 1Password just like the Chrome extension does, via websockets, so the password is never given to sudolikeaboss:

      https://github.com/ravenac95/sudolikeaboss

      But that has failed since 1password 6.8.1, as you now require a code signing to allow extensions to talk to 1password:

      https://discussions.agilebits.com/discussion/81528/cannot-use-sudolikeaboss-with-1password-6-8-1/p2

      What I’m asking is when you will:

      A: Provide an official CLI binary that talks to a local 1password vault

      or

      B: Provide APIs and work with external developers like the author of sudolikeaboss, so let people create blessed/signed extensions that can integrate with 1password.

      or

      C: Allow the extension APIs to be optionally used by non-signed extensions, at the user’s risk, for a specific extension

      Thank you for you transparency in answering this.

    • Dave Teare
      Dave Teare says:

      Those are some great questions, Tor. Unfortunately I don’t have any answers to share with you. At least not yet.

      All I can say at this time is we’re well aware that Sudolikeaboss is pretty damn cool and we’d love to support it in the future once we find a safe and secure way to do so.

      I’m sorry I can’t share more with you than that at this moment.

      Take care,

      –Dave Teare
      AgileBits Founder

  1. Frank
    Frank says:

    You better quote your variables properly and use “–” to signify the end of the options.

    The command should be like:
    op add — “$p” “$1”

    Otherwise input like “foo bar” (w/o quotes) or “-i am evil” (w/o “–“) would cause issues.

    Reply
    • Frank
      Frank says:

      Your blog system seems to convert two dashes (“- -” without space) to a en em dash (“–”). Replace any occurrence of “—” with “- -” (without the space), please.

    • Kate Sebald
      Kate Sebald says:

      Hey Lars! You can have Groups and Vaults with the same name if you’d like. The tool will offer suggestions if you use a name that belongs to both and share the UUIDs for each so you can run the proper command. That said, it would be likely be easier to avoid overlap, if you’re able, but the overlap won’t cause fatal trouble if it’s necessary. 🙂

  2. Tim Gage
    Tim Gage says:

    op list does not provide a list of list subcommands. op help, op list help, … also provides no documentation.

    Reply
    • Connor Hicks
      Connor Hicks says:

      Hey Tim, sorry for the confusion! To see all the list subcommands, try op list --help :)

      Also, op --help will show all the top-level commands! I’m glad you’re using the tool!

  3. Alexander Celeste
    Alexander Celeste says:

    Have you considered getting op to be distributed via Homebrew (https://brew.sh)? This would be far more convenient than us needing to manually install new versions as they come out. I use Homebrew for pretty much every command-line tool I can, and would love to have op installed via Homebrew as well.

    Reply
    • Kate Sebald
      Kate Sebald says:

      Hey Alexander! While we don’t officially support Homebrew just yet, I’ve heard a rumor that someone has put a cask together already and if you search for 1password-cli, you just might find a surprise waiting for you. 😉

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.