How to use the command 'op' (with examples)
The ‘op’ command is the official command-line interface (CLI) for interacting with the 1Password desktop app. It provides users the ability to execute various operations on their 1Password accounts directly from the terminal. This CLI is particularly useful for developers and sysadmins who want to automate their workflows involving sensitive credentials, manage vaults, and conduct other operations programmatically without having to access the graphical user interface.
Use case 1: Sign in to a 1Password account
Code:
op signin
Motivation:
Signing into your 1Password account is the foundational step to begin interacting with your vaults and items through the CLI. This operation is crucial as it authenticates the user and establishes a secure session, which is required for all subsequent commands. It ensures that the security and integrity of your password management are maintained.
Explanation:
signin: This command initiates the process of authenticating with 1Password. It usually prompts the user to enter their account email, secret key, and master password unless these details are provided through another mechanism such as an environment variable or configuration file.
Example output:
Enter your 1Password account email: user@example.com
Enter your Secret Key (A3-CD6E...). You can find it on your Emergency Kit or in 1Password settings:
Enter the password for user@example.com at My Team:
Signed in as user@example.com.
Use case 2: List all vaults
Code:
op vault list
Motivation:
Listing all vaults lets users view the repositories or collections of items they have access to. This can be particularly useful for getting an overview of the existing organizational structure of your passwords and other credentials. It helps in managing access and understanding the scope of information stored.
Explanation:
vault: Specifies that the command is to interact with vaults, which are essentially collections of 1Password items like logins, secure notes, and documents.
list: This argument instructs the CLI to compile and present a list of all vaults available to the authenticated user.
Example output:
[
  {
    "id": "h3f2zj2qycwlhnit7umy4txpji",
    "name": "Personal",
    "description": "My personal items"
  },
  {
    "id": "3l7zgjrw5h63usjfkm6zstv44a",
    "name": "Shared",
    "description": "Items shared between family members"
  }
]
Use case 3: Print item details in JSON format
Code:
op item get item_name --format json
Motivation:
Retrieving item details in JSON format provides a structured view of the data, which is ideal for parsing and processing with other tools or scripts. This can be helpful when you need to extract specific information programmatically or to integrate with other systems or logs.
Explanation:
item: Specifies that the command pertains to 1Password items, which can be logins, notes, cards, etc.
get: Instructs the CLI to retrieve information about the specified item.
item_name: The name or unique identifier of the item you wish to obtain details for.
--format json: This option provides the output in JSON format, which is a widely-used, machine-readable, structured data format perfect for scripting and automation needs.
Example output:
{
  "id": "v5mmmbr2mhiaje5cegtablvar4",
  "title": "GitHub",
  "vault": "Personal",
  "category": "login",
  "fields": [
    { "label": "username", "value": "user@example.com" },
    { "label": "password", "value": "mypassword" }
  ]
}
Use case 4: Create a new item with a category in the default vault
Code:
op item create --category category_name
Motivation:
Creating a new item in 1Password is essential for storing new credentials or any sensitive information securely. This command allows you to specify the category of the item, thereby ensuring that it is correctly organized and accessible.
Explanation:
item: Indicates the command is dealing with an item, a basic unit of data in 1Password.
create: This argument is used to initiate the creation of a new item.
--category category_name: This option specifies the type or category of the item being created, such as login, note, document, etc.
Example output:
New item created in vault 'Personal':
{
  "id": "hif2i56o5tyirlf5e64wqslf4y",
  "title": "New Item",
  "category": "login"
}
Use case 5: Print a referenced secret to stdout
Code:
op read secret_reference
Motivation:
There are scenarios where you need to access a specific secret quickly from a script or a terminal. By printing a referenced secret to stdout, you make it easy to integrate with other commands in a pipeline and perform tasks such as setups, credentials checks, or data exports without exposing sensitive information unnecessarily.
Explanation:
read: Indicates that the command will access and display a secret.
secret_reference: This is a placeholder for the specific reference name or ID of the secret you want to read.
Example output:
somesecretvalue
Use case 6: Pass secret references from exported environment variables to a command
Code:
op run -- command
Motivation:
When executing commands that require authentication or confidential information, passing secret references through environment variables can enhance security by minimizing exposure. This technique allows for seamless, secure integration of secrets into scripts and command executions.
Explanation:
run: Executes another command, using any defined secret references.
--: Denotes the end of options for op run and the start of the command you wish to execute.
command: This is the placeholder for the actual command you wish to run that requires secret references, such as a script or application command line.
Example output:
Running 'command' with secrets from the environment...
Use case 7: Pass secret references from an environment file to a command
Code:
op run --env-file path/to/env_file.env -- command
Motivation:
Sometimes secret information is stored within environment files, especially in deployment settings. Loading secrets from such files allows for consistent setups across environments. This method is advantageous in scenarios where multiple secrets need to be used repeatedly, maintaining continuity and minimizing human error.
Explanation:
run: Directs the CLI to execute another command using the specified environment variables.
--env-file path/to/env_file.env: Specifies the path to the file containing secrets in environment variable format.
--: Marks the termination of op run options, followed by the command that requires the secrets.
Example output:
Running 'command' with secrets from the environment file...
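A check to run before Use cases 6 and 7, as an added example that is not part of the original page: it audits an env file so that secret-looking variables hold a secret reference (op://vault/item/field, optionally with a section before the field) rather than a literal value. The name pattern, the function names and the sample file are assumptions made for the illustration.

```shell
# Added example: audit an env file before passing it to `op run --env-file`.
# Assumption: names matching SECRET_NAME_RE are the ones meant to hold secrets.
SECRET_NAME_RE='(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)'
# Reference shape: op://vault/item/field or op://vault/item/section/field
REF_RE='^op://[^/]+/[^/]+/[^/]+(/[^/]+)?$'

# audit_env_file FILE: prints LINE:NAME:REASON per finding; returns 1 if any.
audit_env_file() {
    lineno=0 findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # skip comments and anything that is not NAME=VALUE (blank lines included)
        case $line in '#'*) continue ;; *=*) ;; *) continue ;; esac
        name=${line%%=*} value=${line#*=} reason=
        case $value in                    # drop one pair of surrounding quotes
            \"*\") value=${value#\"}; value=${value%\"} ;;
            \'*\') value=${value#\'}; value=${value%\'} ;;
        esac
        [ -n "$value" ] || continue       # empty value: nothing to check
        case $value in
            op://*) ref=${value%%\?*}     # shape check ignores a ?query suffix
                printf '%s\n' "$ref" | grep -Eq "$REF_RE" || reason=malformed-reference ;;
            *)  if printf '%s\n' "$name" | grep -Eiq "$SECRET_NAME_RE"; then
                    reason=plaintext-secret; fi ;;   # literal under a secret-like name
        esac
        [ -z "$reason" ] || { echo "$lineno:$name:$reason"; findings=$((findings + 1)); }
    done < "$1"
    [ "$findings" -eq 0 ]
}

# Constructed sample (not from the original page): one literal secret and one
# reference that is missing its field.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample env file
APP_ENV=production
DB_PASSWORD="op://Shared/database/password"
API_TOKEN=constructed-plaintext-value
GITHUB_TOKEN=op://Personal/GitHub
EOF
}

# With a path argument, audit that file; otherwise audit the constructed sample.
if [ $# -gt 0 ]; then
    audit_env_file "$1"
else
    sample=$(mktemp) && write_sample "$sample"
    audit_env_file "$sample" || echo "fix the findings before op run" >&2
    rm -f "$sample"
fi
```

Run against a real env file, the non-zero exit status on any finding makes it usable as a pre-commit or CI gate.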
Use case 8: Read secret references from a file and save plaintext secrets to a file
Code:
op inject --in-file path/to/input_file --out-file path/to/output_file
Motivation:
In more complex workflows, secrets might need to be populated in configuration files. This use case supports scenarios where infrastructure, such as applications or scripts, requires actual plaintext credentials instead of secret references. Automating this transformation ensures that the correct values are always used, minimizing the risk of misconfiguration. Because the output file holds the resolved secrets in plaintext, keep its permissions restrictive and keep it out of version control.
Explanation:
inject: Indicates that the CLI should read and write data, transforming secret references into plaintext.
--in-file path/to/input_file: Path to the input file containing secret references that need resolving.
--out-file path/to/output_file: Path where the resolved plaintext secrets should be stored.
Example output:
Injected secrets from 'path/to/input_file' into 'path/to/output_file'.
Conclusion:
The ‘op’ command offers diverse use cases to efficiently manage and utilize secrets directly from the command line. Whether you’re automating deployments, managing vaults, or integrating secrets into software, understanding these examples is crucial for leveraging 1Password’s power through its CLI. This tool provides enhanced security and fluidity for developers and system administrators, ensuring that sensitive data is handled responsibly and efficiently.