API to pull 1Password information?

mitesh_ev
Community Member

We use 1Password to manage our 50 something Salesforce instances. It is working great, but every few months we have to reset those passwords.

I was wondering if there is a 1Password API which we can use to get the existing password and an API to then update that password. I am not talking about resetting the Salesforce password; that script we already have. We are trying to avoid manual updates of those passwords in 1Password. This will save a lot of time for us.

Any help is appreciated.

Mitesh


1Password Version: 6.8.6
Extension Version: Not Provided
OS Version: Mac
Sync Type: Not Provided
Referrer: forum-search:api

Comments

  • Hi @mitesh_ev,

    We don’t have a public API, per se, but our command line tool may be of help in this situation:

    1Password command-line tool: Getting started

    Does that help?

    Ben

  • mitesh_ev
    Community Member

    Thank you Ben. It may. I will pass the information to the team. Thank you for quick turn around.

    Is public API in the roadmap?

  • Ben
    edited May 2018

    @mitesh_ev,

    You’re welcome. :) We haven’t announced any plans for a public API at this point, but we’d certainly appreciate hearing if there are ways in which you’d like to access 1Password programmatically that the CLI tool doesn’t allow for.

    Ben

  • mitesh_ev
    Community Member

    Thank you Ben. I am trying it out but running into a roadblock. See the error message. Any suggestions?

    Error: -bash: gpg: command not found

  • Ben
    edited May 2018

    @mitesh_ev

    It appears you do not have GPG installed on this system? It is possible to skip this step if that is the case and you’d rather not install it. The purpose of the step is to verify the authenticity of the downloaded CLI executable. It is for peace of mind, and is not required.

    Ben

  • mitesh_ev
    Community Member

    I see, I did try $ op command , but that is throwing error message too. The "ls" command shows me the files, but when I run the command, it is giving me error message.

  • mitesh_ev
    Community Member

    As you can tell I am still learning, I tried the command with $ sign but still got the error message:
    -bash: op: command not found

  • Ben
    edited May 2018

    @mitesh_ev

    Please try this:

    chmod +x op
    ./op --version

    As this discussion now revolves around our CLI tool I’m going to move it over to the CLI category of the forum so that it’ll be more visible to the folks who work more directly with the CLI. :)

    Ben

  • mitesh_ev
    Community Member

    That worked like a charm. Does that mean I have to use "./op" for the rest of the documentation? I will give it a shot and thanks for moving this to the right category. Appreciate your time :)

  • mitesh_ev
    Community Member
    edited May 2018

    Making some progress. I am running into authentication issue. See the screenshot, getting timeout error. Then I thought of entering bogus password and it threw 401 error (as expected)

    I can login using same information [screenshot and other sensitive account details removed by AgileBits staff — this is a public forum]

  • mitesh_ev
    Community Member

    Never mind, I had to type in the email id. I am good for next 5 mins ;)

  • AGAlumB
    1Password Alumni

    @mitesh_ev: I've removed the screenshot since it contained some sensitive information about your account. It sounds like you were able to sign in successfully, but we're here if you have any other questions! :)

  • mitesh_ev
    Community Member

    thanks Brenty, got too excited! I was able to follow the documentation to get password but my challenge is to automate password reset. I would appreciate if someone can hop on a call to guide us in right direction. This may be good case study for 1Password too, because many companies are struggling with password automation. Happy to be the guinea pig..

  • mitesh_ev
    Community Member

    Hello Brenty, please take a look at the attached JSON (removed sensitive information this time :) ). I would like to update the "myPassword" value based on the username passed to the CLI.

    The documentation shows how to grab item based on UUID, but in our case we need to pull an item based on username field (which is unique).

    Also, it does not tell how to update a field (password). Appreciate your help. Thank you.

  • mitesh_ev
    Community Member

    So after some trial and error, I configured jq command to spit out UUID based on username.

    jq '(. as $parent | .details.fields[0] | select(.value=="mitesh@example.com") | $parent).uuid'

    Then I thought I could replace "UUID" (s2wgrbj_TEST) with above command, but that is not working. Any pointers?

    ./op get item s2wgrbj_TEST --session=QeOunXGLCGTAo_TEST

  • cohix
    1Password Alumni
    edited May 2018

    @mitesh_ev I just now responded to your email, I answered some of your questions there :)

    As for using the jq command to insert the UUID, you can do one of two things:

    Bash interpolation:
    op get item $(jq '(. as $parent | .details.fields[0] | select(.value=="mitesh@example.com") | $parent).uuid') [...] (note the $(...))

    Bash script:

    UUID=$(jq '(. as $parent | .details.fields[0] | select(.value=="mitesh@example.com") | $parent).uuid')
    op get item $UUID [...]
    

    Let me know if that helps :)

    ref: HZY-73368-261

  • mitesh_ev
    Community Member
    edited May 2018

    Hello Connor,

    Thank you for your email. Making progress.. Shouldn't there be some more commands before the bash script example you provided? What I mean is, how does jq know what JSON to parse?

    This is example of my bash script, it is working till "Get Item [hardcoded]" but "Get Item [dynamic]" is not. The CLI waits for input. Entering random text and then throws error message "(ERROR) Missing argument: "

    #!/bin/bash
    echo 
    echo — Get 1Password Session ID —
    export sessionId=$(op signin evariant.1password.com mitesh@test.com A3-XXXXXX-XXXXXX-XXXXX-XXXXX-XXXXX-XXXXX --output=raw)
    echo
    echo — 1Password Session ID —
    echo $sessionId
    echo
    echo — Get Item [hardcoded] —
    export UUID_test=(s2wgrbjesfgdhcruuvzjob5fza)
    op get item $UUID_test --session=$sessionId
    echo
    echo — Get Item [dynamic] —
    export UUID=$(jq '(. as $parent | .details.fields[0] | select(.value=="mitesh@example.com") | $parent).uuid')
    echo
    echo $UUID 
    op get item $UUID --session=$sessionId
    
  • mitesh_ev
    Community Member

    Please look at my previous comment. Got one more question, how to pull custom field from a section using CLI? When I run "op list items" command, it is not pulling Token which is custom field. Please see the screenshot

  • mitesh_ev
    Community Member

    Hi Connor,

    Did you get chance to look at my last 2 comments? There are 3 things I need help with
    1. How to get UUID based on username. The script provided does not work
    2. How to pull custom field "Token" from 1Password?
    3. How to update password using CLI?

    And lastly, I am not seeing "Generate Password" command in CLI. In order to update the password, we need to have randomly generate password like we can do on UI.

    My 2 cents, it still baffles me there is no 1Password API and the CLI is a half-baked solution. Do not mean to hurt anyone, take it as constructive criticism.

  • mitesh_ev
    Community Member

    updates.. as 1Password does not have "generate password" command , I am using openssl and pwgen, which seems to be working.

    And I have figured #2 as well. Still need help with #1 and #3 above.. I am happy to show the end-to-end solution , might help in your case studies.

  • mitesh_ev
    Community Member

    And I have figured out #1 too!! I am using below script to find the UUID. I am hoping this will help someone in the future.

    export UUID=$(op list items --session=$sessionId | jq --raw-output '.[] | select(.overview.ainfo=="mitesh@test.com" and (.overview.url | contains("salesforce.com"))).uuid')

    The only thing remaining is updating password back to vault using CLI. Appreciate if someone can provide an example or update the documentation.
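
Added example, not part of the original posts and not 1Password's code: the same username-plus-URL lookup done in Python over the JSON that `op list items` prints, for a rotation script that must resolve exactly one item. It goes beyond the jq filter above by matching on the URL's hostname rather than a substring, tolerating items with no URL, and refusing zero or multiple matches. The sample data, UUIDs and function names are constructed for illustration; only the field names `.uuid`, `.overview.ainfo` and `.overview.url` come from the thread.

```python
import json
from urllib.parse import urlparse

# Constructed sample shaped like the fields the thread's jq filter reads from
# `op list items` (.uuid, .overview.ainfo, .overview.url). All values are made up.
SAMPLE_ITEMS = json.loads("""
[
  {"uuid": "exampleuuid0000000000000001",
   "overview": {"ainfo": "mitesh@test.com", "url": "https://orga.my.salesforce.com"}},
  {"uuid": "exampleuuid0000000000000002",
   "overview": {"ainfo": "mitesh@test.com", "url": "https://salesforce.com.example.net/login"}},
  {"uuid": "exampleuuid0000000000000003",
   "overview": {"ainfo": "mitesh@test.com"}},
  {"uuid": "exampleuuid0000000000000004",
   "overview": {"ainfo": "admin@test.com", "url": "https://orgb.my.salesforce.com"}}
]
""")


class ItemLookupError(ValueError):
    """Raised when a lookup does not resolve to exactly one item."""


def host_in_domain(url, domain):
    """True if the URL's hostname is `domain` or one of its subdomains."""
    host = (urlparse(url or "").hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def find_item_uuid(items, username, domain):
    """Return the UUID of the single item for `username` on `domain`."""
    matches = [
        item["uuid"]
        for item in items
        # Items without a URL (item 3) yield None here; treat that as no match.
        if (item.get("overview") or {}).get("ainfo") == username
        and host_in_domain((item.get("overview") or {}).get("url"), domain)
    ]
    if len(matches) != 1:
        # Zero or several hits would silently break a later `op get item <uuid>`.
        raise ItemLookupError(
            f"expected exactly one item for {username!r} on {domain}, found {len(matches)}")
    return matches[0]


if __name__ == "__main__":
    print(find_item_uuid(SAMPLE_ITEMS, "mitesh@test.com", "salesforce.com"))
```

Item 2 in the sample contains the string "salesforce.com" in its URL but lives on a different host, so a substring test would return two UUIDs for the same username where the hostname check returns one.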

  • The only thing remaining is updating password back to vault using CLI. Appreciate if someone can provide an example or update the documentation.

    This is not currently possible using the command line tool. It's something we're hoping to make available in a future update.

    Rick

  • mitesh_ev
    Community Member

    Thank you Rick for the updates. Please let us know once this is made available. We have about 150 orgs and updating them manually every 3-4 months is lot of work.

  • We'll make sure to make a splash when we make that work. We have a few bigger ticket items on our todo list before we get to that though. I'm hopeful that we'll get to it before 1.0 though.

    Rick

  • mitesh_ev
    Community Member

    Sounds great.. is there public facing document on what those "bigger ticket items" are? Is that related to CLI?

  • is there public facing document on what those "bigger ticket items" are?

    Well there's this: https://discussions.agilebits.com/discussion/88757/help-shape-the-future-of-the-1password-command-line-tool , which explains that we've been working on the 1Password SCIM bridge lately. The CLI has benefited from it a fair amount, but we're a small team so it's difficult for us to work on a bunch of things at once.

    We don't typically post our roadmap publicly as it can change at any point.

    Rick

This discussion has been closed.