In a our previous post, we looked at generating a 1password session without requiring user input. Today we will look at generating a one-time (30-minute) token on your local machine and only sharing that with your build servers.
As we saw previously, we can
op you can generate a session token. Below we have two small changes.
op signin --raw my email@example.com > opsession
We added the
–raw flag so that we only output the 1password token
We redirect the output to a
Now instead of building a forever re-useable
opsession (as we did with expect), we now have a 30-minute
opsession token (within a file) that we can share with our build server as seen below (step B).
Our automation scripts can now use the
–session flag pointing to the contents
of our token with
cat opsession. For example.
op get item db_password --session $(cat opsession)
In this approach, we are still generating 1password sessions locally, and then sharing the token on our build servers. Those environments now have 30-minutes access to the secrets it needs (DB passwords, API secrets, etc) in a completely autonomous way.