Skip to content

tmatilai/direnv-1password

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
1password.sh
1password.sh
 
 
CHANGELOG.md
CHANGELOG.md
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 

Repository files navigation

1Password helpers for direnv

This repository includes a direnv library/extension for fetching secrets using 1Password CLI.

Usage

Example .envrc:

# Download the latest version. See below for other installation methods.
source_url "https://github.com/tmatilai/direnv-1password/raw/v1.0.0/1password.sh" \
    "sha256-EGpCcHQA5inHmMmkvj+TqIjPeNzzvG4F+BUXfFKb1c0="

# Fetch one secret and export it into the specified environment variable
from_op MY_SECRET=op://vault/item/field

# Multiple secrets can be fetched by passing the items to the command's STDIN
from_op <<OP
    FIRST_SECRET=op://vault/item/field
    OTHER_SECRET=op://...
OP

# Multiple secrets can be fetched from a file as well.
# direnv will reload when the file changes.
from_op .1password

# Only load a secret from OP if it wasn't already set in `.env`.
dotenv_if_exists
from_op --no-overwrite MY_SECRET=op://vault/item/field

# Show the status of 1password while loading direnv.
from_op --verbose MY_SECRET=op://vault/item/field

Secrets reference

The reference format is described here. Vault, item and field can be referred either by name or ID.

With 1Password CLI v1 the section (referred in the docs) can not be used, so in some cases the item ID has to be used.

1Password login

For the from_op command (or actually the underlying op command) to work, a valid 1Password session has to exist.

One option is to sign in manually before .envrc evaluation. For example:

# Bash, ZSH, etc.
eval $(op signin ACCOUNT)
# Fish
eval (op signin ACCOUNT)

The .envrc evaluation can then be forced with e.g. direnv reload.

Other option is to add the op signin command into the .envrc, but that will block the evaluation. This might go against the best practices with direnv, as .envrc evaluations should in general be fast and non-blocking. But you decide.

Future versions of the library hopefully offer helpers for the login, too.

Requirements

  • direnv. Might/should work with any somehow recent v2 version. Developed initially with v2.30.
  • 1Password CLI 2.x (op).
  • A shell supported by direnv. Bash v3+ should work.

Installation

There are a couple of options to use/install the library. Upgrades must be done manually. Watch the repository for new versions.

Use source_url stdlib command

One option is to use the source_url command in the direnv stdlib in your .envrc file.

The latest version can be fetched with the command in the usage example.

Hash for another version can be fetched with the direnv fetchurl command in shell:

direnv fetchurl "https://github.com/tmatilai/direnv-1password/raw/<VERSION>/1password.sh"

Note that as stated in the direnv documentation, the downloaded file is cached, and thus the URL should return always the same version. This means that main and other branches can not be used.

Manual download to lib/

Download/copy/symlink the 1password.sh into ~/.config/direnv/lib/1password.sh (or $XDG_CONFIG_HOME/direnv/lib/1password.sh if that's different).

You can also install with:

make install

About

1Password helpers for direnv

Resources

Readme

License

MIT license
Activity

Stars

33 stars

Watchers

6 watching

Forks

2 forks
Report repository

Releases 1

v1.0.0 Latest
Sep 21, 2024

Packages

No packages published

Contributors 2

  •  
  •  

Languages