In a our previous post, we looked at generating a 1password session without requiring user input. Today we will look at generating a one-time (30-minute) token on your local machine and only sharing that with your build servers.
As we saw previously, we can
op you can generate a session token. Below we have two small changes.
op signin --raw my email@example.com > opsession
We added the
--raw flag so that we only output the 1password token
We redirect the output to a
Now instead of building a forever re-useable
opsession (as we did with expect), we now have a 30-minute
opsession token (within a file) that we can share with our build server as seen below (step B).
Our automation scripts can now use the
--session flag pointing to the contents
of our token with
cat opsession. For example.
op get item db_password --session $(cat opsession)
In this approach, we are still generating 1password sessions locally, and then sharing the token on our build servers. Those environments now have 30-minutes access to the secrets it needs (DB passwords, API secrets, etc) in a completely autonomous way.