Orchestrating 1Password with PowerShell

Over two years ago I authored a PowerShell Module that enabled the automation of 1Password. I created the module because I wanted to be able to:

  • Securely store locally a configuration for accessing a 1Password online Vault
  • Automate authentication and retrieve a Session Token for interaction with a 1Password online Vault
  • Automatically renew the Session Token if it expires
  • Have multiple profile configurations for multiple 1Password Accounts
  • Work in Windows PowerShell (5.x) and PowerShell (6.x/7.x + on Windows)
  • Work in Jupyter Notebook

I published that module for others thinking it may be useful for others too. In fact almost 96k other people found it interesting.

1Password CLI 2

In March 2022 1Password released CLI 2. It included several great new features such as biometrics. BUT it also changed the command schema. It broke my module. CLI 1 was working just fine for all my needs so I just carried on.

With CLI 2 now up to version 2.18.0 it was time to update the module and provide support for it in my module. I had made a few changes to see what I needed to do to support CLI 2 but I had never publicly updated anything.

Seeing the 1Password with Hashnode Hackathon in my feed was the motivation to clean up updates to the module and publish it.

1Password CLI PowerShell Module v2

Here is v2 of my 1Password CLI PowerShell Module. The details for v1 can be found here.

Features

The 1Pwd PowerShell Module:

  • Works with versions 1.x and 2.x of the 1Password CLI
  • Auto-detects the version of the 1Password CLI you have and integrates accordingly
  • Allows a configuration to be securely stored in your local Windows Profile that automatically loads with the module.
  • Stores a profile configuration using Export-CliXML. The Export-Clixml cmdlet encrypts credential objects by using the Windows Data Protection API. The encryption ensures that only your user account on only that computer can decrypt the contents of the credential object. The exported CLIXML file can’t be used on a different computer or by a different user.
  • You can then use any command the 1Password CLI 1 or CLI 2 supports without having to worry about Signing In and managing Session Tokens.
  • You can use the module in demos and presentations and not expose your API Keys or Credentials.
  • Works in Jupyter Notebook
  • Works with Windows PowerShell and PowerShell (6.x+)
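
The Export-Clixml behaviour described above can be verified directly. This is an added example, not code from the 1Pwd module; the file path, the property names and the sample key are assumptions constructed for illustration.

```powershell
# Added example: all values are constructed samples, not real 1Password secrets.
# Export-Clixml only DPAPI-encrypts SecureString values on Windows.
if ($PSVersionTable.PSEdition -eq 'Core' -and -not $IsWindows) {
    throw 'Not Windows: Export-Clixml would not encrypt the SecureString values.'
}

$sampleKey = 'A3-CONSTRUCTED-SAMPLE-KEY'   # constructed, stands in for a Secret Key
$config = [pscustomobject]@{
    SignInAddress = 'https://my.1password.com'
    SignInAccount = 'your@emailaddress.com'
    SecretKey     = ConvertTo-SecureString $sampleKey -AsPlainText -Force
}

# Hypothetical demo path; the module chooses its own location under the profile.
$path = Join-Path $env:TEMP 'demo-1pwd-profile.xml'
$config | Export-Clixml -Path $path

$raw = Get-Content -Path $path -Raw

# Check 1: the sample key must not appear in the file in clear text.
if ($raw.Contains($sampleKey)) { throw 'Secret stored in clear text.' }

# Check 2: the SecureString element should hold a DPAPI blob, which starts
# with a version dword followed by the DPAPI provider GUID.
$dpapiHeader = '01000000d08c9ddf0115d1118c7a00c04fc297eb'
if ($raw -match '<SS N="SecretKey">([0-9a-fA-F]+)</SS>') {
    $isDpapi = $Matches[1].StartsWith($dpapiHeader, [StringComparison]::OrdinalIgnoreCase)
    "SecretKey stored as DPAPI blob: $isDpapi"
} else {
    throw 'No SecureString element found for SecretKey.'
}

# Check 3: the same user on the same computer can read it back.
# A different user or computer gets a cryptographic error here instead.
$restored  = Import-Clixml -Path $path
$roundTrip = [System.Net.NetworkCredential]::new('', $restored.SecretKey).Password
"Round trip matches: $($roundTrip -eq $sampleKey)"

Remove-Item -Path $path
```

Only SecureString and PSCredential values are encrypted; plain string properties such as SignInAddress remain readable in the exported file.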

Installation

Install from the PowerShell Gallery on Windows PowerShell 5.1+, PowerShell Core 6.x or PowerShell 7.x. You can also download it from GitHub here.

Install-Module -name 1Pwd

Prerequisites

To use this module you will need:

  • A Paid 1Password account
  • Your Secret Key or Setup Code
  • Your Master Password that you use for accessing your 1Password Vault
  • 1Password CLI. Install it in the same directory as the script(s) you’ll be running that will use this 1Pwd PowerShell Module.
    • A future enhancement will be to have it work with the CLI binary in a system path. Relative pathing for the background check for a valid session token requires specifying the specific location of op.exe. Otherwise the module fails in Windows PowerShell.

Test that the 1Password CLI is accessible by running the following command, which returns the 1Password CLI version. If you haven’t set up credentials yet you will also receive a message to that effect.

.\op.exe --version

Module cmdlets

The module contains 4 cmdlets.

Get-Command -Module 1Pwd | Sort-Object Name | Get-Help | Format-Table Name, Synopsis -AutoSize

Name                          Synopsis
----                          --------
Invoke-1PasswordExpression    Invokes a 1Password CLI command.
Set-1PasswordConfiguration    Sets the default 1Password Vault and credentials.
Switch-1PasswordConfiguration Changes the 1Password configuration to a different Vault.
Test-1PasswordCredentials     Tests if the configured 1Password CLI configuration is valid.

Configuration

To create a secure profile for use with the 1Pwd Module, execute the following PowerShell commands as the user account, and on the computer, that you will use to retrieve/set 1Password Vault items. This creates the secure configuration under the Windows Profile of the logged-in user on that computer. The configuration can only be opened, and the Secret Key and Master Password read, by the same account on the same computer.

Set Credentials and Profile Info

Update the following with your Sign-In Address and Sign In Account (Email Address) retrieved above. You will be prompted to securely input your Secret Key and Master Password.

$1PSignInAddress = "https://my.1password.com"
$1PSignInAccount = "your@emailaddress.com"
$1PSecretKey = Read-Host "Enter your 1Password SecretKey" -AsSecureString
$1PMasterPassword = Read-Host "Enter your 1Password Master Password" -AsSecureString

Using the information input above the Test-1PasswordCredentials cmdlet is used to validate them and return your account details. Run it once without assigning the output to perform the initial sign in and create a session. Then run again assigning the output to a variable for use with saving your configuration.

Test-1PasswordCredentials -SignInAddress $1PSignInAddress -SignInAccount $1PSignInAccount -SecretKey $1PSecretKey -MasterPassword $1PMasterPassword
$account = Test-1PasswordCredentials -SignInAddress $1PSignInAddress -SignInAccount $1PSignInAccount -SecretKey $1PSecretKey -MasterPassword $1PMasterPassword

Save your configuration

Having successfully provided and validated your credentials, the Set-1PasswordConfiguration cmdlet will securely store the configuration in the logged-in user’s local Windows Profile. When saving a configuration you can use the -default switch to specify that it is the default configuration. It will automatically be retrieved and a session created when the module loads.

v1.x CLI

Set-1PasswordConfiguration -Vault $account.domain -SignInAddress $1PSignInAddress -SignInAccount $1PSignInAccount -SecretKey $1PSecretKey -MasterPassword $1PMasterPassword -Default

v2.x CLI

Set-1PasswordConfiguration -Vault $account[2].Split(":")[1].trim() -SignInAddress $1PSignInAddress -SignInAccount $1PSignInAccount -SecretKey $1PSecretKey -MasterPassword $1PMasterPassword -Default

Storing and switching configuration profiles

The Switch-1PasswordConfiguration cmdlet allows you to switch vaults/configuration. This is useful if you have multiple accounts. Each configuration needs to be saved using Set-1PasswordConfiguration. When saving a configuration you can use the -default switch with Set-1PasswordConfiguration to specify which is the default configuration that will be loaded when the module loads.

To change to the configuration for PersonalVault2, use the command:

Switch-1PasswordConfiguration -vault PersonalVault2

To switch to the PersonalVault2 configuration and make it the default use the -default switch.

Switch-1PasswordConfiguration -vault PersonalVault2 -Default

Automation of 1Password with PowerShell

The primary command/cmdlet that you will use after configuration is Invoke-1PasswordExpression. There is also the alias ‘1pwd’ to shorten the command.

1pwd = Invoke-1PasswordExpression

Invoke-1PasswordExpression

Invokes a 1Password CLI command. Any command that the 1Password v1 CLI or v2 CLI supports can be provided.

The fundamental difference between the versions of the CLI is the command syntax. 1Password CLI 2 introduces a noun-verb command structure that groups commands by topic rather than by operation.

Example v1 CLI

Invoke-1PasswordExpression "list users"
# or
1pwd "list users"

Example v2 CLI

Invoke-1PasswordExpression "user list"
# or
1pwd "user list"

There is NO NEED to specify the op.exe executable or the --session and --cache switches.

Example v1 CLI

List Vaults

Invoke-1PasswordExpression "list vaults"
# or 
1pwd "list vaults"

Example v2 CLI

List Vaults

Invoke-1PasswordExpression "vault list"
# or 
1pwd "vault list"

Example v1 CLI

Get Item Twitter

Invoke-1PasswordExpression "get item Twitter"
# or 
1pwd "get item Twitter"

Example v1 CLI

Get Item ‘Twitter Other Account’, e.g. an item with spaces

Invoke-1PasswordExpression "get item 'Twitter - darrenjrobinson'"
# or 
1pwd "get item 'Twitter - darrenjrobinson'"

Example v1 CLI

Get the Twitter Vault Item and return the password

((Invoke-1PasswordExpression "get item 'Twitter - darrenjrobinson'").details.fields | where-object {$_.designation -eq 'password'} | select-object -property value).value
# or 
((1pwd "get item 'Twitter - darrenjrobinson'").details.fields | where-object {$_.designation -eq 'password'} | select-object -property value).value

Example v2 CLI

Get Item Twitter

Invoke-1PasswordExpression "item get Twitter"
# or 
1pwd "item get Twitter"

Example v2 CLI

Get Item ‘Twitter Other Account’, e.g. an item with spaces

Invoke-1PasswordExpression "item get 'Twitter - darrenjrobinson'"
# or 
1pwd "item get 'Twitter - darrenjrobinson'"

Example v2 CLI

Get the Twitter Vault Item and return the password

((Invoke-1PasswordExpression "item get 'Twitter - darrenjrobinson'").fields | where-object {$_.id -eq 'password'} | select-object -property value).value
# or 
((1pwd "item get 'Twitter - darrenjrobinson'").fields | where-object {$_.id -eq 'password'} | select-object -property value).value
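
The password lookups above return the value as plain text and differ between CLI versions (details.fields with designation in v1, fields with id in v2). As an added example that is not part of the module, the hypothetical helper ConvertTo-1PwdCredential below accepts either shape and returns a PSCredential so the password is not echoed; the sample items are constructed and the 'username' field name is an assumption.

```powershell
# Added example: hypothetical helper, not part of the 1Pwd module.
function ConvertTo-1PwdCredential {
    param([Parameter(Mandatory)] $Item)

    # CLI 1 nests fields under .details and tags them with 'designation';
    # CLI 2 exposes .fields directly and tags them with 'id'.
    if ($Item.details.fields) { $fields = $Item.details.fields; $key = 'designation' }
    else                      { $fields = $Item.fields;         $key = 'id' }

    # 'username' as the tag value is an assumption; 'password' is from the page.
    $user = ($fields | Where-Object { $_.$key -eq 'username' } | Select-Object -First 1).value
    $pass = ($fields | Where-Object { $_.$key -eq 'password' } | Select-Object -First 1).value

    # PSCredential rejects an empty user name, so fail with a clear message.
    if ([string]::IsNullOrEmpty($user)) { throw 'Item has no username field.' }
    if ([string]::IsNullOrEmpty($pass)) { throw 'Item has no password field.' }

    $secure = ConvertTo-SecureString $pass -AsPlainText -Force
    [pscredential]::new($user, $secure)
}

# Constructed sample items that mimic the two shapes used on this page.
$v1Item = [pscustomobject]@{ details = [pscustomobject]@{ fields = @(
    [pscustomobject]@{ designation = 'username'; value = 'demo-user' },
    [pscustomobject]@{ designation = 'password'; value = 'constructed-not-real' }) } }
$v2Item = [pscustomobject]@{ fields = @(
    [pscustomobject]@{ id = 'username'; value = 'demo-user' },
    [pscustomobject]@{ id = 'password'; value = 'constructed-not-real' }) }

foreach ($item in $v1Item, $v2Item) {
    $cred = ConvertTo-1PwdCredential -Item $item
    # The Password property formats as its type name, not the secret itself.
    '{0} -> {1}' -f $cred.UserName, $cred.Password
}

# With the module loaded and a v2 CLI, the same helper would be called as:
#   $cred = ConvertTo-1PwdCredential -Item (1pwd "item get Twitter")
```

The resulting object can be passed to any cmdlet that takes a -Credential parameter, which keeps the password off the console during demos.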

Version 2

The public version of v2 of this module was inspired by the 1Password Hackathon.

The module is in the PowerShell Gallery here and on GitHub here.
