Authentication on sub-shells and non interactive shells


Could you confirm that in the next releases, the authentication mechanism will be improved for sub-shells? You told me there was some improvements in the pipe but I am not sure.

Currently, this is really a pain to have to handle in all applications the transfer of OP_ variables to the subshells ;)

I was wondering also if there was some plans to allow the use of op CLI in non-interactive shells like in CI scripts. That would be great if we could create some "tokens" (or public/private key) and associate to them: vaults or items directly.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided


  • graham_1Pgraham_1P

    Team Member

    Hey Mickael,

    We can't confirm what will or will not be in the next release.

    However, your point about subshell environment variables is valid; currently you have to have the right environment variables in each shell context. Can you tell me a little more about how you are trying to use op with subshells? Something like evaling the op output for another command?

    Also your idea about CI is neat. Am I correct in thinking that you would use op as a key store for testing credentials? What were you imagining?

  • graham_1Pgraham_1P

    Team Member

    Just looked through some of your other posts, and would the usage in your gist here ( be a good example of running op in a subshell? EG when you assign the raw output of op into a variable for your op_signin function.

  • @graham_1P Regarding my use case, indeed, I took the habit to store any sensitive information whether directly encrypted in our git repos with gpg and deploy them with the help of the Blackbox tool from StackExchange people.

    I was in the reflexion to move away from Blackbox and store our sensitive files directly in 1password and update our deployment scripts to grab them without having to generate gpg deployment keys and having to install them on each staging/production servers.

    But so far, I have no clue on how I could run securely 1password calls on a remote server.

    For deployment scripts, I guess I could grab secure files using local op cli and rsync them to the remote server.

    But I don't see how to do this for a fully automated deployment process in a CI pipeline for example.

  • graham_1Pgraham_1P

    Team Member

    You're right, at this time we don't have an easy way to securely run 1Password calls on a remote server. You bring up an interesting use case however. It will definitely be something to look into in the future.

    To do the automatic deploy using 1Password as the secure key store, I would do something similar to what you suggest, where you use a combination of local op cli, the retrieved credentials, and gpg to rsync the values to the remote servers. At this time, that is the best solution, if you want to swap 1Password in for Blackbox.

  • @graham_1P I guess I will stick with blackbox for this usage until 1password propose something more efficient to handle that...


  • cohixcohix

    Team Member

    I'll noodle on this a bit and see what I can come up with :)

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file