Over two years ago I authored a PowerShell Module that enabled the automation of 1Password. I created the module because I wanted to be able to:
I published that module for others thinking it may be useful for others too. In fact almost 96k other people found it interesting.
In March 2022 1Password released CLI 2. It included several great new features such as biometrics. BUT it also changed the command schema. It broke my module. CLI 1 was working just fine for all my needs so I just carried on.
With CLI 2 now up to version 2.18.0 it was time to update the module and provide support for it in my module. I had made a few changes to see what I needed to do to support CLI 2 but I had never publically updated anything.
Seeing the 1Password with Hashnode Hackathon in my feed was the motivation to clean up updates to the module and publish it.
Here is v2 of my 1Password CLI PowerShell Module. The details for v1 can be found here.
The 1Pwd PowerShell Module:
Install from the PowerShell Gallery on Windows PowerShell 5.1+ or PowerShell Core 6.x or PowerShell. You can also download it from GitHub here.
Install-Module -name 1Pwd
To use this module you will need:
Test the 1Password CLI is accessible by running the following command that will return the 1Password CLI version. If you haven’t set up credentials yet you will also receive a message to that effect.
.\op.exe --version
The module contains 4 cmdlets.
Get-Command -Module 1Pwd | Sort-Object Name | Get-Help | Format-Table Name, Synopsis -Autosize | clip Name Synopsis ---- -------- Invoke-1PasswordExpression Invokes a 1Password CLI command. Set-1PasswordConfiguration Sets the default 1Password Vault and credentials. Switch-1PasswordConfiguration Changes the 1Password configuration to a different Vault. Test-1PasswordCredentials Tests if the configured 1Password CLI configuration is valid.
To create a secure profile for use with the 1Pwd Module execute the following PowerShell commands with the user account on the computer that you will be using to retrieve/set 1Password Vault items. This will create the secure configuration under your Windows Profile for the logged-in user on the computer it was executed on. It can only be opened and the Secret Key and Master Password read using the same account on the same computer.
Update the following with your Sign-In Address and Sign In Account (Email Address) retrieved above. You will be prompted to securely input your Secret Key and Master Password.
$1PSignInAddress = "https://my.1password.com" $1PSignInAccount = "your@emailaddress.com" $1PSecretKey = Read-Host "Enter your 1Password SecretKey" -AsSecureString $1PMasterPassword = Read-Host "Enter your 1Password Master Password" -AsSecureString
Using the information input above the Test-1PasswordCredentials cmdlet is used to validate them and return your account details. Run it once without assigning the output to perform the initial sign in and create a session. Then run again assigning the output to a variable for use with saving your configuration.
Test-1PasswordCredentials -SignInAddress $1PSignInAddress -SignInAccount $1PSignInAccount -SecretKey $1PSecretKey -MasterPassword $1PMasterPassword $account = Test-1PasswordCredentials -SignInAddress $1PSignInAddress -SignInAccount $1PSignInAccount -SecretKey $1PSecretKey -MasterPassword $1PMasterPassword
Having successfully provided and validated your credentials the Set-1PasswordConfiguration cmdlet will securely store the configuration in the logged-in users’ local Windows Profile. When saving a configuration you can use the -default switch to specify that it is the default configuration. It will automatically be retrieved and a session created when the module loads.
v1.x CLI
Set-1PasswordConfiguration -Vault $account.domain -SignInAddress $1PSignInAddress -SignInAccount $1PSignInAccount -SecretKey $1PSecretKey -MasterPassword $1PMasterPassword -Default
v2.x CLI
Set-1PasswordConfiguration -Vault $account[2].Split(":")[1].trim() -SignInAddress $1PSignInAddress -SignInAccount $1PSignInAccount -SecretKey $1PSecretKey -MasterPassword $1PMasterPassword -Default
The Switch-1PasswordConfiguration cmdlet allows you to switch vaults/configuration. This is useful if you have multiple accounts. Each configuration needs to be saved using Set-1PasswordConfiguration. When saving a configuration you can use the -default switch with Set-1PasswordConfiguration to specify which is the default configuration that will be loaded when the module loads.
To change the configuration for PersonalVault2 you would use the command.
Switch-1PasswordConfiguration -vault PersonalVault2
To switch to the PersonalVault2 configuration and make it the default use the -default switch.
Switch-1PasswordConfiguration -vault PersonalVault2 -Default
The primary command/cmdlet that you will use after configuration is Invoke-1PasswordExpression. There is also the alias ‘1pwd’ to shorten the command.
1pwd = Invoke-1PasswordExpression
Invokes 1Password CLI command. Any command that the 1Password v1 CLI supports can be provided.
Any command that the 1Password v2 CLI supports can be provided.
The fundamental difference between the versions of the CLI is the command syntax. 1Password CLI 2 introduces a noun-verb command structure that groups commands by topic rather than by operation.
Invoke-1PasswordExpression "list users" # or 1pwd "list users"
Invoke-1PasswordExpression "user list" # or 1pwd "user list"
There is NO NEED to specify the op.exe executable or the –session –cache switches.
List Vaults
Invoke-1PasswordExpression "list vaults" # or 1pwd "list vaults"
List Vaults
Invoke-1PasswordExpression "vault list" # or 1pwd "vault list"
Get Item Twitter
Invoke-1PasswordExpression "get item Twitter" # or 1pwd "get item Twitter"
Get Item ‘Twitter Other Account’ e.g An Item with spaces
Invoke-1PasswordExpression "get item 'Twitter - darrenjrobinson'" # or 1pwd "get item 'Twitter - darrenjrobinson'"
Get the Twitter Vault Item and return the password
((Invoke-1PasswordExpression "get item 'Twitter - darrenjrobinson'").details.fields | where-object {$_.designation -eq 'password'} | select-object -property value).value # or ((1pwd "get item 'Twitter - darrenjrobinson'").details.fields | where-object {$_.designation -eq 'password'} | select-object -property value).value
Get Item Twitter
Invoke-1PasswordExpression "item get Twitter" # or 1pwd "item get Twitter"
Get Item ‘Twitter Other Account’ e.g An Item with spaces
Invoke-1PasswordExpression "item get 'Twitter - darrenjrobinson'" # or 1pwd "item get 'Twitter - darrenjrobinson'"
Get the Twitter Vault Item and return the password
((Invoke-1PasswordExpression "item get 'Twitter - darrenjrobinson'").fields | where-object {$_.id -eq 'password'} | select-object -property value).value # or ((1pwd "item get 'Twitter - darrenjrobinson'").fields | where-object {$_.id -eq 'password'} | select-object -property value).value
The public version of v2 of this module inspired by the 1Password Hackathon
The module is in the PowerShell Gallery here and on GitHub here.
#1Password #BuildWith1Password
A few weeks back the Microsoft AI Tour was in Sydney Australia. There was a…
If you're anything like me you always have PowerShell open, and often both PowerShell and…
Decentralised Identity is a technology I'm passionate about and have written many posts and tools…
Buried in my PowerShell Snippets Vol 4 post from 2021 is the PowerShell script and…
Short post on how to recovery from "The Windows Subsystem for Linux instance has terminated"…
Today Microsoft made big announcements about its Microsoft Entra suite of identity and security products…
This website uses cookies.