PowerShell Automation for 1Password
Securely orchestrating 1Password with PowerShell
Over two years ago I authored a PowerShell Module that enabled the automation of 1Password. I created the module because I wanted to be able to:
- Securely store locally a configuration for accessing a 1Password online Vault
- Automate authentication and retrieve a Session Token for interaction with a 1Password online Vault
- Automatically renew the Session Token if it expires
- Have multiple profile configurations for multiple 1Password Accounts
- Work in Windows PowerShell (5.x) and PowerShell (6.x/7.x + on Windows)
- Work in Jupyter Notebook
I published that module thinking it may be useful for others too. In fact, almost 96k other people found it interesting.
1Password CLI 2
In March 2022 1Password released CLI 2. It included several great new features such as biometrics. BUT it also changed the command schema. It broke my module. CLI 1 was working just fine for all my needs so I just carried on.
With CLI 2 now up to version 2.18.0, it was time to update the module and provide support for it in my module. I had made a few changes to see what I needed to do to support CLI 2 but I had never publicly updated anything.
Seeing the 1Password with Hashnode Hackathon in my feed was the motivation to clean up updates to the module and publish it.
1Password CLI PowerShell Module v2
Here is v2 of my 1Password CLI PowerShell Module. The details for v1 can be found here.
Features
The 1Pwd PowerShell Module:
- Works with versions 1.x and 2.x of the 1Password CLI
- Auto-detects the version of the 1Password CLI you have and integrates accordingly
- Allows a configuration to be securely stored in your local Windows Profile that automatically loads with the module.
- Stores a profile configuration using Export-Clixml. The Export-Clixml cmdlet encrypts credential objects by using the Windows Data Protection API. The encryption ensures that only your user account on only that computer can decrypt the contents of the credential object. The exported CLIXML file can't be used on a different computer or by a different user.
- You can then use any command the 1Password CLI 1 or CLI 2 supports without having to worry about Signing In and managing Session Tokens.
- You can use the module in demos and presentations and not expose your API Keys or Credentials.
- Works in Jupyter Notebook
- Works with Windows PowerShell and PowerShell (6.x+)
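The Export-Clixml behaviour described in the list above, as an added example that is not the module's own code: it saves a profile object, checks the file for plaintext, and reads a secret back as the same user. The function names, file path and sample values are assumptions, and it must run on Windows, where SecureString values are DPAPI-protected.

```powershell
# Added example, not the 1Pwd module's code. Windows only.
# Save-DemoProfile, Test-ProfileLeak, the file name and all values are constructed.
function Save-DemoProfile {
    param(
        [Parameter(Mandatory)] [string]       $Path,
        [Parameter(Mandatory)] [string]       $SignInAccount,
        [Parameter(Mandatory)] [securestring] $SecretKey,
        [Parameter(Mandatory)] [securestring] $MasterPassword
    )
    # SecureString properties are serialized as DPAPI-encrypted <SS> elements.
    [pscustomobject]@{
        SignInAccount  = $SignInAccount
        SecretKey      = $SecretKey
        MasterPassword = $MasterPassword
    } | Export-Clixml -Path $Path
}

function Test-ProfileLeak {
    # Returns $true if any of the given plaintext values appears in the file.
    param([string] $Path, [string[]] $Plaintext)
    $raw = Get-Content -Path $Path -Raw
    foreach ($p in $Plaintext) {
        if ($raw.Contains($p)) { return $true }
    }
    return $false
}

$path   = Join-Path $env:TEMP 'demo-1pwd-profile.xml'
$key    = 'A3-CONSTRUCTED-SAMPLE-KEY'      # constructed, not a real Secret Key
$master = 'constructed-sample-password'    # constructed
Save-DemoProfile -Path $path -SignInAccount 'your@emailaddress.com' `
    -SecretKey      (ConvertTo-SecureString $key    -AsPlainText -Force) `
    -MasterPassword (ConvertTo-SecureString $master -AsPlainText -Force)

# Check that neither secret was written to disk as plaintext.
Test-ProfileLeak -Path $path -Plaintext $key, $master

# Same user, same computer: Import-Clixml decrypts the SecureString again.
$loaded = Import-Clixml -Path $path
[System.Net.NetworkCredential]::new('', $loaded.SecretKey).Password -eq $key

Remove-Item -Path $path
```

DPAPI scopes the ciphertext to your user account on that computer, so any process running as you can also read the file with Import-Clixml. Non-secret properties such as the sign-in account are written in clear text.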
Installation
Install from the PowerShell Gallery on Windows PowerShell 5.1+, PowerShell Core 6.x, or PowerShell 7.x. You can also download it from GitHub here.
Install-Module -name 1Pwd
Prerequisites
To use this module you will need:
- A Paid 1Password account
- Your Master Password that you use for accessing your 1Password Vault
- 1Password CLI. Install it in the same directory as the script(s) you'll be running that will use this 1Pwd PowerShell Module.
  - A future enhancement will be to have it work with the CLI binary in a system path. Relative pathing for the background check for a valid session token requires specifying the specific location of op.exe. Otherwise the module fails in Windows PowerShell.
Test that the 1Password CLI is accessible by running the following command, which returns the 1Password CLI version. If you haven't set up credentials yet you will also receive a message to that effect.
.\op.exe --version
Module cmdlets
The module contains 4 cmdlets.
Get-Command -Module 1Pwd | Sort-Object Name | Get-Help | Format-Table Name, Synopsis -Autosize | clip
Name                          Synopsis
----                          --------
Invoke-1PasswordExpression    Invokes a 1Password CLI command.
Set-1PasswordConfiguration    Sets the default 1Password Vault and credentials.
Switch-1PasswordConfiguration Changes the 1Password configuration to a different Vault.
Test-1PasswordCredentials     Tests if the configured 1Password CLI configuration is valid.
Configuration
To create a secure profile for use with the 1Pwd Module execute the following PowerShell commands with the user account on the computer that you will be using to retrieve/set 1Password Vault items. This will create the secure configuration under your Windows Profile for the logged-in user on the computer it was executed on. It can only be opened and the Secret Key and Master Password read using the same account on the same computer.
Set Credentials and Profile Info
Update the following with your Sign-In Address and Sign In Account (Email Address) retrieved above. You will be prompted to securely input your Secret Key and Master Password.
$1PSignInAddress = "https://my.1password.com"
$1PSignInAccount = "your@emailaddress.com"
$1PSecretKey = Read-Host "Enter your 1Password SecretKey" -AsSecureString
$1PMasterPassword = Read-Host "Enter your 1Password Master Password" -AsSecureString
Using the information input above the Test-1PasswordCredentials cmdlet is used to validate them and return your account details. Run it once without assigning the output to perform the initial sign in and create a session. Then run again assigning the output to a variable for use with saving your configuration.
Test-1PasswordCredentials -SignInAddress $1PSignInAddress -SignInAccount $1PSignInAccount -SecretKey $1PSecretKey -MasterPassword $1PMasterPassword
$account = Test-1PasswordCredentials -SignInAddress $1PSignInAddress -SignInAccount $1PSignInAccount -SecretKey $1PSecretKey -MasterPassword $1PMasterPassword
Save your configuration
Having successfully provided and validated your credentials, the Set-1PasswordConfiguration cmdlet will securely store the configuration in the logged-in user's local Windows Profile. When saving a configuration you can use the -default switch to specify that it is the default configuration. It will automatically be retrieved and a session created when the module loads.
v1.x CLI
Set-1PasswordConfiguration -Vault $account.domain -SignInAddress $1PSignInAddress -SignInAccount $1PSignInAccount -SecretKey $1PSecretKey -MasterPassword $1PMasterPassword -Default
v2.x CLI
Set-1PasswordConfiguration -Vault $account[2].Split(":")[1].trim() -SignInAddress $1PSignInAddress -SignInAccount $1PSignInAccount -SecretKey $1PSecretKey -MasterPassword $1PMasterPassword -Default
Storing and switching configuration profiles
The Switch-1PasswordConfiguration cmdlet allows you to switch vaults/configuration. This is useful if you have multiple accounts. Each configuration needs to be saved using Set-1PasswordConfiguration. When saving a configuration you can use the -default switch with Set-1PasswordConfiguration to specify which is the default configuration that will be loaded when the module loads.
To change to the PersonalVault2 configuration, use the command:
Switch-1PasswordConfiguration -vault PersonalVault2
To switch to the PersonalVault2 configuration and make it the default use the -default switch.
Switch-1PasswordConfiguration -vault PersonalVault2 -Default
Automation of 1Password with PowerShell
The primary command/cmdlet that you will use after configuration is Invoke-1PasswordExpression. There is also the alias '1pwd' to shorten the command.
1pwd = Invoke-1PasswordExpression
Invoke-1PasswordExpression
Invokes a 1Password CLI command. Any command that the 1Password v1 CLI or v2 CLI supports can be provided.
The fundamental difference between the versions of the CLI is the command syntax. 1Password CLI 2 introduces a noun-verb command structure that groups commands by topic rather than by operation.
Example v1 CLI
Invoke-1PasswordExpression "list users"
# or
1pwd "list users"
Example v2 CLI
Invoke-1PasswordExpression "user list"
# or
1pwd "user list"
There is NO NEED to specify the op.exe executable or the --session --cache switches.
Example v1 CLI
List Vaults
Invoke-1PasswordExpression "list vaults"
# or
1pwd "list vaults"
Example v2 CLI
List Vaults
Invoke-1PasswordExpression "vault list"
# or
1pwd "vault list"
Example v1 CLI
Get Item Twitter
Invoke-1PasswordExpression "get item Twitter"
# or
1pwd "get item Twitter"
Example v1 CLI
Get Item 'Twitter Other Account', e.g. an item with spaces
Invoke-1PasswordExpression "get item 'Twitter - darrenjrobinson'"
# or
1pwd "get item 'Twitter - darrenjrobinson'"
Example v1 CLI
Get the Twitter Vault Item and return the password
((Invoke-1PasswordExpression "get item 'Twitter - darrenjrobinson'").details.fields | where-object {$_.designation -eq 'password'} | select-object -property value).value
# or
((1pwd "get item 'Twitter - darrenjrobinson'").details.fields | where-object {$_.designation -eq 'password'} | select-object -property value).value
Example v2 CLI
Get Item Twitter
Invoke-1PasswordExpression "item get Twitter"
# or
1pwd "item get Twitter"
Example v2 CLI
Get Item 'Twitter Other Account', e.g. an item with spaces
Invoke-1PasswordExpression "item get 'Twitter - darrenjrobinson'"
# or
1pwd "item get 'Twitter - darrenjrobinson'"
Example v2 CLI
Get the Twitter Vault Item and return the password
((Invoke-1PasswordExpression "item get 'Twitter - darrenjrobinson'").fields | where-object {$_.id -eq 'password'} | select-object -property value).value
# or
((1pwd "item get 'Twitter - darrenjrobinson'").fields | where-object {$_.id -eq 'password'} | select-object -property value).value
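One way to keep the password from the v2 example above off the screen in a demo, as an added example that is not part of the module: it wraps the item's username and password fields in a PSCredential. The function name and the sample item are constructed, and the 'username' field id is an assumption alongside the 'password' id the page uses.

```powershell
# Added example, not part of the 1Pwd module.
# ConvertTo-ItemCredential is a hypothetical helper; the item below is constructed.
function ConvertTo-ItemCredential {
    param([Parameter(Mandatory)] $Item)

    # Field ids as returned for a v2 CLI item ('username' is an assumption).
    $user = ($Item.fields | Where-Object { $_.id -eq 'username' }).value
    $pass = ($Item.fields | Where-Object { $_.id -eq 'password' }).value

    # Fail loudly instead of building a credential with an empty secret.
    if ([string]::IsNullOrEmpty($user) -or [string]::IsNullOrEmpty($pass)) {
        throw "Item '$($Item.title)' has no usable username/password field."
    }

    # $Item still holds the plaintext value; let it go out of scope promptly.
    $secure = ConvertTo-SecureString $pass -AsPlainText -Force
    [pscredential]::new($user, $secure)
}

# Constructed sample shaped like the object the v2 example above works with.
$sample = @'
{
  "title": "Twitter",
  "fields": [
    { "id": "username",   "value": "demo-user" },
    { "id": "password",   "value": "constructed-sample-pw" },
    { "id": "notesPlain", "value": "" }
  ]
}
'@ | ConvertFrom-Json

$cred = ConvertTo-ItemCredential -Item $sample
$cred.UserName
$cred.Password    # displays the type name, not the secret

# With the module loaded and a valid configuration:
# $cred = ConvertTo-ItemCredential -Item (1pwd "item get Twitter")
```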
Version 2
This is the public version of v2 of this module, inspired by the 1Password Hackathon.
The module is in the PowerShell Gallery here and on GitHub here.